Computer Security: Don't Leave Open a "Back Door" into Your Business
An unsecured Web site is an invitation to hackers
Q: My wife and I own and operate a restaurant and homemade candy store.
We presently have a Web site, but it is not secure to order from. What
advice do you have on Web-site security?
--K.A., Goshen, Indiana
A: Information security shouldn't be an afterthought for companies that
do business on the Web. Build the costs into your initial investment
plans and operating budget for the Web site.
You can build a Web commerce site without outside help these days. Still, it's
worth getting professional advice on security and having a security assessment
done regularly by an outside consultant. You can even do one in-house with the help
of security-scanning software. (Check www.iss.net for software options.) A Web-site
consultant will understand most of the issues and explain the options.
How much security you put in place should depend on what your site does. Being
small is no protection. Hackers target small businesses because they're easy marks.
The old adage about an ounce of prevention applies. If you lose vital company data
to a virus or if a hacker shuts down online orders for a week, earlier savings on
security will be cold comfort.
That doesn't mean everyone needs the most elaborate security available. At a
minimum, you should have virus protection, though. Software that detects and removes
viruses and the more destructive applet-based "vandals" is widely available
off-the-shelf or free for the downloading at antivirus sites. One resource is
Esafe's anti-vandal resource center (www.esafe.com).
Your operating system, whether it is NT, Unix, or another system, needs to
be secured before you set up your Web site. Most operating systems' manufacturers
post security alerts when they discover weaknesses that are being exploited by
hackers, and they make Band-Aid fixes available for free.
The Carnegie-Mellon Emergency Response Team (CERT) also puts out advisories,
vulnerability updates, and security alerts at its Web site, www.cert.org.
Password protection is another important element of your security system. With an
E-commerce site, you may want to allow different users to have different layers of
access to information. While retail customers may only see product lists and retail
prices, authorized dealers or trade accounts can use their passwords to check
inventories and wholesale prices, which you wouldn't want your end users or
competitors to see.
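As an added example, not code from the column or from any vendor it names, here is how a small storefront might implement the layered access just described in Python: trade accounts log in with a password that is stored only as a salted PBKDF2 hash, and each price or inventory field is checked against the caller's role on the server before it is returned. The account name, SKU, prices and stock figures are constructed.

```python
"""Role-based access for a small storefront: retail visitors see product
lists and retail prices; trade accounts, after authenticating, also see
inventory and wholesale prices. Passwords are stored only as salted hashes.
Example code, not from the column; the account data below is constructed."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# What each role may read. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "retail": {"product_list", "retail_price"},
    "trade": {"product_list", "retail_price", "inventory", "wholesale_price"},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt per account defeats
    precomputed hash tables; PBKDF2 iterations slow down offline guessing."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


# Constructed account store: username -> (salt, hash, role). Retail visitors
# need no account at all; only trade accounts hold credentials.
_salt, _hash = hash_password("correct horse battery staple")
ACCOUNTS = {"acme-candy-wholesale": (_salt, _hash, "trade")}


def authenticate(username: str, password: str) -> str:
    """Return the caller's role: 'trade' on a valid login, otherwise 'retail'."""
    record = ACCOUNTS.get(username)
    if record is None:
        # Hash anyway so an unknown user takes as long as a wrong password,
        # which keeps response time from revealing which usernames exist.
        hash_password(password, b"\x00" * 16)
        return "retail"
    salt, expected, role = record
    return role if verify_password(password, salt, expected) else "retail"


def can_view(role: str, resource: str) -> bool:
    """Server-side check; hiding a link in the page is not access control."""
    return resource in ROLE_PERMISSIONS.get(role, set())


def product_view(role: str, sku: str) -> dict:
    """Build the response for one product with only the fields the role may see."""
    # Constructed catalogue entry.
    catalogue = {
        "fudge-1lb": {"retail_price": 12.00, "wholesale_price": 7.50, "inventory": 140},
    }
    item = catalogue[sku]
    return {field: value for field, value in item.items() if can_view(role, field)}


if __name__ == "__main__":
    role = authenticate("acme-candy-wholesale", "correct horse battery staple")
    print(role, product_view(role, "fudge-1lb"))
    print("retail", product_view("retail", "fudge-1lb"))
```

The important design point is that the wholesale price and stock count never leave the server for a retail caller; the filtering happens in `product_view`, not in the page template, so a customer who edits the URL or the HTML still gets only the retail fields.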
Even if your site is just an online billboard listing company information, you
need a firewall that sits between the Internet and your site and allows
only authorized people to get into the files on your server. Get what's known as
an enterprise-level firewall system, recommends Susan Crabtree, president
of Mission Critical Systems, a network security firm in Ft. Lauderdale. "There
are over 200 firewalls on the market, ranging [in cost] from a minimum of $1,000
to up to $50,000, depending on the platform and type of firewall you select,"
she says. "Make sure the one you choose will have the ability to grow as you
grow. A lot of companies don't look ahead after they get their immediate
product, and they regret it later."
Without a firewall, hackers could compromise your Web site. Their mischief can
range from embarrassing pranks, such as putting rude words or pictures up on your
site, to expensive and dangerous intrusions into your company's financial records
and personnel files. "You don't want to let a Web server be a back door for a hacker
or a competitor to get into your corporate network. If you leave a conduit open,
it's just like leaving a window open in your factory after hours," says R.W. Foster,
owner of Foster & Associates corporate security firm in Costa Mesa, Calif. Without a
firewall, hackers can even manipulate your site and use it as a launching pad for
their nefarious activities without your knowledge, Crabtree says.
When you're doing E-commerce, another security measure you'll need is a
"secure socket," which creates an encrypted transmission line for information
and credit-card numbers traveling to and from your credit-card processor, so
hackers cannot intercept sensitive data going over the Web. Your credit-card
processing company should be able to help you set up this security measure. For
more information, visit the Web site of Verisign, www.verisign.com.
A small business may or may not opt for more expensive protection, including
intrusion detection products, which monitor traffic for hacking attempts such
as multiple tries to determine passwords. Software such as RealSecure,
available at www.iss.net, will issue a systems alert and page your company
engineers if it determines that someone is jiggling your virtual doorknob.
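As an added example, not code from the column or from RealSecure, the following Python detects the "multiple tries to determine passwords" pattern that an intrusion-detection product watches for: it counts failed logins per source address inside a sliding time window and raises an alert once the count reaches a threshold. The log format, addresses and timestamps are constructed.

```python
"""Flag repeated failed logins per source address from authentication logs.
Example code, not the column's or any vendor's; the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a simple "timestamp source result user=NAME" format.
SAMPLE_LOG = """\
2000-03-01T09:00:01 203.0.113.7 FAIL user=admin
2000-03-01T09:00:04 203.0.113.7 FAIL user=admin
2000-03-01T09:00:05 198.51.100.2 OK user=jsmith
2000-03-01T09:00:07 203.0.113.7 FAIL user=root
2000-03-01T09:00:09 203.0.113.7 FAIL user=sales
2000-03-01T09:00:11 203.0.113.7 FAIL user=admin
2000-03-01T09:15:00 198.51.100.2 FAIL user=jsmith
2000-03-01T09:30:00 198.51.100.2 FAIL user=jsmith
this line is not a valid record
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) user=(\S+)$")


def parse_line(line):
    """Return (timestamp, source, result, user) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed input is skipped, never trusted
    ts, src, result, user = m.groups()
    return datetime.fromisoformat(ts), src, result, user


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return a list of (source, first_failure_time, failure_count) alerts.

    An alert fires when one source accumulates `threshold` failed logins
    inside a sliding `window`. After an alert the source's window is cleared,
    so a sustained burst produces one alert per `threshold` failures rather
    than one per line."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, result, _user = parsed
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, q[0], len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for src, first, count in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {src}: {count} failed logins starting {first.isoformat()}")
```

Run as-is, the sample produces a single alert for 203.0.113.7, which failed five times within ten seconds; 198.51.100.2's two failures fifteen minutes apart stay below the threshold, which is the kind of slow, spread-out activity a window-based rule will miss and a longer window or per-account counter would catch.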
Think of security as an ongoing expense, not a one-time one, experts
say. You'll need to keep your software up-to-date to cope with new
viruses and other system threats. Do a search on keywords like "Web site
security" and you'll find many software products, security consultants, and Web
pages on information security. Foster's site, www.security-online.com, is a central
resource on the topic with many links to other related sites.
Have a question about running your business? Ask our small-business experts. Send us an E-mail at editors@businessweekmail.com, or write to Smart Answers, BW Online, 46th Floor, 1221 Avenue of the Americas, New York, NY 10020. Please include your real name and phone number in case we need more information; only your initials and city will be printed. Because of the volume of mail, we won't be able to respond to all questions personally.