Web Site Security: What Small Businesses Need to Know

A Web site can help business owners promote their companies, build customer confidence and even streamline some business processes. However, the California Society of CPAs (CalCPA) points out that a Web site's effectiveness hinges on its security. Web site security embraces a number of complex issues, including system and network security, authentication services, privacy issues and cryptology. CalCPA presents this primer to help small businesses minimize Web security risks.

Understand Security Risks

As soon as your Web site is launched, your company is exposed to a variety of risks. These can include bugs or misconfiguration problems in the Web server that allow unauthorized users to break into the system, content that damages or crashes the browser or the user's system, employee access abuses and the misuse of personal information provided by the end user. To minimize these and other risks, you should implement effective security measures.

Develop A Security Policy

The first step is to develop a security policy that essentially outlines who uses the system, what they are allowed to do and the level of access for various user groups. The policy also should indicate the individual(s) responsible for granting and revoking user access, remote and local log-in methods, and system monitoring procedures. Circulating such a document among staff will alert them to the importance of Web site security. Ongoing enforcement of the policy is vital to ensuring the security of your site.

Protect Confidential Documents

Depending on the nature of the information posted on the Web site, most companies want to restrict access, whether by external groups or from within their own organizations. There are three types of access restrictions available:
  • Restriction by IP (Internet Protocol) address or domain name. Essentially, individual documents or entire directories are protected in such a way that only browsers connecting from certain IP addresses, IP subnets or domains can access them. Be aware that servers vary in their ability to restrict browser access to individual documents or portions of documents.
  • Restriction by user name or password. Documents or directories are protected so that the remote user must provide a name and password to gain access. For this type of restriction to be effective, passwords should not be easily guessed words.
  • Encryption. Encryption technology is one of the most important security features to implement when setting up your site. Encryption scrambles information from a readable to a nonreadable form. If your company plans to process credit card information online, you'll want to make sure you have secure sockets layer (SSL), a type of encryption technology that protects credit card data as it is transmitted. SSL is currently implemented commercially on several different browsers and many different servers.
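The first two restrictions above, combined into one access check, as an added example that is not part of CalCPA's primer: a protected directory is reachable only from permitted IP subnets, and only with a user name and a password that is stored as a salted hash rather than in clear text. The networks, the word list and the user records are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import os

# Constructed policy: only browsers on these networks may reach the protected
# directory (the page's "restriction by IP address or subnet"). The ranges are
# reserved documentation addresses, not a real deployment.
ALLOWED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]

# A short constructed list of "easily guessed words" the password policy
# rejects; a real deployment would check against a much larger dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "company", "admin"}


def password_is_acceptable(password: str) -> bool:
    """Reject passwords that are short or that are just an easily guessed word."""
    return len(password) >= 12 and password.lower() not in COMMON_WORDS


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Store only a salted PBKDF2 hash of the password, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def ip_is_allowed(client_ip: str) -> bool:
    """True only if the connecting address falls inside a permitted subnet."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def authorize(client_ip: str, username: str, password: str, users: dict) -> bool:
    """Both restrictions must pass: a permitted network AND valid credentials.
    `users` maps a user name to its (salt, hash) pair from hash_password()."""
    if not ip_is_allowed(client_ip):
        return False
    record = users.get(username)
    if record is None:
        return False
    return verify_password(password, *record)
```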

Use Firewalls

Firewalls are a fundamental means of protecting your computer system. Generally, firewalls are configured to protect against unauthenticated interactive log-ins from the "outside world," thus preventing computer hackers and others from logging on to machines in your network. Firewalls also can provide important logging and auditing information by summarizing the kinds and amount of traffic that passed through.

Keep in mind, however, that firewalls cannot effectively protect your system against all viruses. Rather than trying to screen viruses out at the firewall, it's wise to make sure that up-to-date virus scanning software is on every computer in your organization and is run every time each of these machines is rebooted.

Ask A CPA About WebTrust

WebTrust is a consulting and certification process that CPAs can use to help your business identify and reduce certain security risks and provide assurance to your customers. As part of the WebTrust program, there are principles and criteria that establish best practices in the areas of security, confidentiality, privacy, transaction integrity and others. Through these best practices, CPAs assess a Web site's controls and ensure that it meets WebTrust standards. Once the CPA has ascertained that the site meets these standards, you have the option of receiving a WebTrust seal or stamp of approval that can be posted on your site.