Not only is maintaining a high level of IT security a good idea for your business—in some cases, it’s required by law.

In federal law, the Gramm-Leach-Bliley Act of 1999 requires financial institutions (which include colleges and universities) to protect the privacy of their customers’ non-public, personal financial information. Similarly, the 2002 Sarbanes-Oxley Act tightened compliance regulations pertaining to the disclosure of financial records. If sensitive information is compromised due to weak authentication or encryption, it will be easier to make a case for failure to comply under Sarbanes-Oxley.

Closer to home, in 2005, Minnesota was one of 19 states that passed a so-called security breach notification law, which requires businesses to notify anyone whose personal information has been disclosed to unauthorized parties while the data was in the business’s custody.

Beyond legislation, there’s the simple matter of legal liability. Companies can be and have been sued when private customer data fell into the wrong hands. “There are many consumer-fraud liabilities organizations face if their own Web sites are used for e-commerce and are not SSL secure with an appropriate certificate,” MacLeslie says. “There are also specific laws and rules regarding vendor relations and other data security concerns, depending on your industry.”



Knowledge is Power

One bit of good news in the security area is that, along with consumers, businesses are becoming more and more savvy about hackers and other threats and how to head them off.

“Over the years, there has been an increasing awareness and acceptance of the needs for Web security,” McGee says. “Generally, we spend less and less time educating on the importance of application security because business owners and managers are becoming proactive in investing in basic software and infrastructure measures.”

“Business owners and managers are beginning to recognize that security is now a critical component to the health and wealth of their organization,” Garlock agrees. “This acknowledgment is certainly a step in the right direction.”

“Your company isn’t like a building,” MacLeslie says. “You can’t just set the lock and walk away. It’s a constant problem that needs frequent feeding and care. The best IT managers will employ a continuous process to audit and evaluate their security.”
