To date, larger enterprises have been the primary focus of information thieves, but smaller businesses are now just as likely to be the targets of these attackers. Maybe more so.
“Big companies have more resources and they’re getting smarter on that business risk and starting to be tougher to penetrate,” says Mark Piening, senior director of worldwide small- and medium-size business marketing for security vendor Symantec. Smaller companies won’t be able to protect themselves from criminals who are intent on hacking into their customer databases or phishing for sensitive corporate data -- unless they take steps to keep that information out of reach, or stop those emails from reaching employee desktops.
“The criminal may have more interest in going after a bigger business, because there’s often more to get,” Piening says. But if it’s easier to go after the smaller business, “what do you think they are going to do?”
What you can do to stop trouble before it starts
In some cases, that’s as simple as turning off a service you don’t need. Why have critical corporate data sitting on a network exposed to the rest of the world? “If you have a customer database and you’re not doing something online with that, don’t put it on a network where that can be accessed,” says Piening. Isolating a server with that database can be a cheap and easy proposition, but not everyone manages their policies that diligently.
Email, of course, presents some of the biggest risks to an organization. “Bad things happen when you don’t protect your Exchange server,” notes Piening. Mail servers should be configured to block or remove emails with file attachments such as .VBS, .BAT, .EXE, .PIF, and .SCR, which are commonly used to spread viruses, advises Symantec in its most recent Internet Security Threat Report, published in September.
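An added example, not code from the article or from Symantec, of how the attachment block-list above can be enforced at a mail gateway. It parses a raw message with Python's standard `email` package, checks each attachment name case-insensitively, and also catches the common tricks of double extensions (`Invoice.pdf.SCR`) and trailing dots or spaces, which Windows drops when it opens the file. The sample message, sender and recipient addresses are constructed for the demonstration.

```python
"""Attachment screening at a mail gateway, using the extension block-list above."""
import email
from email import policy
from email.message import EmailMessage

# Extension block-list from the report cited above (lower-cased for comparison).
BLOCKED_EXTENSIONS = (".vbs", ".bat", ".exe", ".pif", ".scr")


def is_blocked_filename(filename):
    """True if the attachment name ends in a blocked extension.

    The check is case-insensitive, ignores trailing dots and spaces (which
    Windows silently drops when opening the file), and looks at the final
    extension, so 'Invoice.pdf.SCR' is caught while 'notes.scr.txt' is not.
    """
    name = filename.strip().rstrip(". ").lower()
    return name.endswith(BLOCKED_EXTENSIONS)


def screen_message(raw_message):
    """Parse a raw RFC 5322 message and decide whether to deliver it.

    Returns ('block', [offending attachment names]) or ('deliver', []).
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    offending = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no attachment of their own
        filename = part.get_filename()
        if filename and is_blocked_filename(filename):
            offending.append(filename)
    if offending:
        return "block", offending
    return "deliver", []


def build_sample(attachment_name):
    """Constructed test message (not a real capture) carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"  # placeholder address
    msg["To"] = "staff@example.com"     # placeholder address
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"not really a program", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("Invoice.pdf.SCR", "report.pdf"):
        print(name, "->", screen_message(build_sample(name)))
```

In practice the decision would be wired into the gateway's filter hook (a milter, or the equivalent on the mail product in use) and the block logged rather than silently dropped, so that a legitimate sender can be told why the message never arrived.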
The report also advises signing up for a fraud alerting service or using Web server log monitoring to track whether complete downloads of your website are taking place, as that may indicate someone is trying to set up an illegitimate website in support of a phishing attack. Phishing emails may be sent to your customers, but Piening also brings up other possibilities: emails disguised as communications from your human resources department aimed at getting your own employees to cough up personal information, and/or someone phishing for your customers’ information. If they get it, “that’s pure company liability,” Piening says.
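An added example, not from the article or the report it cites, of the log monitoring just described. It reads Web server access-log lines in the common "combined" format, groups successful page fetches by client address, and flags any client that retrieved most of the site's distinct pages inside a short window, the signature of a whole-site download. The log lines, addresses, page count and thresholds are all constructed for the demonstration; a real deployment would feed it the live log and tune `site_page_count` and the window to the site in question.

```python
"""Flag clients that pull down most of a site's pages in a short span."""
import math
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],  # ignore query strings
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def windowed_distinct(hits, window_seconds):
    """Largest number of distinct paths one client fetched within any window."""
    hits.sort()  # (timestamp, path) pairs, chronological
    best = 0
    for i in range(len(hits)):
        seen = set()
        for ts, path in hits[i:]:
            if (ts - hits[i][0]).total_seconds() > window_seconds:
                break
            seen.add(path)
        best = max(best, len(seen))
    return best


def find_site_mirroring(lines, site_page_count, min_fraction=0.8, window_seconds=300):
    """Return {ip: distinct pages} for clients that fetched at least
    min_fraction of the site's pages inside window_seconds."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["status"] == 200:
            per_ip[rec["ip"]].append((rec["ts"], rec["path"]))
    needed = math.ceil(site_page_count * min_fraction)
    return {ip: n for ip, hits in per_ip.items()
            if (n := windowed_distinct(hits, window_seconds)) >= needed}


# Constructed sample log (not a real capture): a five-page site.
SAMPLE_LOG = [
    # One client fetches every page within ten seconds...
    '203.0.113.7 - - [10/Sep/2007:14:03:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "ConstructedCrawler/1.0"',
    '203.0.113.7 - - [10/Sep/2007:14:03:03 +0000] "GET /about HTTP/1.1" 200 2341 "-" "ConstructedCrawler/1.0"',
    '203.0.113.7 - - [10/Sep/2007:14:03:05 +0000] "GET /products HTTP/1.1" 200 8812 "-" "ConstructedCrawler/1.0"',
    '203.0.113.7 - - [10/Sep/2007:14:03:07 +0000] "GET /contact HTTP/1.1" 200 1290 "-" "ConstructedCrawler/1.0"',
    '203.0.113.7 - - [10/Sep/2007:14:03:09 +0000] "GET /login HTTP/1.1" 200 1744 "-" "ConstructedCrawler/1.0"',
    # ...a visitor reads two pages...
    '198.51.100.23 - - [10/Sep/2007:14:10:41 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"',
    '198.51.100.23 - - [10/Sep/2007:14:11:02 +0000] "GET /products?id=7 HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (constructed)"',
    # ...and another sees every page, but spread over three hours.
    '192.0.2.44 - - [10/Sep/2007:09:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"',
    '192.0.2.44 - - [10/Sep/2007:09:45:00 +0000] "GET /about HTTP/1.1" 200 2341 "-" "Mozilla/5.0 (constructed)"',
    '192.0.2.44 - - [10/Sep/2007:10:30:00 +0000] "GET /products HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (constructed)"',
    '192.0.2.44 - - [10/Sep/2007:11:15:00 +0000] "GET /contact HTTP/1.1" 200 1290 "-" "Mozilla/5.0 (constructed)"',
    '192.0.2.44 - - [10/Sep/2007:12:00:00 +0000] "GET /login HTTP/1.1" 200 1744 "-" "Mozilla/5.0 (constructed)"',
]

if __name__ == "__main__":
    print(find_site_mirroring(SAMPLE_LOG, site_page_count=5))
```

The sliding window is what separates a whole-site download from a patient human reader: the third client above touches every page too, but never more than one inside any five-minute window, so it is not flagged. Counting only `200` responses to `GET` keeps failed probes and form submissions out of the tally.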
Email security software or appliances from vendors such as Symantec, McAfee, and Sonicwall are designed to keep the network free from spam (whether of the phishing or perverse kind), as well as from someone hijacking your small business’ email server to send spam. “The challenge there is you get blacklisted,” says David Kakish, a security specialist at technology products and services provider CDW. That's not a good thing in today’s world, where businesses must be able to electronically communicate with customers and prospects.
A multi-tiered approach to security
Kakish advocates that small businesses take a multi-layered, multi-vendor approach to securing their systems. Consider email systems as one example -- you might use one company’s technology at the SMTP gateway to cleanse messages of spam and viruses; another anti-spam and anti-virus engine on the email server itself; and further protection from another source at the desktop, laptop or other endpoints. That way, a small business has better assurance that if something is missed by one source at one point, it will be caught at the next.
It isn’t as complicated to deploy this kind of approach as it used to be. “People always assume there’s too much to do at the gateway level, and that it’s complex,” he says. But that’s no longer the case. “You don’t have to be an IT whiz to go in and do this. And management has gotten a lot easier.”
It’s a bit more of an investment to take a multi-layered approach to security, he says, but not that much. “Everyone looks at ROI, and in the security world you want to look at RON -- return on negligence,” Kakish says. “If you are negligent, what will happen in your environment? What’s the cost of your network being down for a couple of hours or days, and what is the cost to try to prevent that?”