Tips to Securing Your E-Business

As we approach the busiest time of the year for many retain web sites, an important issue to consider is e-business security. According to a study released by Notre Dame University in July 2000, the Internet is far more prone to malicious attacks than many people realize (or want to acknowledge). During the same month, Information Week released the results of a PricewaterhouseCoopers survey of 4,900 IT professionals in 30 countries revealing that viruses and other destructive actions by computer hackers will cost businesses around the world $1.6 trillion this year alone, as almost 40,000 “person years” of productivity will be lost to computer downtime.

Carl Kessler, Vice President and General Manager, Security of security solutions provider, Tivoli, offers up his opinion: “If you are going to establish your company as an e-business, you need an aggressive and proactive security policy. No company would ever consider establishing a physical presence without locks on their doors, video cameras, alarm systems and security people. Yet every day, hundreds of new Web enterprises do exactly that.”

With this matter in mind, we thought that we’d digress from marketing matters for this week to help you generate a security checklist for your e-business. We’ve also included a glossary at the bottom for those new and unfamiliar terms.

(1) Devise and implement a thorough and aggressive security plan, which includes firewalls, access controls and employee policies.

(2) Install firewalls on internal (between marketing and engineering departments, for example) as well as on external borders. Be sure to change the default settings, which can be easily defeated.

(3) Use intrusion detection software. This is like having burglar system for your network. Just as with the firewall, intrusion detection should be set up on internal as well as external networks.

(4) Utilize antivirus software and update it frequently. The best antivirus systems will have easy, effective update capabilities.

(5) Establish rules for password selection. Determine very clear guidelines for passwords (such as “six characters with at least one numeral”) and an easy way to verify whether or not a password is acceptable. Passwords should also be changed periodically.

(6) Designate someone as the main network security contact and determine clear procedures for reporting and responding to security issues. Employees should clearly understand who to report incidents to and should feel safe to report all incidents that seem to breach the security policy.

(7) Ensure that system administrators stay abreast of security advisories to be able to make security-related changes in a timely manner. They should also alert the rest of the company about issues so as to avoid perpetuating or spreading a problem.

(8) Perform security audits on a regular basis. These should be unannounced and random — some electronic, some physical. The ultimate goals of these audits are to get into the target system, access valuable data if possible, and determine if the intrusion was even noticed by the staff. Attempting to hack one’s own site or system is called “ethical hacking.”

(9) Remind employees on a regular basis (through posted policies, memos, emails, certification offerings, etc.) of their security responsibilities.

(10) Have a clear policy for action when an employee leaves for any reason. Actions to take quickly include disabling an ex-employee’s building and computer access, deleting or redistributing computer accounts, and changing all passwords and access codes that employee may have known.

Firewall: A computer or device that’s set up between the Internet and a site to prevent against unauthorized tampering or destruction.

Intrusion Detection: the process of identifying real security threats to help security or systems administrators respond with counteractive security measures.

 back to top