Printer friendly version (PDF)
As the Internet becomes a mission-critical component of more and more small
businesses, security is possibly the single greatest concern they face. When
security breaches and large-scale viral attacks make national headlines, consumers
typically feel helpless. This guide will introduce you to the topics of computer
security on the Internet and provide practical tips to defend yourself.
Perhaps the most overlooked topic when discussing security is that of offline
security. People panic at the thought of “hackers” breaking into
their computer and stealing their identity, yet it is far easier to walk down
a back lane on trash day and get all the personal information one would ever
need. Similarly, there are numerous cases of companies selling off old computers
without properly deleting sensitive information on the hard drive.
All businesses in Canada are now subject to the Personal Information Protection
and Electronic Documents Act (PIPEDA), and one of the Act’s ten principles
is that of safeguards. It is your responsibility to protect the physical safety
of the personal information your organization collects, and to dispose of it
Data Isolation and Backup
If you are familiar with computers, you know that inevitably you will need
to reinstall your operating system. Hardware can fail; systems become sluggish
and bloated with unnecessary and partially uninstalled programs; and despite
your best efforts, viruses and spyware can infect your system beyond repair.
The downtime of mission-critical systems during an operating system reinstall
can be very costly to an organization.
Get into the practice of separating your documents and data from the applications
being used. An ideal system would have one main directory (with any number
of subdirectories) containing all of the company’s documents that could
be transferred from one computer to another if necessary. Some applications,
especially older ones, like to save files to the same directory as the application,
so pay attention. Storing all of your business documents in one place will
significantly reduce the time and risk associated with reinstalls and data
Now that all of your important files are in one place, backing up your business
data should be much simpler. With the low cost of CD and DVD burners, you should
be backing up this data to removable media like read/writable discs on a regular
basis. There are excellent backup and recovery software packages available,
but sticking to a schedule of manually backing up data should suffice for most.
As an extra precaution, if your burning software allows for it, data can be
verified after writing to a disc for additional peace of mind.
Critical Systems and the Internet
What is the easiest way to limit online attacks against a critical business
system? The answer is simple – do not connect it to an external network.
This may not be practical in a small business where one computer is used to
do the accounting, word processing, file storage, and web browsing. On the
other hand, if your home office computer is the same one the kids cruise the
web and play games on, eventually you can count on having a serious security
issue. With computers being relatively inexpensive, perhaps it is cheaper in
the long run to have separate machines for these purposes.
Is your bank card’s PIN your birthday? Is your password the same word
as your username, a simple word in an English dictionary, or even worse, a
blank? Do you use the same password for everything? If you answered yes to
any of these questions, rethink your strategy. “Strong passwords,” consisting
of at least 6-8 random alphanumeric characters, should be used at all times.
You should not use one multi-purpose password. No one carries around a single
key on their keychain that starts their car, opens their house, and gets into
their safety deposit boxes.
Keeping Your System Up To Date
New security vulnerabilities appear constantly within operating systems and
software. Minimize these potentially devastating threats by keeping your system
as up to date as possible. There is always the risk that a system may lose
stability after upgrades, but this risk is usually smaller than the potential
of a severe security hole in a particular application. Operating system vendors
usually provide free mailing lists that notify subscribers of security upgrades
so that you can try to stay ahead of the game.
A firewall is hardware or software (or both) that inspects, allows, and/or
blocks traffic along a particular network, usually between yourself and the
Internet. The hardware that typically connects two networks together is called
a router, and part of its function can be to serve as a firewall between networks.
Software firewalls running on personal computers are becoming more and more
common, with many becoming simple enough for ordinary users to deploy.
Firewalls are often your best defense against intrusions over the Internet.
Therefore, their configuration and maintenance is best left to the professionals.
The standard approach is to lock down everything initially, then gradually
open “holes” in the firewall for Internet services you either use
or provide to the outside.
When most people think of malicious software, the term virus is often used.
This is not entirely accurate, because computer viruses have distinct behaviours. Malware is
the general term that refers to any type of malicious software, including:
Viruses – While there is still some debate on the
exact definition of a computer virus, most agree that a virus refers to a
program whose primary purpose is to replicate existing files, usually with
a malicious result.
Worms– Instead of infecting existing
files, a worm replicates itself and infests a network, consuming system resources
in the process. For example, an e-mail worm will spread from an infected
computer by sending itself to all email addresses in the infected machine’s
Trojans – Like the Trojan Horse from Greek mythology,
trojans attack by masquerading as legitimate programs hoping to obtain sensitive
information from an unsuspecting user.
