As more small companies connect to the Internet, they become aware of new ways their data can be attacked. This, combined with recent high-profile computer break-ins involving government agencies and reputable corporations nationwide, has caused small businesses to take data security more seriously.
Protecting your company against intruders starts with a systematic and objective look at your business's data security issues. "Small businesses need to think about where they have data and the different ways people can access it, and consider scenarios in which it can be compromised, altered, destroyed or stolen," suggests Ira Machefsky, vice president of Giga Information Group, an IT advisory service in Santa Clara, California.
First, determine where your computer system is weakest. Once you decide what you need to protect, devise a plan that combines a set of security procedures with technology intrusion barriers. Keep in mind that the potential harm may not come from hackers outside the organization--current and former employees are often the biggest threats to a company's computer security.
What's The Magic Word?
Your first barrier against intruders is user passwords and IDs. Operating systems like Microsoft's Windows 95 or NT and Novell's NetWare have built-in password and ID functions. Although they can be somewhat easy to get around, they serve as a minimum level of defense to restrict unwanted access into computer systems, databases and files.
Instruct employees to change their passwords frequently, refrain from sharing them with others, and stop keeping them on Post-it notes stuck to their computers. Choose passwords with at least seven characters; many programs will let you establish ones with dozens of characters. Try to mix lowercase and uppercase letters, avoid using any character more than once, and incorporate punctuation, numbers and symbols. Stay away from obvious passwords like a spouse or child's name, birthdates and other personal information such as social security or telephone numbers.
Scaling The Wall
Depending on your security needs, the next line of defense to consider is a good firewall. A firewall consists of software or hardware that lets you decide who is allowed into your system. Firewalls, also called proxy firewalls, prevent direct connections from Internet hosts to internal hosts (you). Proxies in the security software intercept each Internet data packet, analyze the source and destination of data, then decide whether to pass it forward or block it. Firewalls are a good idea for companies with network connections to the Internet, which make them more vulnerable to intrusion.
When Digital Magic Inc., a Cleveland-based pre-press shop, began offering clients remote access to annual reports and other confidential information on its servers, owner Mark Goren, 42, and MIS manager Jordan Levy, 32, decided to invest in a firewall. "Before, none of our servers were accessible through the Internet, but now they are," explains Levy. "We wanted to give our clients a sense that their data was going to be secure."
The solution: Firebox II (starting at $4,995) from WatchGuard Technologies Inc. Firebox II, a bright red box that plugs in to and resides between your router and LAN, offers an integrated security solution that includes access control and user authentication. It also has features for data encryption. The Virtual Private Networking feature lets you use the Internet as your own private network for transferring sensitive information between sites.
Levy was particularly impressed with the product's ease of use. Its graphical user interface (GUI) makes it easy to add new security proxies and set up user access. "Because everything's done through the GUI, it's really easy to manage," Levy says.
Many firewalls offer advanced solutions that require some knowledge of network security and come with features you may not need. Levy, for instance, doesn't use some of Firebox II's features for blocking employee access to certain Internet sites and for tracking areas they visit. For companies with less complicated security needs, consider SonicWALL from Sonic Systems (starting at $499). This product, formerly known as Interpol, delivers high security at an affordable price. SonicWALL offers basic packet inspection to determine if data is allowed through the firewall, and a version called SonicWALL Plus DMZ offers protection from "denial of service attacks," which occur when hackers flood your network with spam.
Network-based firewall solutions that run on an operating system such as Windows NT are another option. Novell's BorderManager Authentication Service for operation with Novell's NetWare network software has single-point administration for easy access-privilege setup. BorderManager offers advanced firewall protection that includes packet filtering and other kinds of high-level checks and balances.
To take the hassle out of installing and maintaining a firewall, consider a managed firewall service. Managed services are convenient, but they're also fairly pricey and generally targeted at large companies. For several thousand dollars per year, Sprint, AT&T and GTE (among others) will provide complete managed firewall services that include installation, configuration and remote management.
No matter what solution you choose, experts strongly advise selecting a firewall with plug-and-play features that simplify use. Misconfigured firewalls with gaping holes for perpetrators to enter can be as dangerous as not having one at all.
Inside Job
Sadly, current employees and disgruntled ex-workers are the most common violators of company data. However, there are precautions you can take to minimize this risk.
SecureWin Technologies offers a desktop security solution and a line of client/server products to centrally install and manage security applications. One of its products, SecureWin 2.0, offers a well-rounded security solution with features like Secure Boot to prevent unauthorized system access, Secure Delete to remove sensitive files, and centrally administered control over user access to programs and files.
SecureWin also offers high-quality e-mail and file encryption features. Even if you're not familiar with public-private key encryption, SecureWin makes it easy to protect files by scrambling their contents so they can't be read. The Automatic Encryption feature provides transparent file and folder encryption and decryption, so files on your desktop or network are automatically decrypted when opened and re-encrypted when saved or closed. There's also a Secure Sign-on feature that allows one-time-use identification through a single password prompt during login, limiting access to network resources. SecureWin Desktop Edition 2.0 costs $49.95 for an individual license or $450 for a 10-seat license; SecureWin 2.0 Small Business Server costs $495.
Computer viruses also pose a significant threat to small-business data security. Every company should make use of a good anti-virus program like Symantec's Norton AntiVirus (Version 5.0 for Macintosh or version 4.0 for Windows 95, 98 and NT costs $69.95.) Norton AntiVirus provides continuous virus protection that runs invisibly while you work, one year of free virus definition updates, and protection against new viruses.
Sometimes, data can be compromised by employees who delete or harm computer files accidentally. The best way to protect your business is to back up your data. Back up your hard drive before installing any new programs and perform regular backups weekly or even daily, if possible. It's also a good idea to unarchive backup data occasionally to make sure your system is working properly.
Finally, no security plan is complete without a written security policy distributed companywide that provides clear rules on how your organization manages, protects and distributes information. Digital Magic, for instance, has a policy that requires all its clients' disks and Internet files to be scanned, and all its employees to have anti-virus software installed on their machines. A good data policy also covers issues like employee access to information stored in hard-copy files and digital format, remote user access, and data backup procedures. Also, clearly outline what must be done when employees are terminated, such as automatic restriction of rights to online accounts or networks.
No computer system is ever 100 percent secure. The important thing is to minimize your major security risks by implementing the best security precautions you can afford. If you're on a tight budget, take advantage of inexpensive solutions such as passwords, user IDs and data backup. That way, you can rest easy knowing you're doing all you can to protect your valuable business data.
This story appears in the October 1998 issue of Entrepreneur. Subscribe »
