Computer Security: Don't Leave Open a "Back Door" into Your Business
An unsecured Web site is an invitation to hackers
Q: My wife and I own and operate a restaurant and homemade candy store.
We presently have a Web site, but it is not secure to order from. What
advice do you have on Web-site security?
--K.A., Goshen, Indiana
A: Information security shouldn't be an afterthought for companies that
do business on the Web. Build the costs into your initial investment
plans and operating budget for the Web site.
You can build a Web commerce site without outside help these days. Still, it's
worth getting professional advice on security and having a security assessment
done regularly by an outside consultant. You can even do one in-house with the help
of security-scanning software. (Check www.iss.net for software options.) A Web-site
consultant will understand most of the issues and explain the options.
How much security you put in place should depend on what your site does. Being
small is no protection. Hackers target small businesses because they're easy marks.
The old adage about an ounce of prevention applies. If you lose vital company data
to a virus or if a hacker shuts down online orders for a week, earlier savings on
security will be cold comfort.
That doesn't mean everyone needs the most elaborate security available. At a
minimum, you should have virus protection, though. Software that detects and removes
viruses and the more destructive applet-based "vandals" is widely available
off-the-shelf or free for the downloading at antivirus sites. One resource is
Esafe's anti-vandal resource center (www.esafe.com).
Your operating system, whether it is NT, Unix, or another system, needs to
be secured before you set up your Web site. Most operating systems' manufacturers
post security alerts when they discover weaknesses that are being exploited by
hackers, and they make Band-Aid fixes available for free.
The Carnegie-Mellon Emergency Response Team (CERT) also puts out advisories,
vulnerability updates, and security alerts at its Web site, www.cert.org. Password
protection is another important element of your security system. With an E-commerce
site, you may want to allow different users to have different layers of access to
information. While retail customers may only see product lists and retail prices,
authorized dealers or trade accounts can use their passwords to check inventories
and wholesale prices, which you wouldn't want your end users or competitors to see.
Even if your site is just an online billboard listing company information, you
need a firewall that sits between the Internet and your site and allows
only authorized people to get into the files on your server. Get what's known as
an enterprise-level firewall system, recommends Susan Crabtree, president
of Mission Critical Systems, a network security firm in Ft. Lauderdale. "There
are over 200 firewalls on the market, ranging [in cost] from a minimum of $1,000
to up to $50,000, depending on the platform and type of firewall you select,"
she says. "Make sure the one you choose will have the ability to grow as you
grow. A lot of companies don't look ahead after they get their immediate
product, and they regret it later."
Without a firewall, hackers could compromise your Web site. Their mischief can
range from embarrassing pranks, such as putting rude words or pictures up on your
site, to expensive and dangerous intrusions into your company's financial records
and personnel files. "You don't want to let a Web server be a back door for a hacker
or a competitor to get into your corporate network. If you leave a conduit open,
it's just like leaving a window open in your factory after hours," says R.W. Foster,
owner of Foster & Associates corporate security firm in Costa Mesa, Calif. Without a
firewall, hackers can even manipulate your site and use it as a launching pad for
their nefarious activities without your knowledge, Crabtree says.
When you're doing E-commerce, another security measure you'll need is a
"secure socket," which creates an encrypted transmission line for information
and credit-card numbers traveling to and from your credit-card processor, so
hackers cannot intercept sensitive data going over the Web. Your credit-card
processing company should be able to help you set up this security measure. For
more information, visit the Web site of Verisign, www.verisign.com.
A small business may or may not opt for more expensive protection, including
intrusion detection products, which monitor traffic for hacking attempts such
as multiple tries to determine passwords. Software such as RealSecure,
available at www.iss.net, will issue a systems alert and page your company
engineers if it determines that someone is jiggling your virtual doorknob.
Think about security as an ongoing -- not a one-time expense -- experts
say. You'll need to keep your software up-to-date to cope with new
viruses and other system threats. Do a search on keywords like "Web site
security" and you'll find many software products, security consultants, and Web
pages on information security. Foster's site, www.security-online.com, is a central
resource on the topic with many links to other related sites.
Have a question about running your business? Ask our small-business experts. Send us an E-mail at firstname.lastname@example.org, or write to Smart Answers, BW Online, 46th Floor, 1221 Avenue of the Americas, New York, NY 10020. Please include your real name and phone number in case we need more information; only your initials and city will be printed. Because of the volume of mail, we won't be able to respond to all questions personally.