"We prescribe an inordinate amount of narcotics and other very powerful drugs because of the kinds of patients we deal with," explained the chief financial and technical officer of The Pain Institute, a healthcare company specializing in pain management. "We are trying to get away from paper prescriptions, and yet the last thing we need is for people to be able to hack in and write themselves prescriptions of some sort."
With just 20 employees, The Pain Institute faces the same dilemma encountered by many small businesses. Its resources are limited, and yet its security needs are pressing.
"Small businesses often feel that because they are small, it is easy for them to hide. They think that there is some kind of safety in numbers. But research says otherwise," explained Geoff Stedman, director of worldwide marketing for Internet security firm SonicWALL. "There are enough people out there looking for open ports and back doors into computing resources, that even small businesses often get hit, and they made not even know it."
Experts say the best way to address the situation is to start on the outside and work your way in.
"For small businesses the entire issue with security is that it has to be cost effective, so you start by securing the perimeter," said David Eaves, CEO and president of the Internet Security Corporation in Sunnyvale, Calif. He recommends an off-the-shelf security appliance to take care of basic firewall needs. "These cost about $100 and it's a one-shot deal that gets rid of about 50 percent of your risk."
There still are incoming threats, however, even with a firewall in place. Connect to the Internet, and you've entered the land of swarming viruses, explained Robert Swan, vice president and co-owner of IT consulting firm NSK & Associates.
There are easy protection methods that cost nothing. Swan tells his clients to use their Internet Explorer settings aggressively: don't automatically install cookies or plug-ins. Do not use the Explorer auto-completion option, which automatically broadcasts your user name, password and other information at fill-in-the-blanks web sites. Finally, create and enforce a simple and very strict policy: No one is to open unsolicited attachments. "That will protect you from probably 90 percent of the viruses out there," he said.
The most common mistake Swan sees in small businesses is the failure to install and update anti-virus software. Such software is inexpensive, easy to use and absolutely essential.
At Symantec, one of the largest security-products providers out there, Group Product Manager George Sluz said small businesses can buy peace of mind with minimal effort and expense by spending up front on the services of a savvy security vendor. In addition to putting safeguards in place, such an expert also can rig the system in such a way as to make it largely maintenance-free.
"They can set up a security perimeter so that when one of those potentially threatening situations happens, you will be notified. That way you don't have to sift through logs of data events. You only need to know about the ones that could potentially be issues," he said. "Most vendors will help you set that up."
Another simple safeguard has to do with the structuring of a business's computer resources. Eaves, for example, described a financial-services company whose payroll data, management information, and other vital records were all kept within a single database. "If somebody were to break through one outer layer, everything would be compromised," he said. It is better to disperse information, while at the same time creating security at various levels, so that a single breach does not expose the entire system. As a structural solution, rather than a product enhancement, this tactic can cost almost nothing.
At The Pain Institute, meanwhile, Steve Friedman knew one thing for sure: He could not go it alone. "I thought about it at first, handling security in house, but the deeper and deeper I got into it the more I realized that it was going to become a full-time job for several people. I don't have that kind of staff here," he said.
He shopped around for a network-security provider, checking with several vendors and exploring a diversity of product options. Ultimately he decided to team with SonicWALL. He liked the firm's products, but given the particular needs of a small business, he had other criteria that were even more significant.
"As you look at these providers, they all have certain basic capabilities. They all have certain bells and whistles," he said. "But ultimately it does come down to the kind of service you get. That is really what I was looking for."