Is there a magic bullet to make your business computers secure?

“The most secure computer in the world is one that can’t be used by anybody,” says Paul Stamp, senior analyst at Forrester Research, of Cambridge, Mass. That’s a nice sentiment, but he admits that it’s not really practical these days, unless you are running a computer museum. More realistically, today’s small business owners should concern themselves with balancing the need for security with the need for access. And at every step of the way, they have to make the risk tradeoff.

Just being on the Internet will invite attempts, says Toby Weir-Jones, the director of product management of BT Counterpane, of Mountain View, Calif., which provides managed security services. And attempts are the definition of risk. And that could be a cost. “If a machine doesn’t need to be online it should be,” Weir-Jones says.

Networking depends on the PC's function

Whether a computer should be kept off the network, says Cal Braunstein, the chairman and CEO of the Robert Frances Group, a business technology consultancy in Westport, Conn., will also depend on the company and the type of function being performed. For example, you may have multiple networks at a company, rather than one. You may have a mini-network in research and development (R&D) and may not want any of those machines linked to the outside world, in order to better protect your company secrets.

Many R&D facilities, Braunstein says, have multiple PCs per user. Some are on the R&D network or are standalone boxes, and others are linked to the rest of the company. “Not all of these machines should be linked together into a single network,” he says. “There needs to be someone who understands the security issues for the company who is looking at all these assets and deciding their networking rights.”

Besides security, says Andrea Peiro, the CEO and founder of the Small Business Technology Institute, a non-profit devoted to encouraging technology adoption among small businesses, another reason to consider putting a machine off the network is if it “performs a very specialized task – such as direct e-mail marketing distribution – and may be faster if directly connected to non-shared Internet access.”

Hidden costs of off-network computers

Having a computer that is not attached to the network can protect sensitive data and provide one less avenue for malware, but it can also be an inconvenience. It’s a cost from a time perspective. It takes a lot longer to go over to another PC and burn the information onto a CD or put it on a USB drive than to e-mail it over the network or allow the computer user to download it from the Internet or an intranet. On the other hand, says Stamp, it takes a lot of time to wipe spyware off a PC, or worse. “In business, you have got to make the call," he says.

If keeping certain PCs off the network is too much of a hassle, Peiro suggests that a small company can configure its firewall and gateways differently and assign different levels of access to different users. “Sometimes a simple repositioning of the network firewall and the Internet gateway," she says, "creating multiple sub-networks with different levels of access to resources, may elegantly address the concerns and maintain the benefits of the network for everybody.”