Security experts: Can you afford them?

By now you've heard about the security breach at Microsoft that could have leaked trade secrets and instigated significant intellectual property losses. Lots of folks are chuckling, wishing Big M the worst, thinking this is a just reward for a company that cares nothing for the likes of the little guy. If the world leader in software development can't nail down its weaknesses, then who can?

You can. Security must be a top priority for small businesses, from the owner on down to the clerical level, because as large enterprises become increasingly effective at stopping hackers, small businesses will more often become hacker targets.

If your firm employs a staff of more than 25, or if you plan to pursue, or currently outsource, e-commerce, you should have at least one full-time IT professional with security expertise. Small companies, however, often don't have the resources to attract the highly trained and experienced security experts who can protect the information assets of the firm. In fact, the majority of all firms currently operate without dedicated security staff.

Nevertheless, there are some basic steps you can take to put security into practice. The first step is to prepare a security plan to identify those business areas that represent the greatest threat to your business success were they to be attacked. Your senior staff is best equipped for this process and will learn a great deal from the experience.

At a minimum, your plan should provide details on how you will:

1. Update your in-house IT staff on major security issues that uniquely impact the firm.
2. Secure the physical facility including computer and telecommunications hardware.
3. Establish password procedures and practices as well as data access and distribution protection (e.g., limit database downloads from servers to PC hard drives).
4. Oversee outsourced e-commerce services to assure the privacy and security of both customer and company information.
5. Maintain security software (e.g., anti-virus, firewall, e-mail attachment), and keep application software current with the latest security patches.
6. Direct the human resources department to check employees' backgrounds, and coordinate with HR staff during employee outprocessing. Internal breaches are more of a threat for small businesses than external hackers.
7. Train end users to be aware of security issues and effective practices, and institute reporting procedures.

As part of the planning process conduct a security audit using external consultants to identify physical security weaknesses. Have other consultants complete a system vulnerability analysis to uncover holes in your network infrastructure. Don't expect one contractor to be able to competently conduct both the audit and system vulnerability analysis -- each requires a separate set of skills.

Any physical security weak points your consultants identify -- including laptop computer theft, a major physical security threat for many organizations -- by can be shored up by installing such items as pass code or biometric access devices, locking server closets or storage rooms, using area access barriers, and requiring employee badges.

If the vulnerability analysis identified cyber-security holes, you can patch them with software updates or additional software. Vulnerability analysis is usually a "foot in the door" for further security services, so your contractors should have specific recommendations to harden your network against attack.

Can you afford security staff? Frankly, you can't afford to do without them.

Dr. Goslar is principal analyst and founder of E-PHD, LLC - a security industry research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce.