Cyber-security vulnerability is big news these days. What's striking is how this news has changed focus: away from the crackers who breach Web site protections and steal confidential information and toward identifying organizations caught with their pants down who are "allowing" Web site break-ins. The last thing companies need, whether large or small, is public notice that they can't be trusted. Security isn't just for large corporations anymore.
What you should worry about
Recent research from the Cutter Consortium located in Arlington, Mass. uncovered alarmingly low levels of expertise and investments in security.
Cutter discovered that 31 percent of 134 large to enterprise-level global companies surveyed don't even use firewalls. So even basic security technology expertise levels are low. Global enterprises such as these are now getting a clue: results from the "2000 Information Security Industry Survey" conducted by Information Week show security budgets up 188 percent over the last two years for companies spending more than $1 million annually on computer security. They nearly doubled their budgets in the last 12 months. These companies are leaders in e-commerce and realize the importance of being online for their customers.
Small businesses can become major online competitors these days and can have global reach, thanks to cost-effective information technology services. Leveraging Internet technology is now mandatory in order to compete for customer dollars, whether locally or globally. Not surprisingly, "big" business becomes your business in cyberspace -- your online presence is not determined by your physical assets, but by the size of your virtual organization.
Your security worries will now be twofold: 1) internal security breaches, and 2) online black hats (yeah, the bad guys) who are tired of targeting newly hardened enterprise-level sites and are increasingly looking for easier pickings -- "small" business gateways.
The same "goodies" available through large corporate networks are usually available for hackers through small business infrastructures (e.g., customer account information, company information, slave site nesting for attacks on other sites). Unfortunately, hacking small business networks now requires comparatively less effort and offers less risk of being caught and prosecuted than cracking highly visible corporate portals.
E-commerce is risky but necessary
E-commerce raises the ante in terms of Internet technology investments and threats to corporate (and customer) assets. Since most firms either operate, or are building, e-commerce Web sites in order to remain competitive, management faces understandable tradeoffs between greater opportunities and more complexity.
For a small business, an e-commerce outsourcing service is a most appealing option. With e-commerce come the issues of company and customer protection and privacy. Since professional cyber-security personnel are expensive and hard to find, internal security is normally relegated to the few IT specialists currently working for or contracted to a firm. That's not enough for protection.
While security outsourcing is one of the lowest priorities for large corporations, it will be one of the highest for small business. Because large corporations have extreme difficulty keeping up with Internet security, small businesses will have even less success at protection on their own.
Where to start, what to do
Get a leg up on those corporate giants by knowing your risks and vulnerabilities before identifying the right security path to take.
Create a security plan. By conducting a threat analysis, you can identify both physical and cyber security strategies that will protect your company (only you will know what issues will be pertinent).
Develop security policies. Policies will implement the strategic goals outlined in your Plan. Ultimately these policies will be loaded into security program directories for online interactive execution.
Conduct vulnerability analyses of current physical, network, and Internet assets. Numerous firms are available to do system vulnerability analysis.
Conduct background checks on your employees. Since internal security breaches are more likely to be perpetrated by staff in small businesses, this is a very important item.
It will get better than this!
Once you have an understanding of your firm's security threats and vulnerabilities, you will have succeeded in overcoming a major security-planning hurdle. Then you'll be ready to request security proposals from managed security services providers (MSP). These firms can help you by matching their security management expertise and technologies with your company's needs at far less expense than you would incur on your own.
Dr. Goslar is principal analyst and founder of E-PHD, LLC -- a security industry research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM