KEEPING INTRUDERS OUT of the network isn’t just a big company’s headache. Small businesses that swipe customers’ credit cards but have limited resources to beef up security are increasingly becoming the subject of hacker attacks.
Nearly one-third of businesses with fewer than 500 employees experienced some kind of security incident in 2006, according to the Computer Security Institute’s most recent computer crime survey. Overall, businesses in the U.S. suffered an average annual loss of $350,424 last year, up significantly from $168,000 in 2006. And according to Robert Richardson, CSI’s director, these reported losses typically underestimate the actual number of attacks.
“Small businesses are more and more becoming targets, as larger businesses build out more adequate business security structures,” says Adam Hils, a principal analyst for small-business security at Gartner, a research firm in Stamford, Conn. Many big businesses, for instance, are installing expensive intrusion-prevention systems (or IPS), which inspect network traffic that gets past a company’s firewall and block viruses, spyware and other unwelcome arrivals.
An IPS system, which can be attached to a company’s network via hardware or downloaded as software to a personal computer, can help a company comply with regulatory measures, too. For instance, the Payment Card Industry’s Data Security Standards, which are security rules imposed by credit-card companies Visa and MasterCard, require any business housing credit-card information to use, at the very least, intrusion-detection systems (or IDS). These systems, which are the precursor to IPS, simply detect bad traffic but don’t block it like IPS does.
Many small businesses simply don’t have deep enough pockets to install IPS systems, which can cost up to $250,000, plus an annual 20% maintenance fee. A number of alternatives, however, are available.
Building Your Defense
Not sure your small-business network is secure? Nelly Yusupova, the chief technical officer for Webgrrls International, a tech-centric networking group, offers some best network security practices.
Use firewalls. For businesses that don’t deal with highly sensitive information such as customer credit-card data, a simple firewall, which acts as a wall between your computer and the Internet, will do. “If you have a small network, you can get away with just a software firewall,” says Yusupova. However, larger networks should install a hardware firewall as well. “A hardware firewall is more secure and allows a single point monitoring of your whole network,” she says.
Set up strong passwords. Require employees to use strong passwords, which typically include numbers, special characters, and uppercase and lowercase letters. “The more characters you put in, the harder it will be to break your password,” she says. Also, set passwords to expire once every one to three months, she suggests.
Update often. It’s not good enough to just have a firewall or a more advanced security system: You also have to update it, says Yusupova. Be sure that your server, operating system and applications are equipped with the latest security patches. These measures will, she says, “close the security holes that can be exploited by hackers.”