Many businesses seem to think they have an invisible cloak of invincibility when it comes to computer security.

But saying "it won't happen to me" is simply not enough.

Harm to your systems and data can be a fatal blow at the heart of your company, affecting your ability to trade, your credibility and your reputation with customers.

It is not just high-profile multinationals that need to protect against digital threats.

Even if you think you are safe enough with measures you have already taken, you might like to consider a recent survey by IBM which showed almost 30 per cent of money currently spent on information technology security in Europe was either misplaced or wasted.

Evolution has worked with Andy Burt, IBM business manager in the South-East, to put together the following ten-point guide to protecting your business.

1. Know the risks you face and turn them into a security policy.

You cannot protect yourself unless you have thought about what threats you face and how serious they are.

There is no one-size-fits-all list of risks. Every business has individual vulnerabilities and priorities.

For example, if your network extends to suppliers, customers and partners, this automatically means network security must be given high priority.

Make your own list to help you determine a unique security policy and the level of protection you will need.

Risks typically fall into three categories:

Intentional threats from unauthorised users like hackers, saboteurs and thieves.

Network users who leave their computer badly protected, providing opportunities for unauthorised users.

Equipment malfunctions or natural disasters such as fires, floods and accidental damage.

2. Get help to find hidden weak points.

Not all the risks you face will be obvious, especially if you do not have a full-time information technology expert in-house.

Have an audit or penetration test carried out by an independent security company to find holes before you purchase protective hardware or software.

This avoids purchasing tools for problems you do not have. It is vital to ensure that whatever security products you invest in are relevant to your business needs.

3. Make fixed assets physically secure.

Your building's alarm system will put off thieves from outside but that does not stop anyone inside opening a machine and stealing memory or a processor.

You can buy an inexpensive security kit that consists of a hacksaw-proof cable and padlock, which will prevent a computer being opened or physically removed.

You should consider security tags which will help police track down the property's legal owner in the event of recovery.

Put your most valuable material, like servers and archived data, in an access-controlled room rather than leaving it distributed around your premises.

4. Don't make it easy for hackers.

Lots of hackers target big companies for "ethical" reasons. But they are not averse to creating a bit of chaos anywhere they can. And they probably know more about your computers than you do.

There are precautions you can take which amount to common sense.

The United States Federal Bureau of Investigation (FBI) lists the following as the most common mistakes companies and their employees make which leave their data vulnerable:

Default installation of operating systems and applications.

Weak passwords: some 40 per cent of us use "password".

Incomplete back-up of data.

Unneeded ports left open.

Data packets not filtered for correct incoming and outgoing addresses.

Use password management software to help employees choose strong passwords, and enforce password expiration.

Create stronger authentication by combining passwords with biometrics.

5. Remember the internet is as vulnerable as it is useful.

Every business needs a web site, even if it does not use it to trade with customers and suppliers.

But the internet has vulnerabilities all its own. An average of 200 web sites are breached every day in the UK and the average cost of such a breach has been estimated at £16,000, bad news for a large organisation and crippling for a small one.

Don't listen to anyone who recommends you purchase a separate firewall for every connection you have.

Instead, rationalise your internet connections and direct all incoming traffic through one point of entry, requiring only one properly configured firewall.

Securing an e-business is not just about technology.

It also means educating employees about the importance of information security.

6. Computer viruses, like human ones, affect everybody.

Melissa, Bill Clinton and I Love You are viruses that have caused millions of pounds-worth of damage in the last couple of years.

Like most security threats, they hit smaller companies as much as large ones. Protecting against them is not as simple as deploying a software package and forgetting all about it.

Making sure you do not lose data to a virus means constant reviews, patches and vulnerability signature updates.

This will do no more than improve the odds of staying ahead of virus authors, who are perfecting their craft as fast as virus protection specialists can develop solutions.

Your best protection is down to policy and procedure as much as technology.

Employees must have rigorous instructions concerning receipt of suspicious emails and what to do in the event of infection.

7. If communications matter, encrypt them.

Many companies live or die by email. While no one would pretend all email messages are equally crucial or sensitive, there will be times when you are sending a business plan or a quotation you definitely don't want anyone else to see.

If you want your company network to extend to remote workers, or over wireless links to customers and suppliers, then you would be mad not to employ at least some basic form of encryption that makes it hard for outsiders to tap in.

Encryption, such as public key infrastructure (PKI), wraps up important data so it can only be read by someone with the right "key". This not only protects sensitive data in transmission but makes the internet a much safer and more trustworthy medium for e-business.

If your budget extends to it, you could set up secure connections to a variety of destinations over a virtual private network.

8. Think of security as an ongoing process.

The nature of security measures is that you cannot just worry once and rest forever.

Ideally you need a good and reliable partner to help you address the numerous elements that make up a security policy.

This needs to be a company with a broad perspective, since computer security is made up of many unrelated markets and products.

A good security supplier will be accredited to one or more leading security product manufacturers.

Security will be something it specialises in, or at least can demonstrate a track record in.

Make sure you ask for customer references and case studies so you can see work it has done in the past.

9. Don't forget that security is a matter of degree.

Security is a sliding scale. At the bottom is total lack of security, with your data open to the four winds.

At the top is security so tight that people in your company cannot access what they need without remembering a ten-step procedure and referring to a manual of security codes. It will not always follow that the information technology solution you want is the most secure.

That's life. Organisations may have to choose between their preferred solution and one with the optimum security.

10. Prepare for the worst.

You cannot protect against everything but you can be prepared.

Ensure your organisation has clearly understood and well-rehearsed recovery procedures in place as a contingency against system failure.

One in five organisations will suffer a major disaster every five years, according to the Computer Security Institute, which classifies a disaster as something on the level of a flood or a fire or a network damaged by sabotage or by accident.

It claims about 80 per cent of companies experiencing a critical disaster without appropriate procedures never re-open.

Andy Burt said:

"There's a lot to think about when it comes to security and perhaps the conclusion from all of this is that you shouldn't be complacent.

"Poor security measures can have catastrophic effects on business.

"At IBM, we've pulled all our resources together for our customers to be able to begin their planning process."