Pennington Hardwoods in Clarksville, Ind., is a nationwide distributor and retailer of hardwood flooring that is small in staff but big in volume. In 1999, Pennington sold more than $2 million worth of hardwood flooring, with much of the sales coming from business conducted over the Internet. Kevin Pennington, the company's president, is excited about the Internet's potential, but he's also concerned about the security threats it poses to his growing business.
"Over the past year, we've shipped orders to all 50 states, and much of that business is the result of our presence on the World Wide Web," Pennington says. "We never see our customers, and we accept credit cards from many who are located in remote parts of the country. The Internet will be a big part of our future, but we have to look closely at the security risks and threats it poses."
Like many companies in the hardwood flooring industry, Pennington Hardwoods is hoping to profit and benefit from a dynamic Internet presence. The Web carries the potential to reach millions of customers directly in the time it takes bits of data to cross phone lines, but it's akin to a wild commercial frontier, and hardwood flooring retailers need to take reliable security measures to protect their businesses' resources.
"Computer security should be a concern to any company in the hardwood flooring industry that has a Web site or is interacting with the Internet," says Jim Dion, a senior partner with the Chicago-based J.C. Williams Group and a consultant to the retail industry.
Consider the chilling potential for disaster. Suppose a computer thief or hacker breaks into your operation's accounting system. Or what if a computer virus eats into your system via the Internet? Customer lists and financial records are vital to your company's success, but think what would happen if an unscrupulous competitor got hold of them.
Sound far-fetched? Well, all these scenarios have actually happened to retail businesses — many times, and they're bound to happen again. In a 1997 University of Michigan study, 93.6 percent of the 200 businesses surveyed said computer crime struck their operation at least once. "If a retail business has an Internet presence, it should make security its top priority because there are a lot of malicious people — hackers — in cyberspace who take a lot of pleasure in breaking into computer systems and wreaking havoc with businesses, large and small," says Dan Burphiaume, managing editor of Retail System Alert, a publication that provides a monthly update on automation news and trends for retailers.
So how do you go about protecting your business while still maintaining a dynamic presence on the Internet? You need to use a combination of approaches that includes the application of technology, the use of common sense and the establishment of the proper business mindset.
"Ensuring Internet security is part of the ongoing cost of doing business on the Information Superhighway, and it should be an integral part of your business's marketing plan," says Robert Kulhawy, CEO of Calgary-based HFI Flooring Inc.
Protect against the threat
To begin protecting your business against the computer security threat, ask yourself this important question: Who should be allowed access to your store's computer system and the Internet? The bottom line, as we noted in part one of this series: Some employees only need e-mail access to the Internet, while others may also need access to news groups. Some employees will require unlimited access to all Internet resources.
"A hardwood floor store should be careful about which employees have access to the Internet. It's best to put one person in charge of granting that access," says Tony Rosso, owner of the Hardwood Floor Centre in Toronto. "I'm the one who does it in my store."
Use passwords wisely
Next, be careful in the selection of the passwords you choose to protect the store's computer information. "Your objective in selecting a password," advises Mike Corby, a consulting director with M. Corby and Associates, an information technology consulting company based in Weston, Mass., "is to make it as difficult as possible for a criminal to guess intelligently what you've chosen. You want to frustrate the criminal by forcing him to use every possible combination of letters, numbers and punctuation."
So don't use the obvious — your spouse's or your child's birthday, passwords less than six characters, or those that are all the same digits or letters, for example.
"Everything that is on our computer is password protected," Rosso says. "We change our passwords frequently, and we use a combination of letters and numbers."
Beware of viruses
According to a 1998 survey by the Computer Security Association, 33 of every 1,000 computers were infected by a virus in a given month in 1997, more than double the number in 1996. Moreover, an estimated 1,800 new viruses are created every three months by hackers, as well as disgruntled employees and customers.
"A hardwood flooring store should be running an antiviral program in each of its computers all of the time," says Sebastien Charroud, a business and Internet consultant based in Rock Hill, S.C. Charroud points out that the popular Norton and McAfee antiviral programs cost between $50 and $75. Both Rosso and Pennington use the Norton antiviral program in their stores.
"Norton is not expensive," Rosso says. "Looking at it from a security point of view, not having virus protection is like driving your car without insurance. Is it expensive to buy car insurance? I don't think so, given what can happen if you don't have it."
Be concerned about the source of the software program you put into the store's computer system. "A retailer needs to sit down with his or her staff and make it clear to them that nobody brings disks from home and uses them on a store's computer without permission," says Alex Nichols, president of the Latham, N.Y.-based Wood Floor Store.
The good news: Almost any security problem can be corrected if you make backup copies of all your important information. "Practical procedures call for identifying the type of information you need to protect and devising a schedule or procedure for ensuring that it's backed up to another disk drive, a tape drive or other type of media such as a CD-ROM," says Glenn Pritchett, director of systems and networks for Logos Research Systems, an Oak Harbor, Wash.-based company that sells Internet software. "There are many different programs and methods for performing backups, but none are any good if they are not performed and performed often so that the most current information is saved."
