››› DO hire experienced developers for complex and unusually vulnerable applications such as e-commerce, and make sure they’re up to date with the latest industry standards and certifications. Braafladt suggests: “Ask the developer if they are familiar with and follow the guidelines of the Open Web Application Security Project,” a nonprofit effort devoted to Web-application security.

››› DO have a good Internet firewall—one that makes it easy to block unwanted traffic and viruses and resist hackers, and that is simple to configure—to protect your internal networks. Secure any wireless access points by making sure only authorized users have access to the computers running on the wireless network.

››› DO encourage good user-name and password habits—and discourage employees from sharing, revealing, or displaying passwords. The old story about passwords being written on Post-It Notes and stuck on monitors for the world to see is all too often true.

››› DO let IT and other professionals know about your security breaches, and don’t worry about saving face. “Unfortunately, most security breaches go unreported,” Braafladt says. “The hacker community freely shares detailed information on how to get into many types of systems and applications. But system administrators often don’t share any information on security breaches because of company image, proprietary information, or even embarrassment.”

Braafladt suggests turning to organizations such as the CERT Coordination Center that will help to identify threats, get the information to the “white hat” community, and keep the reporting parties anonymous in the process.



Take Special Care

Security is a concern for any business, but some types of companies are more at risk than others. Chief among them, obviously, are those that deal with large amounts of money, whether they’re financial institutions or companies that simply do a great deal of online commerce.

“Any company that processes credit-card information is a prime target,” Braafladt says. “Less likely targets, but still at risk, are companies with trade secrets that would be valuable information to their competitors, or that could be used as blackmail.”

Also vulnerable are companies or organizations with an especially high profile. Troublemakers who are trying to make a name for themselves are often less concerned with robbing you than they are with making you look bad—and making themselves look good to their fellow “black hats.”

“There are hackers who deface Web sites just for the fame,” says Braafladt.