The fight against malicious hackers and virus writers is proving an expensive one.

There is always a tradeoff between convenience and security, and senior executives need to realize this, says Ross Wilson, senior regional director for Southeast Asia at Symantec. To decide how much security is required, you have to evaluate the price of a security failure. "You have to consider opportunity cost, the cost of lost business, the cost of continuing business, and the cost to your credibility," he says.

The bad news is, unless you sever all ties to the Internet, you can never be completely secure. The good news is that today's small and medium businesses can achieve higher levels of IT security than they ever have in the past.

Assessing the value
A security audit is the first step. Either your IT staff or your security vendor needs to assess what you have of value. This could include customer databases, proprietary data, and marketing plans, in addition to the more obvious bank account and financial data.

Once you know what you have, you have to decide how valuable it is to you. What can you afford to lose? If you buy mailing lists for US$500 apiece, you may not want to spend US$20,000 protecting them. Consult a reputable reseller or a hire a consultant to help you. Once you have determined what you need to protect, you have several security options:
• Desktop software
• Network hardware/software
• Outsourced solutions

Desktop software is similar, if not identical, to the security packages many home users have. These antivirus and personal firewall programs can help ensure a minimum level of security. While the cost per computer can be low, each PC needs a copy and every machine needs to be regularly updated and scanned for infections.

Network-level appliances: Many companies are opting to add a layer of security at the network level. Perhaps the simplest way to do this is with what are known as appliances. These are small, affordable devices that provide several types of protection, such as virus scanning, firewalls, and spam filtering. Such equipment is easily installed and can block many threats before they get into your network. Do not, however, become complacent, warns Wilson. If your staff has access to modems and telephone lines or are allowed to install and maintain their own accessories, such as PDA's or mobile telephones, you have large holes in your security fence. Closing those loopholes--and making sure they stay closed--is crucial.

Outsource: A number of services are now available for businesses that wish to outsource some or all of their security services. On such firm, MessageLabs, offers users a range of services, including scanning e-mail for viruses and trojans, blocking spam, archiving, as well as content filtering.

CEO Nick Hawkins believes such protection is well-suited to the needs of small and medium businesses. "Most don't have full-time IT staff," he says, which makes viruses, worms, and unsolicited e-mail a much bigger threat than in larger firms.

Both Wilson and Hawkins agree on the importance of layering your security. No one single solution is going to secure your network. Just as threats to IT security are becoming more complex, your response must become more sophisticated as well. Preventing malicious traffic before it gets into your network is the most desirable situation, but you should have desktop solutions to serve as your final line of defense and to minimize damage if anything does get through.

There is no single solution and network security is never complete, says Wilson. "The major problem is that the executives think there is an answer."

Back to Special Report Home