Build firewalls
Now is the time to look at your Internet connection and make sure no one from outside your retail store can get unauthorized access to its data. The most popular way of doing this is to build a "firewall" between you and the Internet. A firewall is software that sits between your data and the Internet, filtering the packets generated by the Internet's baseline protocol, TCP/IP, which wasn't built for security. The firewall acts like a security net, limiting access to your computer system from the Internet and approving or stopping traffic as it moves in and out, according to a well thought-out plan.
"Our Web site is hosted by the local Internet service provider, and it uses firewalls to protect my business," Pennington says. "It's most definitely important to have one. I spent three months working on getting our Web site up and running, and I would be really upset if a hacker did damage to it. Sure, I could fix the site, but it would be an annoyance."
A firewall can be built to allow access only from special hosts and networks, or you can set it up to prevent access from specific hosts. "You definitely need a firewall if you have employees with work stations that allow them direct access to the Internet," Pritchett says.
Corby adds, "If you host your own Web server, the worst business decision a retailer can make is to put it on the Internet without the protection of a firewall. You are inviting disaster."
Hardwood flooring retailers can build their own firewall, or use a company that specializes in Internet security. Having the firewall built for your store can cost between $10,000 and $25,000, but software is available that allows you to do it yourself for as little as $2,000. A search of the Yahoo search engine on the World Wide Web using the term "firewalls" found more than 90 companies that sell firewalls. The Internet Computer Security Association offers books and information about firewalls.
"A lot of hardwood flooring stores may consider constructing a firewall a costly enterprise, but they should consider it just a part of doing business on the Internet," Dion says.
Corby believes it's important to have your Internet connection done by an Internet service provider (ISP) that can show you it's knowledgeable about Internet security. "A lot of ISPs are geared to the home user, not the businessman, so computer security is not a big concern for them," he says.
Encrypt your communication
Worried a little about the privacy of your business e-mail? Using encryption tools like Pretty Good Privacy (PGP) will allow you to protect sensitive e-mail by encrypting either the mail itself or the files attached to it, so that nobody but the intended parties can read it.
"PGP has proven quite capable of resisting the most sophisticated forms of analysis aimed at reading encoded messages," Corby says.
Rosso farms out his store's encryption. "We've hired a consultant who comes in every two to four weeks and encrypts our data," he says. "It's not expensive, considering the damage that can be done to non-encrypted information. Besides, I sleep better at night."
Network
Where should you go for help? How can you keep up with and evaluate the computer and Internet security tools inundating the market? By networking and taking advantage of free resources. For example, Infosecurity News, a free newsletter that comes out six times a year, doesn't recommend products, but it will point readers in the right direction and tell them about problems users have experienced with certain products.
The International Computer Security Association evaluates firewalls and many other kinds of Internet security products as well. Meanwhile, Computer Incident Advisory Capability, an arm of the U.S. Department of Energy, is one of several federal agencies that can offer practical advice and information about Internet security.
And don't forget your company's computer itself. "The Internet has lots of information on computer security issues," Charroud says. "So browsing the World Wide Web is perhaps one of the best ways to learn about security."
Put it in writing
Finally, put your computer security policy and procedures in writing. Don't rely on your store's old hands to get the new employees to understand the policy.
"The retail industry has a lot of turnover, so it makes sense for a hardwood floor store to have its security policy in writing," Dion says.
All the practical advice in the world can't guarantee your business 100 percent security either in the brick-and-mortar world or on the Internet, but you can avoid many of the nightmares that have plagued other businesses.
"The bottom line," says Nichols, "is that the hardwood flooring retailer needs to spend some time and money protecting his business investment. How else can he expect to be successful?"
Security Highlights
• Limit access to your database and the Internet. Access to your store's computer system and the Internet should be limited to employees who need it to perform their jobs.
• Change passwords often. Also, avoid obvious, easy-to-guess passwords.
• Install antivirus software. Also, make sure any software you install or files you let into your system come from a reputable source.
• Back up your data. Identify the information you need to protect and devise a schedule to ensure it's backed up to another disk drive, a tape drive or CD-ROM.
• Build Internet firewalls. Software is available that allows you to do it yourself for as low as $2,000. If you contract with an Internet service provider (ISP), use one that is knowledgeable about Internet security.
• Encrypt communications. Protect sensitive e-mail by encrypting either the mail itself or the files attached to it.
Security Resources on the Internet
• International Computer Security Association, 1200 Walnut Bottom Rd., Carlisle, PA 17013-7635, Phone: 800/488-4595, www.ncsa.com
• Pretty Good Privacy (PGP) thegate.gamers.org/~tony/pgp.html
• Computer Incident Advisory Capability ciac.llnl.gov/
• Infosecurity News www.infosecnews.com/