REDMOND, Wash., April 25, 2005 — Microsoft and the U.S. Chamber of Commerce kicked off National Small Business Week today with a message to business owners and their employees: Make computer security a priority by learning the facts about cyber threats and taking steps to help protect your company’s vital information. The help they need is available in the new Security Guide for Small Businesses, which was written by Microsoft’s U.S. Small Business team and is sponsored by the U.S. Chamber. The two organizations are releasing the guide today.
Cindy Bates, general manager of Microsoft’s small business group, says the contents of this new guide reflect an approach to security that spans both technology and social issues. Microsoft is seeking to make small businesses aware of potential threats so they can be empowered to make their computing environments–and by extension the Internet at large–more secure, said Bates.
Security also is a key focus for the U.S. Chamber of Commerce because its members rely heavily upon information technology and the Internet to run their businesses, said Andrew Howell, the organization’s vice president of homeland security policy.
PressPass recently spoke with Bates and Howell about the kinds of computer security issues small businesses face, the tools and resources available to combat security threats, and the importance of ongoing education about such issues.
PressPass: Why are you releasing the Security Guide for Small Businesses now?
Bates: National Small Business Week, which runs through April 30, is a time when many small business owners evaluate their priorities for the coming year, and statistics show computer security should be among them. For example, the Information Technology Solution Providers Alliance has reported that Internet attacks are growing at more than 60 percent each year. These are serious threats with serious consequences, yet many small businesses have not yet taken the relatively simple steps to safeguard their IT systems. For some businesses, it’s a matter of limited resources, but most small business owners simply are unclear about the steps they should take or even where to start.
Howell: That’s where the new Security Guide is valuable, because it gives small business owners practical, easy-to-understand steps for managing the security of their computers and the Internet. It removes the mystique and complexity often associated with computers, and therefore eliminates a significant barrier to managing the risks one faces when putting a computer online.
PressPass: Why should small businesses be concerned about computing security?
Bates: Computer and online security is a growing concern for businesses of all sizes, but there are several factors that make small businesses more vulnerable than their larger counterparts. For instance, large companies often have IT professionals at their disposal. Small business owners, on the other hand, must make their own decisions about how to secure their computers. Today, security is becoming tighter than ever at large companies, so small business networks are looking increasingly tempting to attackers. What’s more, small businesses often end up affected by larger attacks, such as mass worm outbreaks or efforts to harvest credit card numbers.
Howell: Small businesses should care about computing security because just like large firms, they have assets, pricing information, customer information, supplier data, payroll and the like on their computers as well as on the Internet. All of these assets are vulnerable to hackers and identity thieves.
PressPass: What are the biggest computing-security threats facing small business owners?
Howell: Not all security threats come from outside an organization. You have good people working for you, but no matter how dependable they are, simple human error can be the culprit in data loss. Unintentional errors can result when, for example, an employee opens an email-based virus that crashes a network or reveals sensitive corporate information. Remember, your employees have the greatest access to your company’s business information and they use your computer network daily. They must be trained properly on how to mitigate security breaches.
Bates: In addition, there are many external threats. A study by America Online and the National Cyber Security Alliance, the AOL/NCSA Online Safety Study, revealed that 62 percent of computer users have not updated their antivirus software and 91 percent have spyware on their computers. Spyware can cause extremely low performance, excessive pop-up ads and hijacked home pages. In a different survey conducted by the Information Technology Solution Providers Alliance, small business technology consultants reported their clients were hit by hackers or viruses an average of more than seven times last year.
PressPass: How can small business owners protect themselves against these threats?
Howell: The Security Guide is a valuable reference tool for small businesses as a first step toward protecting themselves from the threats that face all computer users with access to the Internet. The steps in the Security Guide, complemented by regular training of employees and reminders on what to avoid doing when using e-mail or the Internet, can significantly reduce vulnerabilities online.
PressPass: What are the steps described in the Security Guide?
Bates: The guide contains seven core steps that explain what small businesses need to do to improve security. One of the first steps to computing security is getting the software they need to protect themselves. Businesses should make sure they have up-to-date antivirus software and that it’s updated regularly. They also should install a firewall to prevent access to the system by unauthorized users. Microsoft Windows XP has a built-in firewall, so businesses running Windows XP should make sure it’s turned on. Next, they should ensure their software is up-to-date and is set to receive regular computer updates. There’s a function for Windows XP PCs called Automatic Update that can do this automatically. If you have an older operating system, such as Windows 2000 or Windows 98, you can download the most recent updates from the Windows Update website. Also, downloading Windows XP Service Pack 2, or SP2, will help protect small businesses against viruses, hackers and worms. This free download also includes a pop-up blocker and other tools to help protect privacy. Another good source of information is www.microsoft.com/security.
Planning is another important step for improving security. Companies must implement security practices to help anticipate, prevent and, if necessary, respond to security breaches. But many small businesses don’t have a disaster plan to cope with a major computing security issue. Such a plan should include backing up critical files, safeguarding the network and servers, and adhering to policies for safe Internet use, such as avoiding questionable Web sites. Small business owners also should make sure business critical information is restricted to the people who truly need it. The Security Guide includes a sample security plan for a small business.
PressPass: Where can small businesses find help implementing these security practices and procedures?
Bates: Since most small businesses do not have dedicated technology staff, hiring a consultant can be an excellent means for small business owners to determine the right security solution for their needs. Just as a small business owner would turn to an accountant to manage business financials, it makes sense to bring in an IT professional to help get the most benefit from technology. Small businesses can find an IT expert in their area by checking out the Partner Finder Tool at Microsoft’s Small Business Center (www.microsoft.com/smallbusiness).
PressPass: What role can businesses and government play together?
Howell: Due to the global nature of the Internet and the anonymity it affords, prosecuting cyber criminals is very difficult. However, law enforcement agencies are increasing their focus on cyber criminals and forging partnerships with fellow agencies around the globe. For example, Virginia authorities recently convicted one of the world’s largest spammers of violating the state’s anti-spamming law.
Regarding legislation, recent high-profile security breaches also appear to be shifting the focus from prosecuting the perpetrators of Internet crimes to assisting the victims of security breaches. Legislation increasingly is focusing on what companies must do to ensure the privacy of customer data. This makes it even more important for small businesses to implement sound cyber security practices.
Bates: At Microsoft, we’ve welcomed the opportunity to assist government agencies in their investigations of those who would use the Internet for criminal purposes. Our recent collaborations with the offices of the attorneys general of New York, Washington, Texas and Florida, for example, have led to civil actions against networks of cyber criminals, including spammers whose volume of illegal e-mail is ranked third and fourth in the world. These collaborations have worked, and we pledge to continue to assist law enforcement agencies. Microsoft also helped establish Digital PhishNet, an alliance of law enforcement and the technology industry aimed at expediting arrests and convictions against “phishers” — who steal people’s personal financial information by posing as reputable companies online.
PressPass: Will computers ever be 100 percent secure?
Bates: Technology exists for protecting systems, but processes and awareness are also key parts of an overall security strategy. While no software is immune to malicious attacks, computers can be set up and maintained in ways that minimize risk. Microsoft understands that technology alone will not make the Internet safer. That’s why we need to work in concert with the industry and our customers on awareness and education. Microsoft will continue to stress security readiness via evolving tools, training and education as well as continue to help prosecute those who threaten the viability of the Internet.
PressPass: Where can small business owners get a copy of the Security Guide?
Bates: They can download a free copy from the Microsoft Security Guidance Center (http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx) and from the U.S. Chamber of Commerce Web site (www.uschamber.com/sb/security).