With the majority of small businesses now connecting to the internet via broadband and providing IT equipment for their employees to work remotely, the need to ensure their important business information is safe from a growing number of threats has never been greater.
The extent of the problem was underlined by the recent Department of Trade & Industry Information Security Breaches Survey 2006, which discovered that the cost of computer crime to small companies in the UK has risen by 50% over the past two years.
Of the 1,000 businesses polled, the DTI found they had each suffered an average of eight security breaches in 2005 compared with an average of five attacks two years ago.
So what should companies be doing to ensure their IT systems are secure? Caterer and Hotelkeeper asks the experts.
Protect against malware
There's a lot of bad software out there, such as viruses, worms, Trojans, and spyware, that can cause havoc with your company IT systems or bring about serious security breaches. Today's IT security vendors tend to club these threats together and use the generic term malware to describe them.
"Users don't care about the geeky difference between spyware, viruses or Trojans, they just want to prevent all bad stuff getting on to their systems," says Graham Cluley, senior technology consultant at IT security firm Sophos, whose clients include Kempinski Hotels. Sophos helps businesses expose all these varieties of malware by installing detection software on their systems. This alerts users to known threats and also identifies previously unidentified code that shows all the signs of behaving like malware.
Companies like Sophos also have an extensive network of experts working around the clock to discover new malware before it becomes widespread. The company then creates an antidote, known in IT circles as a "patch," which is automatically sent to users' machines so they are protected.
And after all, you're my firewall
According to Andrew Clarke, vice-president of international marketing at IT security specialist Secure Computing, any company that gives its employees access to the internet should make sure it has an adequate firewall in place.
Firewalls are computer programs that sit at the gateway to a company's network and examine each packet of data to determine whether to forward it toward its destination.
There are a number of firewall screening methods. A simple one is to screen requests to make sure they come from acceptable or previously identified domain names and IP addresses.
Many firewalls plug into anti-malware software to offer what is known as a unified threat management (UTM) service.
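To make the packet-screening idea concrete, here is an added Python example written for this page (it is not code from the article or from any of the firms it quotes). It models the simple method described above: a gateway examines each packet's source address and destination port against a list of previously identified addresses and forwards only what a rule permits. The rule set, addresses and sample traffic are all constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set (not from the article): first match wins, and any
# packet that matches nothing is dropped, so the last rule is the default deny.
RULES = [
    ("allow", "203.0.113.0/24", 443),   # a partner's range may reach the web server
    ("allow", "198.51.100.7/32", 25),   # the ISP's mail relay may reach SMTP
    ("deny",  "0.0.0.0/0",       None), # everything else is refused
]


def screen_packet(src_ip: str, dst_port: int, rules=RULES) -> bool:
    """Decide whether one inbound packet is forwarded into the network.

    Each packet is examined at the gateway and allowed only if its source is
    a previously identified address and the port is one that address may use.
    """
    src = ip_address(src_ip)
    for action, network, port in rules:
        if src in ip_network(network) and port in (None, dst_port):
            return action == "allow"
    return False  # no rule matched: default deny


def screen_log(packets):
    """Screen a batch of (src_ip, dst_port) pairs and return the dropped ones,
    which is the list an administrator would review for probing or mistakes."""
    return [(ip, port) for ip, port in packets if not screen_packet(ip, port)]


# Constructed sample traffic, not captured from any real network.
SAMPLE_PACKETS = [
    ("203.0.113.42", 443),   # partner to HTTPS: forwarded
    ("203.0.113.42", 22),    # partner to SSH: no rule allows port 22, dropped
    ("198.51.100.7", 25),    # mail relay to SMTP: forwarded
    ("192.0.2.9", 443),      # unknown source: dropped by the default deny
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "forward" if screen_packet(*pkt) else "drop")
```

The default-deny rule at the end is the part that matters: a previously identified partner can still be refused on a port it was never granted.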
Don't take too much stick
USB memory sticks and other removable media, such as iPods, are here to stay because they are easy to use and cheap. But they also pose a security threat.
According to a recent survey commissioned by security firm Pointsec Mobile Technologies, double the number of people in the workplace are now using removable media to store corporate data compared with this time last year, and the majority aren't using any sort of security.
The main security risk of storing corporate information on USB sticks comes from when they are lost or misplaced. Imagine a list of your clients' bank details getting into the wrong hands and you have some idea of the potential impact this could have on your business.
Pointsec's managing director Martin Allen suggests companies encrypt all data on memory sticks. Encryption is a means of disguising or scrambling data according to a secret key known only to the company using the software. "With encryption, if people do lose the device the data cannot be accessed," says Allen.
Because the vast majority of malware comes from e-mail attachments or dodgy web downloads, Microsoft UK's technical security adviser Stephen Lamb advocates businesses adopt a strategy of "least privilege", where users are prevented from opening attached files and downloading web content unless it's essential to their work.
This will obviously reduce the chance of an attack but exactly how far users' privileges are moderated will depend on the type of business you run. It's common practice, says Lamb, for some enterprises handling highly confidential information to lock down desktops completely.
Other companies, such as many in the hospitality sector, will require more open-web access or have users on the road who need more flexibility from their IT services. "Companies need to reach a workable compromise. Users might get frustrated if they don't have a similar IT experience to what they get at home, but reducing privileges will lessen the chances of malicious software getting on to your system," says Lamb.
Watch your website
Just like with any piece of software, you must ensure that your website is properly maintained and that any software patch updates are installed where necessary. Failure to do so could lead to hackers finding a back door to your website and editing or defacing it, which could be damaging and embarrassing for your business.
Even worse, if your website is being used to collect customer names and details, a hacker may be able to access your customer database via the website. "It's important the ISP you work with or your internal team make sure your website is hardened," says Cluley of Sophos.
In a bid to reduce the chance of an attack, according to Cluley, some companies have replaced their Microsoft web server software with less high-profile web server software such as the open source Apache, because Microsoft products are seen as more of a target for hackers.
Be wary of wireless
With more and more workers connecting to the internet and company networks via wireless hotspots, it's vital they take adequate security precautions, says Geoff Sweeney, chief technical officer at security firm Tier3.
First of all, he says, it's important company laptops don't miss out on security updates and are configured to receive the latest security patches when a user goes on to the web.
Companies might also want to think about setting up a virtual private network, which protects data travelling between the company and the laptop by encrypting data at the sending end and decrypting it at the receiving end. Wireless laptop users should also have strong authentication measures in place when accessing corporate networks.
Sweeney says simple password measures are not adequate today, as there's a chance someone else using the hotspot may be using "sniffing" software that can intercept wireless traffic and pick up passwords. He recommends wireless users adopt security tokens or smart cards - small hardware devices that the owner carries to authorise access to a network service. Combined with a PIN, these devices generate unique security identification numbers every five minutes or so.
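As an added illustration of the token-plus-PIN scheme Sweeney describes, the Python below is example code written for this page, not any vendor's implementation. It assumes the token and the server share a secret seed and a clock, derives a fresh six-digit code for each five-minute step with an HMAC (the RFC 4226 truncation), checks the PIN as the second factor, tolerates one step of clock drift, and refuses a code that has already been used, which is what defeats a sniffer who captured a previous login. The seed, PIN and timestamps are constructed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 300   # the article's "every five minutes or so"
DIGITS = 6


def current_counter(now: float) -> int:
    """Number of whole five-minute steps since the epoch; the token's clock value."""
    return int(now // STEP_SECONDS)


def token_code(secret: bytes, counter: int) -> str:
    """Code the hardware token would show for one time step (HOTP-style truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Server-side check: something the user knows (PIN) plus something they hold (token)."""

    def __init__(self, secret: bytes, pin: str, drift_steps: int = 1):
        self.secret = secret
        self.pin = pin
        self.drift = drift_steps
        self.last_accepted = -1   # highest counter already used; blocks replay

    def verify(self, submitted_pin: str, submitted_code: str, now: float) -> bool:
        # Constant-time comparisons so a wrong guess leaks nothing through timing.
        if not hmac.compare_digest(self.pin.encode(), submitted_pin.encode()):
            return False
        c = current_counter(now)
        for k in range(c - self.drift, c + self.drift + 1):
            # A code from a step already consumed is a replay, even if otherwise valid.
            if k > self.last_accepted and hmac.compare_digest(token_code(self.secret, k), submitted_code):
                self.last_accepted = k
                return True
        return False


if __name__ == "__main__":
    SECRET = b"constructed-demo-seed"      # constructed; a real seed is random and per-token
    NOW = 1_600_000_000.0                  # constructed timestamp
    verifier = TokenVerifier(SECRET, "1234")
    code = token_code(SECRET, current_counter(NOW))
    print("first use:", verifier.verify("1234", code, NOW))        # True
    print("replayed:", verifier.verify("1234", code, NOW + 10))    # False
```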
Responsible IT use
While internet filtering and anti-malware software should cut out most threats, businesses can help themselves by making sure their employees use their computers responsibly.
Calum MacLeod, a senior consultant at security company Cyber-Ark, says companies should make sure employees are aware of what's acceptable and what's not acceptable use of computers in the workplace. Part of the induction process for new staff should be to ensure they understand the dos and don'ts of IT. This message can be reinforced by sending out e-mails with reminders of your IT policy from time to time.
Similarly, when someone leaves your company or changes jobs, you should check that all their IT user accounts and log-ins are shut down or their privileges are changed accordingly.
"Realistically, not everyone is going to do what they're told and any policies should be complemented by security technology which can enforce them," says MacLeod.