Safe IT for Small Business

Mercer Business, Jan 01, 2005 by Hill, Maggi S

A recurring Saturday Night Live sketch depicts a cocky young office computer geek, who swoops around the company's cubicles like he's Superman, full of disdain for the workers not versed in bits, bytes, and virii. With a few broad keystrokes and a wink at the audience, he goes about solving the various computer system malfunctions, and then dashes Off, all the while spouting a multitude of condescending comments at the hapless co-workers.

While large, national corporations usually employ in-house Internet technicians (although, hopefully not as egotistical as the character on SNL), most small business owners can't afford a full-time IT, and are left to find creative ways to safeguard their valuable company information.

Crucial considerations for small businesses when putting together a technology plan include regular risk assessment, vigilant oversight, and staying on top of the most current resources available. It is also important to tailor your plan to your specific business, and to perform a cost/benefit analysis to determine how much you will need to spend.

If no one on your staff is computer-savvy, one viable option is to hire a consultant to help you set up and maintain your system.

Ed Grubb, from Langhorne-based Network Alternatives, a systems integration/computer-consulting firm, says that the first step in setting up a company's computer system is to identify their software and computer needs, in addition to the type of network environment requirements the client may have. The consultant will then put together a proposal to deliver a turnkey solution to install and support your system.

"Basically, a consultant is utilized to supplement in-house expertise, and the plan is tailored accordingly," Grubb explained.

During an analysis of the system's security, Grubb said the consultant would initially identify areas of weakness, and then prioritize based on the severity and probability of risk. Backing up data is critical, he noted. "If your business has more than one location, you can easily replicate the data between offices; because the data is live and the recovery time is shorter," he said. If you have only one office, Grubb advised that backup media be stored offsite, in either a fireproof safe, a bank vault or safety deposit box.

"Typically, a small business takes backups offsite, where they will then have to rebuild the information system," he said. "There were firms at the World Trade Center that kept backup tapes in a vault in the basement there, which, of course, were unrecoverable."

Security problems that are prevalent today, according to Grubb, are intrusion, constantly evolving viruses, spyware, and pop-ups, or spamming.

"Firewalls (a combination of software and hardware) which have ports of entry, are highly effective [against these problems], because you can open specific ports, while locking down others," he noted. "Many small businesses today are also hiring third party companies to filter their e-mail, who then use scan engines to determine certain virus characteristics, without actually opening up the e-mail. The suspicious email is quarantined, and the end user can determine if the sender is legitimate, and the mail, therefore, safe to open."

Ultimately, the challenge is to stay one step ahead of your system's inherent vulnerabilities. The Federal Trade Commission (FTC) provides information and consensus lists of vulnerabilities and defenses, so that every business and organization can take basic steps to minimize the risk.

A few resources readily available on the web are:

The 20 Most Critical Internet Security Vulnerabilities (www.sans.org/top20), was produced by the SANS Institute and the FBI. It describes the 20 most commonly exploited vulnerabilities in the Windows and Unix operating systems. Although thousands of security incidents affect these systems each year, the majority of successful attacks target one or more of the vulnerabilities on this list. This site also has links to scanning tools and services to help you monitor your own network vulnerabilities, at www.sans.org/top20/tools.pdf.

The Open Web Application Security Project (OWNSP) produced The 10 Most Critical Web Application Security Vulnerabilities (www.owasp.org). It describes common vulnerabilities for web applications and databases, and the most effective ways to address them. Attacks on web applications often pass undetected through firewalls and other network defense systems, putting at risk the sensitive information that these applications access.

For more information on privacy and information security, visit www.ftc.gov/privacy.

The New Jersey Society of Certified Public Accountants (NJSCPA) offers the following steps to help protect your cornpany's information systems from internal and external threats.

- Use a Surge Protector. Sudden increases in voltage, such as those that occur during a storm, can internally damage or destroy computers. But dont expect a surge protector to safeguard your computer during a direct lightning strike. For the best protection, you should unplug your computer and modem during severe storms.