Internet security is a broad term that refers to the various steps individuals and companies take to protect computers or computer networks that are connected to the Internet. One of the basic truths behind Internet security is that the Internet itself is not a secure environment. The Internet was originally conceived as an open, loosely linked computer network that would facilitate the free exchange of ideas and information. Data sent over the Internet—from personal e-mail messages to online shopping orders—travel through an ever-changing series of computers and network links. As a result, unscrupulous hackers and scam artists have ample opportunities to intercept and change the information. It would be virtually impossible to secure every computer connected to the Internet around the world, so there will likely always be weak links in the chain of data exchange.
Due to the growth in Internet use, the number of computer security breaches experienced by businesses has increased rapidly in recent years. At one time, 80 percent of security breaches came from inside the company. But this situation has changed as businesses have connected to the Internet, making their computer networks more vulnerable to access from outside troublemakers or industry spies. To make matters worse, as Vince Emery noted in How to Grow Your Business on the Internet, 97 percent of companies that experience breaches in computer security do not know it. When business owners do become aware of problems, furthermore, Emery estimated that only 15 percent report the security breach to authorities.
Small business owners need to recognize the various threats involved in conducting business over the Internet and establish security policies and procedures to minimize their risks. As a writer for Business Week noted, "With your business ever more dependent on safe use of the Internet, security savvy has become as important as understanding marketing and finance." Internet security measures range from hardware and software protection against hackers and viruses, to training and information programs for employees and system administrators. It may be impossible—or at least impractical—for a small business to achieve 100 percent secure computer systems. But small business owners can find ways to balance the risks of conducting business over the Internet with the benefits of speedy information transfer between the company and its employees, customers, and suppliers.
COMMON SECURITY PROBLEMS
In The E-Commerce Book, Steffano Korper and Juanita Ellis outline several common security problems that affect small business computers. For example, a well-known cause of computer problems are viruses, or damaging programs that are introduced to computers or networks. Some viruses rewrite coding to make software programs unusable, while others scramble or destroy data. Many viruses spread quickly and operate subtly, so they may not be noticed until the damage has already been done.
Hackers have two main methods of causing problems for businesses' computer systems: they either find a way to enter the system and then change or steal information from the inside, or they attempt to over-whelm the system with information from the outside so that it shuts down. One way a hacker might enter a small business's computer network is through an open port, or an Internet connection that remains open even when it is not being used. They might also attempt to appropriate passwords belonging to employees or other authorized users of a computer system. Many hackers are skilled at guessing common passwords, while others run programs that locate or capture password information.
Another common method of attack used by hackers is e-mail spoofing. This method involves sending authorized users of a computer network fraudulent e-mail that appears as if it were sent by someone else, most likely a customer or someone else the user would know. Then the hacker tries to trick the user into divulging his or her password or other company secrets. Finally, some hackers manage to shut down business computer systems with denial of service attacks. These attacks involve bombarding a company's Internet site with thousands of messages so that no legitimate messages can get in or out.
BASIC MEANS OF PROTECTION
Luckily, computer experts have developed ways to help small businesses protect themselves against the most common security threats. For example, most personal computers sold today come equipped with virus protection. A wide variety of antivirus software is also available for use on computer networks. In addition, many software companies and Internet Service Providers put updates online to cover newly emerging viruses. In addition to installing antivirus software and updating it regularly, Korper and Ellis recommend backing up data frequently and teaching employees to minimize the risk of virus transmission.
One of the most effective ways to protect a computer network that is connected to the Internet from unauthorized outside access is a firewall. A firewall is a hardware security device that is installed between a computer network and the Internet. It acts like a Web server, routing traffic, but also blocks external users from accessing the internal computer system. Of course, a firewall cannot protect information once it leaves the network. A common method of preventing third parties from capturing data while it is being transmitted over the Internet is encryption. Encryption programs put data into a scrambled form that cannot be read without a key.
There are several methods available to help small businesses prevent unauthorized access to their computer systems. One of the most common methods is authentication of users through passwords. Since passwords can be guessed or stolen, some companies use more sophisticated authentication technologies, such as coded ID cards, voice recognition software, retinal scanning systems, or handprint recognition systems. All of these systems verify that the person seeking access to the computer network is an authorized user. They also make it possible to track computer activity and hold users accountable for their use of the system. Digital signatures can be used to authenticate e-mails and other outside documents. This technology provides proof of the origin of documents and helps prevent e-mail spoofing.
PROTECTING E-COMMERCE CUSTOMERS
In addition to protecting their own computers from security threats, companies that conduct business over the Internet must also take care to protect their online customers. Individuals and companies that make purchases online are becoming increasingly concerned about the security of the Web sites they visit. If a customer experiences problems using your small business's site, they are unlikely to trust you with their business again. They may use the mass communication potential of the Internet to inform other potential customers of the hazards. Furthermore, competitors may take advantage of the situation to steal your customers by advertising a secure Web server. "It's up to you to make your online customers feel safe and secure in their dealings with your company, " Paul J. Dowling, Jr. wrote in Web Advertising and Marketing. "And it's your responsibility to reduce their actual risk. Your customers have entrusted their money to your company; the least your company can do is safeguard it."
Unfortunately, small businesses engaged in e-commerce are most vulnerable to Internet security threats. As Emery explained, the same programs that facilitate electronic shopping also create a potential hole in your computer system security. As you collect credit card numbers and other customer information from fill-in-the-blank forms, or grant potential customers access to your databases full of product information, you may also leave yourself open to attacks by hackers or competitive spies.
