Barely a week passes without a fresh report of a new software bug. My two IT people have so far managed to patch the downloads we need but I fear we are skating on thin ice and will one day miss something and get hit. How do I ensure I have all bases covered and where can I get good quality, reliable advice?
Find a specialist partner and outsource your protection
Mick Hegarty, ICT general manager, BT Business
Although software companies are increasingly recognising that security and reliability should take precedence over rushing out the latest release, this is likely to be a problem for a long time to come. And it is a problem that is going to get more resource-hungry, not less.
More and more businesses are recognising that it is better to stick to their core activity, and rely on an expert partner to provide best-in-class protection and advice when it comes to IT. There is a cost, but it needs to be weighed up against the potential costs of a serious security breach.
There are many IT specialists available, locally or nationally. Some businesses will choose a smaller partner as they prefer to deal with a company like themselves. Others feel keeping up with the latest security issues calls for partners of a certain size: the threat is simply too pervasive and fast-moving for smaller companies to keep on top of it.
My advice is to look for a partner that can demonstrate it understands the security issues facing your business, and that routinely provides protection for a large number of businesses like yours, deploying best-in-class anti-virus software and managing updates for your firewall.
Finally, do not assume that once you have found your partner, nothing can go wrong: it is unlikely, but it is better to be safe than sorry. Outsourcing your protection does not mean you should skimp on things like automated back-up and other security measures.
Ensure you stay on top of operating system updates
John Coulthard, head of small business, Microsoft UK
Microsoft recognises that we all face an increasing threat from virus attack. To protect yourself, you need to do the following:
- Implement firewall technology
- Set up "automatic update" for your operating system - you will need to check the bulletins for additional updates
- Make sure your anti-virus software is up to date.
That takes care of the immediate issues. You now need to look at a programmatic approach to securing your IT. I recommend you ensure you have an effective systems and data back-up process and that this is linked to a business continuity plan. Next, develop a security policy that details who is responsible for what.
It is often useful to have a good IT firm to help you with these last two points. A good place to start is www.bcentral.co.uk, where you will be able to search for a partner in your area. You will also be able to order a copy of the British Chambers of Commerce guide to growing business through IT, which has a section on selecting a partner.
Make sure you keep abreast of all new vulnerabilities
Trevor Lucas, managing director, SME reseller TAL Computer Services
The ad hoc patching of systems is potentially problematic. You should not rely on users to install updates: even if you have policies to control the use of computers, they tend to be forgotten over time. The media concentrate on the most commonly exploited Windows vulnerabilities, but there are many more areas a hacker could exploit. For instance, even a relatively minor gap in your firewall could quickly be turned into a serious flaw.
Adopt broad policies that encompass support and maintenance of your entire system and keep abreast of new threats. The large suppliers issue bulletins and updates on a regular basis, so the information you need to update and manage your policies should be relatively easy to find.
Depending on the nature of your business and the complexity of your systems, you might need help designing and implementing policies. Do not fall into the trap of assuming that a supplier with Microsoft accreditation will only know about Microsoft products. Accredited staff are now trained across many disciplines, so you should be able to get all the help you need from one supplier.
For extra peace of mind or to address specialised issues, you can seek out a Microsoft gold partner that specialises in security provision.
Of course, these policies and the security of your computer systems are very important, so you need to be sure you are working with the right supplier. You should always take up references, even when working with an accredited supplier, because bad advice will ultimately be worse for your business than no advice at all.
Join a local business club to share expertise
Peter Scargill, National IT chairman, Federation of Small Businesses
The fact that you have two IT people successfully applying patches is a good start - certainly more than many SMEs can hope for. The important thing is to ensure that this is a regular job, not something you or your team do when you have a spare moment. Many of the anti-virus companies, such as McAfee and Symantec, have excellent websites with the latest updates and advice. As far as your ISP is concerned, ask whether it offers anti-virus and anti-spam options.
You should seek the advice of an expert to make sure your procedures are good enough, but reliable advice is not easy to find. One way is to benefit from the experiences of others by joining a local business club and finding out what others are doing. Check your ISP's website to see what it has to say. Finally, take a look at www.ukonlineforbusiness.gov.uk/cms/template/infor-security.jsp?id=212908 for more general advice and links.
Individual staff must take their share of responsibility
Stephen Benson, Business Link Hertfordshire's UK Online IT centre
No matter what precautions you take in respect of the software you use and the anti-virus protection you run, it is vital that individuals accept their share of responsibility for taking reasonable precautions.
Start by writing a simple policy document covering internet use at work, ban the installation of third-party software and downloads without permission, and regularly change passwords to access the system.
It is common sense to tell staff not to use their business e-mail for personal contact or distribute their company e-mail address to third parties who may use that information for e-shots and compiling listings for junk mail, as all of these increase the risk of infection from malicious attack. If in doubt, a "safety first" policy should be followed by staff.
The essential starting point is the purchase and installation of a reputable anti-virus package, one that is regularly updated, ideally automatically. There should be a corporate firewall in place or, if more appropriate to the small business, individual firewalls. This becomes more important if users have laptops. On company premises, corporate protection may be good, but protection levels may drop off site.
When buying anti-virus and firewall products, always ensure the supplier has a good reputation and offers a high level of customer support.
For information on current risks, use the BBC website and other industry sites where threats are reported regularly alongside information on how to deal with the risk.
Minimise risk and keep your policy as simple as possible
Mike Lucas, regional technology manager, Compuware
Minimise the points of entry to your IT systems. You can reduce risks by considering whether all your staff really need e-mail and internet access, and only giving access to those who do.
Businesses should carefully consider whether they need to upgrade operating systems or applications. If you are happy the systems you are using provide the functionality and stability needed, why upgrade? Change always brings an element of risk.
Do not overcomplicate your security systems and policies. If they are too complicated for people to use, you will be open to even more threats as there will be lots of security holes you do not know about.
Train up and invest in your two IT staff to enable them to become security experts.
Pool resources with other local businesses to share the cost of a security specialist. Contact your local Chamber of Commerce to see whether it can facilitate this for you. Work with an accredited consultancy with security experience to implement security measures and policies.