Who's Hacking Into Your System Now?
by Doug Cruickshank
Canadian Manager • Summer, 2001 • Grant Thornton L.L.P., Internet security services
Dreams of overnight success through new e-business ventures can
quickly turn to nightmares if security issues are not addressed in your
business planning.
When your computer systems interconnect with other systems to enable e-business, the risks to the integrity of your systems and data multiply exponentially. And these threats are not limited to the external ones posed by hackers. The dangers are as much internal as they are external.
Before doing business through the Internet, security must be addressed. Don't think of security as a barrier, but rather as an enabler of success. If you can promise good security at your site, customers will be encouraged to do business with you, just as they are encouraged by your wide selection of goods, the sophistication of your site, or your prompt and dependable service. Good security will also convince customers that your pledges of consumer privacy (another barrier to e-commerce) are sound.
Just as you may protect your bricks-and-mortar business from break-ins only to find out the store clerk can rob you blind, in the e-business world security must cover many things. Your customers want to know their business dealings and any information shared with you will be kept private. You, on the other hand, want your business systems to remain available to customers yet safe from actions that could damage your reputation. Both you and your customers want to know that any information exchanged remains exactly as originally transmitted -- not somehow altered en route.
Start With the Basics
e-business security is a very complex equation. It involves a unique combination of technologies and management that, even if set up to 'best practice' standards, cannot absolutely guarantee full protection. However, if you pay attention to the basics, you will reduce the risks and instill customer confidence in your e-business.
Security 101 -- Protecting Your Systems From Your Employees
After reading newspaper accounts of high-profile hacker attacks you might conclude that external threats are your biggest concern. However, most reliable surveys report that employees are the most common source of security breaches. Through their actions, whether intentional or accidental, employees may bring your system down for days at a time, which means serious damage to your reputation and lost sales.
Your technology system's first line of defense should be
security policies that take into account your connection to the
Internet. Firewall configuration, intrusion detection and decoy systems,
access controls (including password strength), employee privileges,
supervision, and system redundancy and backup need to be considered. Be
thorough and aggressive! Once you are satisfied with your policies, go
about the business of making them work.
Establish Solid Web Security
Establishing perimeter security with a firewall is an important
layer of your technology system's security. A firewall is a barrier
between two networks, such as your internal network and the Internet.
The firewall blocks unwanted messages from passing between the two. If
not properly configured, a firewall can be exploited by an attacker.
Once effectively established though, a firewall, and indeed all of your
perimeter security, needs to be continuously studied and tested to
ensure your business can withstand the latest new threats in
"hacker land". Think about having periodic penetration tests
and vulnerability assessments performed by a trusted security
professional to gain comfort that your established security is sound.
Firewalls alone, however, are not a complete Internet security
solution. Setting up an intrusion detection system will let you know
when someone is lurking around or even has penetrated your security. It
is also wise to have a good incident response plan ready to deal with
events reported from an intrusion detection system.
Finally, pay attention to encryption technology. It protects the
credit card and order transactions transferred through the Internet by
your customers.
Assess and Re-Assess
Good security in the e-business world requires attention. Every day
hackers find new ways to exploit your system and they are quick to share
this information with almost anyone. To ensure new security concerns are
addressed, perform security audits on a regular basis and ensure the
results are followed up.
Cover Your Risks
Perhaps the most important thing you can do is bring in a
specialist with the knowledge and skills to identify your risks, assess
your systems and provide practical solutions. At Grant Thornton LLP, our
e-business team includes technology risk management professionals whose
business is to keep up with the changing complexities of managing
security on the Internet and bring that knowledge to bear on your
technology systems. Our professionals are available to perform an
in-depth "security assessment" that will cover the basics -- analyzing the adequacy of your security policies, password rules, anti-virus protection, firewalls, intrusion detection systems, the use of encryption technology and more -- to identify the vulnerabilities in your system that both employees and hackers could exploit.
Depending on your needs, our assessments will analyze your security
architecture, perform vulnerability assessments, and conduct penetration
testing.
Beyond providing advice on e-business security, we are licensed by
the Canadian Institute of Chartered Accountants to issue their WebTrust
seal to qualified businesses. This seal provides your customer with
assurance that your site has installed important controls that meet or
surpass established guidelines on business practices, transaction
integrity, privacy, security, availability, confidentiality and
non-repudiation.
Good security is important to the success of every business. In
e-business it's vital. Protect yourself with solid security
practices and reap the rewards. Remember, there's still a
"b" in e-business.
Grant Thornton LLP is a leading Canadian firm of chartered
accountants, management consultants and other professional advisers that
serves entrepreneurial people and organizations nationwide. Grant
Thornton advisers provide a full range of business advice including
assurance, tax, financial and management consulting services to
owner-managed businesses and not-for-profit organizations.
Covering the Basics of e-Business Security
1) Implement a comprehensive security policy
2) Enforce strong passwords
3) Distribute anti-virus software
4) Install a properly configured firewall
5) Install an Intrusion Detection System
6) Use strong encryption technology
7) Perform regular security audits
COPYRIGHT 2001 Canadian Institute of Management. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.