Protect your business from malware, hackers and more.

By Amanda C. Kooser

You have locks on your office doors and an alarm system in your car. It’s just common sense in an uncertain world. The same precautions need to apply to your business technology, especially when it comes to internet security. Hackers, viruses, worms, Trojans, phishing e-mails, pharming, spam, malware and key loggers are all threats lurking on the internet. Fortunately, an informed entrepreneur can do plenty to protect his or her business. A combination of education, planning, and smart hardware and software choices can help you sleep easy at night. 

Defining Internet Security
Before we dive into the how-to portion of our program, we should define just what the term “internet security” encompasses. Anti-virus may be the first thing you think of. That’s a good start. “Anti-virus [protection] is completely necessary, but it’s not sufficient,” says Laura Yecies, general manager of Zone Labs (www.zonelabs.com) Consumer and Small Business Division at Check Point Software Technologies. It’s also about securing your web presence, your e-mail and all your computers that have web connections. Subjects that can fall under the internet security umbrella include malicious programs, employee training on safe surfing habits, network security and anti-spam measures.

The thought of hackers trying to break into your network may seem far-fetched for your small business. So why should you make internet security a priority? “If I’m a small business and I get hacked, and it makes it to the news, it could be devastating. It’s a credibility killer,” says Jared R. Greene, division president and lead assessor with IT services provider InfoSight (www.infosightinc.com).

There has been a shift in the internet threat landscape: More focused and targeted attacks by hackers mean growing businesses are more vulnerable than ever. “In the past, you had hackers that were hacking for glory. Now the attacks are worse in that. They’re more dangerous,” says Yecies. “[Hackers] can do more damage because they’re motivated by money.”

Hackers target smaller businesses because they’re betting they don’t have sophisticated internet security systems but may still maintain valuable data like credit card numbers or proprietary information. The “2005 FBI Computer Crime Survey” of 24,000 organizations (most with fewer than 100 employees) showed that 87 percent experienced some type of computer security incident. Viruses, spyware and port scans topped the list. It’s your duty as a business owner to make sure you take reasonable precautions and keep your customers’ data safe.

Planning for Security
Now that you know what you’re dealing with, it’s time to get down to the nitty-gritty of formulating an internet security plan. If you’re just starting a business, you’re in a good position to get a plan implemented from Day One. If you’re already established, it’s not too late to get your business in line and your employees onboard with a new set of policies. “First things first—you need to have a risk assessment to understand what your risks are,” says Greene. This is where you take inventory of the ways your business touches the internet. Do you have a website? Do you sell items online? Do your employees use e-mail? Do they have net access? Do you have any remote workers or telecommuters? Do you use wireless networks?

One word we heard several times from our experts is layered. Internet security isn’t just an anti-virus program or a firewall. Multiple layers of protection are your best bet for keeping your business safe. Says Greene, “At a mini-mum, if you have an internet web presence, you need anti-spyware, anti-malware and anti-virus. You need a stateful packet filtering firewall at the perimeter and to have somebody come in and validate the configuration.” We’ll talk more about bringing in a third-party consultant later.

All those programs may seem like a lot to keep up with, but a single security suite can cover the bases in one convenient package. Suites are available from companies like McAfee (www.mcafee.com), Norton (www.norton.com) and Zone Labs. “The best defense is to go to the source of where most of the risk is, which is on the individual PC,” says Yecies. Software suites can be very cost-effective, especially when you consider the cost of cleaning up a computer or business network after it’s been hacked or infected with a virus.

Don’t overlook laptops and computers used by home workers. These should have the same security software installed to protect your employees and your business no matter where they’re getting online. A VPN is a must for your mobile workers and telecommuters when they’re connecting to your business network. Jay Schwartz, 35, founder of Santa Barbara, California-based creative services agency Idea-Work Studios LLC (www.ideawork.com), has a couple of employees who telecommute a few days a week. “We deal with sensitive data from time to time,” he says. “Data transmitted over the internet has to be secured. When we log in from our home accounts, we use a VPN.”

An important component of any internet security plan involves keeping your employees educated. Schwartz says, “My employees know that our business is relying on the security and fidelity of our customers’ information. They’re trained not to take that lightly. There is no personal use of work e-mail.” Some common-sense policies include not clicking on attachments from unknown sources, not using your work e-mail address in online forums and not downloading unauthorized software.

These precautions can help protect your company from social engineering—a way to break business security by using people. An example of this is a phishing e-mail that looks like it came from a legitimate source and causes an unwitting user to click on it and surrender vital information like passwords. “It doesn’t matter how big you are—security awareness training has got to become a huge part of your organizational enterprise security stance,” says Greene.

Proper password usage is a major point. Simple and short passwords are easily broken. A combination of letters and numbers, upper and lower case over eight characters in length is a good starting point. Special characters and using words that aren’t found in the dictionary are good ideas as well. Change passwords often, and do not keep them written down near your desk or computer. This goes for passwords used for e-mail, for secure databases or information access, and for websites.

Don’t just set an internet security policy and then forget about it. Greene suggests that business owners assign a person to be in charge of the policy and then review the policy on an annual basis, updating it as needed. Software updates should be part of this process as well. Be sure to install the latest patches for everything from your operating system to your firewall and router. Most patches are security-related. Says Greene, “If you’re not doing updates, that could become the weakest link on the network.” 

Going for Help
You don’t have to be a technology whiz to install and set up an internet security suite on your PC. Very small offices can often handle it on their own. But as your business grows and your network becomes more elaborate, or as you move into areas like e-commerce, internet security can become a more complicated proposition. Unless you have the time and expertise to do it yourself, you may want to consider getting outside help.

Nina Korelitz-Matza and Gail Auster, both in their mid-40s and founders of WhoMi (www.mywhomi.com), a women’s products startup in New York City, knew from the get-go that they wanted to find a trusted third party to help set up their internet security. But finding an internet security consultant isn’t as easy as thumbing through the Yellow Pages. “We spoke to a lot of people we knew through business and personally who had developed websites for their own businesses and asked them for names, and we interviewed several people whose work we respected,” says Korelitz-Matza. They chose a web consultant who emphasized security to ultimately help them build their site and set up their e-commerce system.

Says Auster, “We monitor activity on our site on a daily basis. We really believe in providing a safe environment for our customers. We do not store our customers’ credit card numbers.”

Here are some tips for business owners looking to hire outside help. Check out a provider’s credentials. A Certified Information Systems Security Professional, or CISSP, designation is a good indication that a consultant is prepared to handle your internet security needs. Ask for references, and check up on several of them. Ask for references that aren’t on their regular list to delve more deeply. “Don’t cut corners,” says Schwartz. “Work with a professional who has the skills and experience to do this. It might cost you a little bit more in the short term, but it will save you a whole lot of money and headaches in the long run.”

Internet security is a process and a mind-set. It’s about being a responsible business owner and protecting your business and customer data. “We’re trying to build long-lasting relationships with our customers. If you breach security with your customers, they’re not happy with you as a company and you’ve lost them forever,” says Korelitz-Matza. It may seem like there is an overwhelming number of potential threats lurking about the internet, but a little forethought and preparedness go a long way. Don’t get scared; just get busy selecting and installing the right software and hardware for your business.

Amana C. Kooser is Entrepreneur magazine’s assistant technology editor.