
Keep Thieves Out of Your System

At best, hackers can embarrass your company. At worst, they can cost your firm thousands or even millions of dollars in damage.

For many hackers, the primary motivation is stealing credit card numbers. Others are in search of a challenge — they damage a site just because it's there. Perhaps the worst kind of attack is sabotage from disgruntled current or former employees, because they know your vulnerabilities.

A Cautionary Tale
A computer security expert was summoned to an executive's office to assist with a problem. There on the executive's computer in plain sight was a key password scrawled on a Post-It note. "With that information," the expert explains, "I could have gotten into the whole corporate system."

Here are 12 things to help keep unwanted users out of your computer system.

1. Stay alert all the time. It doesn't take long for hackers to do a lot of damage. In less than an hour, an unwatched system can be badly compromised. If your company can't monitor systems during non-work hours, consider hiring a managed security service to do it for you. These firms can watch your system 24 hours a day, seven days a week. Typically, the services aren't cheap, but they could be a bargain if they prevent disaster.

2. Put a security policy and a disaster plan in place. Just locking the door every night isn't enough. Include key personnel in discussions about business requirements. Review key issues such as: How are you protecting the crown jewels — customer databases? Who inside the company needs information, what kind and when? If damage occurs, how will your company respond? From those and other answers, develop a written manual that outlines security issues and spells out what should happen if disaster strikes.

3. Separate information that is Web accessible from mission-critical data. Keep customer databases separate from external databases. This may seem obvious, but some operations run everything on one computer or even one set of servers.

4. Make security an issue with personnel at every level. Risks must be communicated to employees so they understand what's at stake. In particular, people who deal with the public, such as salespeople, need to be persuaded of the importance of observing security rules.

5. Don't be frugal about updating software. If you have early software versions on your computers or servers, those versions may have bugs that can make you vulnerable. Software manufacturers offer patches or updated versions.

6. Erect firewalls and make sure they don't have holes in them. A firewall can protect you from unauthorized access, but not if the configurations and software are out of date or full of holes that were poked when you experimented with technology and then forgot to close them. Off-the-shelf software may not be good enough. Get knowledgeable help.

7. Have a security audit. Your ISP and other commercial firms may offer services to look for loopholes or vulnerabilities in your system. But be careful who you employ. You want experts in hacking, but not experts with criminal records — known in the trade as "black hat hackers." Remember, you're trusting your system security to an outsider.

8. Monitor. Giving the public access to your Web site is the name of the game, but with that comes a certain vulnerability. At the very least, monitor the access log for any anomalies that might suggest a hacker attack.

9. Try to keep employees satisfied. A recent survey found that 58 percent of security breaches were committed by authorized employees. Implement good personnel policies that produce a comfortable environment to reduce any inclination that employees might have to do damage. Beyond that, employ good hiring and security procedures and give access only to those employees who have a need to know. When staff members leave, eliminate their access. Even good people who no longer work for your company have less of an interest in protecting your data.

10. Back up all data and systems so that if something does get hacked, you have a quick and easy way to restore service. Encrypt credit information and store it off the premises.

11. Implement a strict company policy on passwords. Get rid of weak passwords with everyday words or names. Require longer passwords with less common mixtures of letters, numbers and characters and change them frequently.

12. Make it tough to gain access remotely. Giving away the keys to your system obviously makes it vulnerable so make sure that people who work off-site have limited access to only the parts of the system they need to reach.


This article is provided as a service by: L.S. Sherman Litigation Consulting.

LSSLC is a group of complex litigation specialists helping attorneys prepare successful complex litigation through the management of detailed technical information and engagement of experienced testifying experts of unsurpassed quality.

Contact Linda Sherman: 610-642-7755


LSSLC, LLC provides the information in this newsletter for general guidance only, and does not constitute the provision of legal advice or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal, or other competent advisers. Before making any decision or taking any action, you should consult a professional adviser who has been provided with all pertinent facts relevant to your particular situation. 

The information is provided "as is," with no assurance or guarantee of completeness, accuracy, or timeliness of the information, and without warranty of any kind, express or implied, including but not limited to warranties of performance, merchantability, and fitness for a particular purpose.