Taking Internet Security Off the Backburner
It’s the whole company’s job, not just IT.
December 2, 2005 by Champ Mitchell
Identity theft, spyware, adware, spam, phishing, pharming, online fraud: these modern-day threats require CEOs to constantly reassess the emerging dangers of the Internet and reconsider what they’re doing to protect the company, employees and customers. Not focusing on Internet security is like opening the cash register to hackers and thieves. I know from experience. When I joined Network Solutions in 2001, our fraud rate was an astounding 19.88 percent. One out of five dollars was a fraudulent transaction. Nothing was being done about it; today, our fraud rate is 0.18 percent, lower than the most popular offline merchants.
Yet today, the problem of security is worse for business than it was in 2001. The types of security violations have multiplied. The creativity and savvy of hackers and scamsters have grown. Why should businesses care? If your systems are infected, the cost and disruption of a cleanup are large. If you sell online, a sense that the Internet cannot be trusted means customers spend less. Even if you sell nothing on the Internet, it can be a powerful tool to reduce costs for your business, such as Internet-based customer support. If customers feel their information is not secure, they will not use the medium. Even more, if your business is the one publicized for a security breach, who is going to trust you with important information necessary to transact business with you? If someone puts up a Web site that looks like yours and collects customer information, when the word gets out will customers still come to you?
Internet security must be a top-level priority. The first step: Don’t fall into the trap of thinking that Internet security is solely the job of your information technology team. Frankly, most IT people do not think like crooks. Even when the IT department has the capability to design protective systems, that alone will not stop the bad guys. As long as employees can communicate with the outside world from their desk, you have a hole. So the responsibility of Internet security rests with every single employee who has any connection to the outside world (including those who manage online logistics, inventory management, and e-billing), anyone who sends an e-mail.
At Network Solutions, we filter out millions of spam messages daily, and in addition, we post security alerts and tips on our internal Web site and ask all employees to notify the IT department of any suspicious e-mail activities or network performance issues. We scan desktop systems daily for adware, spyware, viruses and worms. At times, we even disable communications systems such as Instant Messenger if we learn other companies are experiencing security violations through them. This helps keep our own systems clean and cuts down on the chance of a violation of customer information through the back door. Regardless of how strong your security policies and programs are, people are still both the biggest risk factor and the best defense.
And don’t think that the world’s biggest companies are the biggest targets. The vast majority of these security breaches happen in small businesses. No matter what size business you run, the bottom line is that your bottom line is only as good as your Internet security. Some basic measures we should all make a priority:
Realize that security is not the real cost. Not having proper security measures and focus in place is the real cost: the cost of fraud, the cost of cleanup, the cost of lost customers, which could put you out of business.
Internet security is not just an in-house concern. With many more services being outsourced, it’s vital that confidentiality and protection of sensitive materials be maintained both contractually and by checking the provider’s security history.
Quick communication should be automatic when security breaches occur, internally and with external partners. This is not the time to hide bad news (in fact, it is illegal to hide a security breach under the laws of several states).
Limit the collection of sensitive personal information. We’re seeing a move away from using such sensitive data as social security numbers as identifiers.
If it’s sensitive, encrypt it. A firewall is no guarantee. Consider encrypting customer data you store and getting an SSL digital certificate to secure data in transmission. It gives customers a much greater sense of security.
If you have a Web site, get a site seal. This allows customers to know the site is yours, not a phishing or pharming operation to steal their information, which more than half of them fear.
While these precautions do require the focus of the business community, we need to make systems as user-friendly as possible. Dedication and attention to detail is one thing; an overloading and complex burden on users is another. Internet security is only as strong as people’s compliance.
The Internet has changed the way in which we all conduct business, almost all for the better. Yet we also need to get serious about making business on the Internet safe. It’s the only way we can continue to make people feel confident about the Internet. And that confidence is the only way we’ll see this medium reach its full potential.