Emery makes a series of recommendations for small businesses that conduct business over the Internet. First, he stresses that all Internet software should be kept as far as possible from regular system software. For example, a small business might use a standalone computer to run its Web server or place a firewall between the Web server and the rest of the computer network. It may also be possible to run a small e-commerce operation on an Internet Service Provider's computer rather than a company machine. Emery also emphasizes that small businesses should never store customer information—especially credit card numbers—on its Web server or any other computer connected to the Internet. It is also a good idea to avoid putting any sensitive or proprietary company information on these machines.
For small businesses, which may not be able to employ computer experts who are qualified to establish and monitor Internet security systems, Emery recommends leaving e-commerce security to an Internet Service Provider (ISP). Many ISPs allow businesses to purchase Web space on a secure server for a reasonable price. In any case, small business owners should weigh the costs of implementing a secure Web server—and hiring the staff to continually monitor and maintain it—against the potential profits they may receive from online sales.
SECURITY POLICIES AND PROCEDURES
In order for hardware and software security measures to be effective, small businesses must incorporate computer security into their basic operations. Korper and Ellis recommend that small business owners establish a set of policies and procedures for Internet security. These policies should encompass computer activity at both the user level and the system administrator level.
At the user level, one of the first tasks is to educate users about the importance of computer security. Every user should require a password to access the company's computer system. Passwords should be at least eight characters long and include letters, numbers, and symbols. Employees should be advised to avoid obvious choices like names or birthdates. In addition, employees should be instructed never to store their password in a drawer or on a bulletin board, never to let anyone else log into the system using their name and password, and never to leave their computer on and unattended. Overall, small business owners need to convince employees that the information on the company's computer system is confidential, and that they have a responsibility to help protect it.
Computer system administrators should be involved in developing and implementing security policies and procedures. They are in charge of ensuring that the system's hardware and software are secure, as well as controlling and monitoring access to the system. Korper and Ellis mention a number of steps administrators can take to help protect a company's computer systems. First, they recommend keeping servers in a locked room with limited access. Second, they suggest separating system files from data files on the computer network. Third, they advise administrators to install virus scanning software on all company computers and prohibit employees from copying out-side programs or files onto the network.
Many of the system administrator's duties involve preventing unauthorized people—both inside and outside the company—from gaining access to the computer network. Internally, it is a good policy to limit employees' access to the system based upon their job needs. For example, it would probably not be necessary for person in accounting to have access to personnel records. The administrator should define user and group-access rights to allow employees to do their jobs without also making the system unnecessarily vulnerable to attacks from disgruntled workers. Another sound policy is to require employees to change passwords frequently, and to immediately disable passwords when employees leave the company or are terminated. Administrators should also grant Internet access only to those employees who need it for business purposes. It is possible to block employees' access to games, newsgroups, and adult sites on the Internet, and to install software that generates reports of the Internet destinations visited by employees.
In order to prevent unauthorized external access to the computer system, administrators should define access rights granted to suppliers and customers. They should also make sure Internet ports are secure, and possibly implement a firewall to protect the internal network from outside access. Another important policy is never to store employee passwords on any computer that is connected to the Internet. Administrators should also be careful about establishing guest accounts on the company's computer system, since some such requests may come from hackers or competitive spies.
There are a number of tools available to assist system administrators in monitoring the security of a company's computer network. For example, network auditing software tracks users who are accessing the system and what files are being changed. It also alerts the administrator to excessive failed log-in attempts. The best auditing packages generate network usage reports on demand, which allows the administrator to reconstruct events in case of a security breach.
Finally, a small business's computer security policies should cover emergency situations, such as detection of a virus or a security breach from outside the company. As Emery noted, it may be helpful to prepare a printed emergency response guide for both employees and system administrators. In a worst-case scenario, any guidelines stored on the computer system would be useless. Emery also outlines the basic steps companies should follow in case of severe system problems. First, employees who suspect a problem should contact the network administrator. The administrator should then get in touch with technical support at the ISP to determine the extent of the problem. It may also be helpful to contact the Computer Emergency Response Team (CERT) to find out if other companies are experiencing same problems. At this point, the administrator may wish to contact the small business owner or appropriate non-technical managers to inform them of the problems. Management can then decide whether to contact local law enforcement and what to tell employees.
ASSISTANCE WITH INTERNET SECURITY
Although dealing with the intricacies of Internet security may seem intimidating, there are a number of resources small business owners can turn to for help. For example, many companies have begun to offer packaged online security technologies, such as the hardware-based Web Safe system. In addition, secure Web servers and browsers are widely available. These systems, which include Netscape Navigator and Netscape Commerce Server, remove much of the Internet security burden from small businesses. Further-more, several Web sites provide free virus warnings and downloadable antivirus patches for Web browsers. The Computer Security Institute provides annual surveys on security breaches at www.gocsi.com. Another useful resource is the National Computer Security Association (www.ncsa.com), which provides tips on Internet security for business owners and supplies definitions of high-tech terms.
Small businesses seeking to establish Internet security policies and procedures might begin by contacting CERT. This U.S. government organization, formed in 1988, works with the Internet community to raise awareness of security issues and organize the response to security threats. The CERT web site (www.cert.org) posts the latest security alerts and also provides security-related documents, tools, and training seminars. Finally, CERT offers 24-hour technical assistance in the event of Internet security breaches. Small business owners who contact CERT about a security problem will be asked to provide their company's Internet address, the computer models affected, the types of operating systems and software used, and the security measures that were in place.