Adware – This potential type of malware forces users
to display ads for software that is very difficult to remove from your system.
Spyware – Spyware collects marketing information
behind the scenes while you use your computer. Malicious spyware attempts
to obtain sensitive information without your knowledge.
Protection from Malware
Viruses can corrupt operating systems, physically affect hard drives, destroy
files, and spread like wildfire. Internet worms have been responsible for shutting
down major corporations. Trojans can give hackers backdoor access to your system.
Worse yet, most attacks are now combinations of all three. Your single best
defense against such threats is to prevent getting infected in the first place.
Through painful experience, most people now see the benefit of having antivirus
software. Antivirus software continually scans your system behind the scenes.
It monitors programs running in system memory, files being saved to your hard
drive, and incoming email. When malware is detected, the antivirus will identify,
isolate, and try to remove the offending software. If you want to think of
firewalls as a locked door to your house, then antivirus software is the house’s
Antivirus software has become commonplace, but many entrepreneurs still do
not update their virus definitions. The software needs to be continually updated
as new threats emerge daily. Most programs give you the ability to automate
virus definition updates, so be sure to update your software regularly. For
computers that are not connected to the Internet, virus definitions should
be manually updated along with your online systems.
Adware and spyware are slowly being considered as threats by antivirus software,
but protection is still limited. Fortunately, most spyware and adware can be
removed by scanning with removal tools developed specifically for this threat.
Until antivirus and spyware removal tools are merged into one, you will need
to run both types of software protection.
The security of your computer is extremely important, but you also need to
secure your communications with the outside world. Imagine the secrets someone
could learn if they were able to eavesdrop on all of your telephone calls.
Secure Sockets Layer, known as SSL, has become the most common technology used
for encrypting data sent over a network.
Most people encounter SSL encryption when they are asked to enter sensitive
information on “secure websites.” These websites’ URL begins
https:// instead of the usual
Your browser may inform you that any data sent to this website will be encrypted.
While SSL can be used with other Internet services, secure websites use this
technology most frequently.
Another important aspect of SSL is that it can be used to authenticate the
identity of both the sender and receiver. This rather amazing feature is a
basic component of the public-key encryption algorithm used by SSL. Cryptography
is an extremely advanced subject, but in layman’s terms, it provides
the ability for users to digitally “sign” their messages, in much
the same way that your handwritten signature can identify you. These digital
signatures are often referred to as certificates. Website certificates are
called Server IDs, and personal certificates are called Digital IDs.
For those of you who are still not bored to tears with this technical stuff,
you may have realized that something is still missing when it comes to establishing
trust between two unknown parties. Seeing someone’s signature is meaningless
unless someone you already trust can vouch for its validity. We encounter this
situation offline when we use public notaries to officially attest to a person’s
The equivalent to a “public notary” on the Internet is a Certificate
Authority (CA). If a CA has put their signature on a verified SSL certificate,
you can trust that the CA vouches for this person’s or website’s
identity. There are relatively few well-known Certificate Authorities that
are trusted by your browser. VeriSign is the most widely known CA to the public.
So now let’s put the whole process together. When you visit a secure
website, the website sends its certificate to your browser, which includes
the domain name for verification signed by a recognized CA. If the domain name
in the certificate does not match the name in the URL, your browser will generate
a warning before allowing you to continue. This warning is also generated if
the certificate is not signed by a trusted CA, or if the certificate has expired
(a certificate signed by a CA is typically valid for only a year or two, and
must be renewed). If you ever encounter this warning, you cannot trust that
the website is who they say they are and you should stop communications with
Trust is considered to be one-way with secure websites, as they almost never
require that you have a Digital ID. Most user authentication is done by other
means, such as having a user account with an associated password. Requiring
users to authenticate with Digital IDs is a powerful technique, but this would
require consumers to pay for their own Digital IDs to be signed by a CA at
a certain cost to the consumer. One of the few places Digital IDs are currently
used is with secure e-mail. Secure e-mail, however, has been slow to be adopted
by the general public. Until fundamental business, government, and logistical
issues are sorted out, Digital IDs will continue to be rarely used by the general
Internet security is not something that should be taken lightly. You need
to be proactive in identifying ways to protect your clients’ personal
information and your sensitive business files and communications. Following
secure procedures is the most important thing you can do to keep threats to
a minimum. You may consider having an experienced security expert audit your
system, jus as you would a chartered accountant your financial statements.
We hope this guide has increased your awareness of Internet security issues
and will help you develop an action plan to deal with them in your small business.