Thwarting computer threats


According to the 2005 FBI Computer Crime Survey, 2.8 million U.S. businesses experienced at least one computer security incident (such as a virus infection) during 2005. During the same period, nearly one-fifth of U.S. businesses experienced 20 or more incidents. The resulting reported financial losses, says the FBI report, reached $67.2 billion per year — or more than $20,000 per company.

“Smaller businesses are generally more vulnerable to computer security threats than larger ones, because large companies are more likely to have the best hardware and software systems and computer security specialists on staff to minimize threats,” says Marc Meyer, senior network engineer for SS&G Financial Services, a comprehensive accounting, business consulting and management firm. “Smaller business owners and managers are generally so busy taking care of their core businesses that computer security systems are placed on the back burner.”

Even so, Meyer says, there are measures all companies can take to keep their computer systems safe from hackers and other cyber threats. Here’s what he told Smart Business.

How should businesspeople begin to improve computer system security?
Start with programs that protect computers against viruses, spyware and hackers. There is no one magical product that will do it all. Effective computer security takes a layered approach. A security system should include virus and spyware protection programs and some sort of firewall.

Most of the major companies such as Symantec, McAfee and Trend Micro have program packages designed for business and small businesses. These programs are generally reasonably priced. It’s important, however, to update the programs to protect against new threats. Most programs have automatic update features.

How often should computer security programs be reviewed?
Weekly checks are recommended to review the basics — including critical updates — and to see if automatic updates are turned on and working. Also, it’s important to review programs to renew subscriptions in a timely manner.

Do threats beyond viruses, hackers and spyware exist?
There may also be internal threats to systems. An employee who may be ready to leave the company on less-than-friendly terms may want to do some damage. Also, there is a threat that unauthorized personnel may have access to sensitive information.

You can protect yourself by restricting system administration to an authorized person and creating strong passwords. In some smaller companies, everybody can administer the system. In some, people even share the same passwords. Appointing a person to administer the system and creating strong passwords limit system access and reduce the opportunity for hacking.

What constitutes a ‘strong’ password?
Strong passwords are long, consisting of at least six or eight characters. Those characters should include a combination of letters, numbers and symbols such as question marks. Also, create a policy that passwords be changed regularly — such as every six months — and that passwords may not be reused until a specific length of time has passed.

How can businesses protect sensitive information on computer disks or on laptops?
Laptops are generally protected by passwords created by the manufacturer that are very difficult to breach. However, a laptop can be lost or stolen. Newer systems have the ability to encrypt files to protect any information that needs to be secured. Also, some laptop users may want to consider using a secure USB drive designed specifically for storing sensitive information.

To protect information stored on computer disks, you should have a policy that all disks containing sensitive data — such as client information — must be stored in locked desks or file cabinets to prevent unauthorized access.

How can businesses formalize their computer security initiatives?
Create a written computer security policy to establish rules about system administration authorization. Create a system that makes changing passwords at particular intervals mandatory. Establish rules about storing sensitive information. You may also hire an outside consultant who can evaluate your computer security systems, make recommendations and offer advice about protective programs and hardware and how to create a computer security policy.

Failing to protect business computer systems is costly. While it is impossible to estimate what the average financial cost is to specific businesses after a security incident, there are real clean-up costs as well as loss of productivity and downtime incurred while the clean-up is taking place. So, whatever you do, it’s critical that you invest in computer security and protection systems. It’s cost effective to be prepared.

MARC MEYER is a senior network engineer for SS&G Financial Services Inc. Reach him at (800) 869-1834 or [email protected].