ness. With Woods, this security includes strict adherence to standards established by the Payment Card Industry Data Security Standards Council. Woods points out, “Anyone who captures and handles any personal data can help ensure the safety of this information by becoming and maintaining compliance with the PCI DSS guidelines.” Clancy disagrees and says small businesses don’t have to do that. “There’s no reason for the average small business to worry too much about things such as PCI DSS,” he says. “That’s something they pay their banks to worry about.” Instead, for small businesses, Clancy suggests the focus be on standard digital hygiene. According to Demian Pace, a Microsoft certified systems engineer, PCI DSS guidelines are important for dealing with credit-card companies or the banking industry. Therefore, those running e-commerce websites need to adhere. Most small e-commerce sites use a third party to do that processing and therefore the third party provider has the PCI certification, not the e-commerce site. As the senior systems administrator for an insurance pool management services company, Vaco Risk Management Programs, Pace must be on top of cyber security risks. Pace thinks businesses of all sizes should be concerned about security and aware of consequences that can result from a loss of data integrity. Problems can lead to a damaged reputation and financial damages, fines and adverse court judgments and proprietary code being copied by competitors. According to Pace, business risks can often be profound: · Contractual obligations may include direct damages for data loss. · Entire business models can be damaged.
· Relationships with vendors, clients and partners can be adversely affected. · Your reputation in an industry can be lost. “IT staff should be constantly monitoring new vectors of attack. Proper standards of infrastructure design and maintenance must be maintained,” Pace says. To keep a site secure, he gives these suggestions: · Separate your internal network and data from your external facing network via good firewalls and other network infrastructure design and equipment. · Virus and spam filter all emails. · Allow only the minimum necessary data to flow out of your network. · Follow best practices in web design to prevent hacking and database corruption. · Keep all software up to date and all security patches installed. · Have a secure remote network connection topology if mobile users need access to internal resources. This topology should allow only minimum access. · Place limits on what internal personnel can and cannot do with their work computers. · Frequent backups and redundant systems should be in place. · Limit physical access to network equipment and servers. · Disallow personal computers, smart phones and other devices from connecting to the internal corporate network. · Database design and security should be a prime consideration. · Implement two-way encryption for all data traveling across the Internet. Mitigation can be as much of
a financial strain as the threats themselves. Clancy offers perspective, “As to whether or not a business should be worried, it entirely depends on their market and the value of information they have on their computer systems.” Like Pace, Clancy recommends mitigation and says, “At the end of the day, for most companies it’s an economic decision — the amount you spend on securing your network should not be more than the value of the compromised information times the probability of an intrusion.” However, this financial factor for small businesses might make them targets. Woods maintains that diligence is needed in all businesses that capture any personal or credit card data. According to him, the need applies equally to brick-andmortar businesses and online businesses. He says they must pay attention, “otherwise, sooner or later they will experience stolen or misused information.” Still, there is no perfect answer for businesses, only a need to be aware and to seal off as many doors as financially possible. Pace explains, “If your data is available to anyone internal to your company, you are at some risk of data integrity loss either intentional or accidental. If your electronic data is available to the Internet in any form, you are at much greater risk for data integrity loss. “The only way to prevent all risk of data loss is to store it on a system without any connections to any other system, then lock it in a room with limited physical access. Now your data is very secure but not at all useful in today’s world.” Pace also recommends proper management and weighing risk versus reward. With this, Pace says, “Your chances of loss and the severity if one occurs can be greatly lessened, but never completely removed.” ROANOKE BUSINESS
15