Unfortunately, security experts say, most businesses do little to protect their Web sites today. Adding to the problem -- which can be especially serious for those conducting transactions over the Internet -- is that security help doesn't necessarily come cheap.
"Building a Web page isn't a free service, and protecting the site isn't the developer's job. It's a management concern that can't be overlooked," says William Hugh Murray, executive consultant, Information Protection for Deloitte & Touche, a computing consultancy based in Wilton, Conn.
LYING AWAKE AT NIGHT
Even if a company Web site isn't used to transmit information or documents over the Internet, and it strictly provides company information, the thought of what happened to the Justice Department and the CIA is enough to keep some people awake at night.
According to industry analysts, in both the CIA and Justice break-ins, hackers escaped from Web server applications and gained access to operating system functions via the log-on information still loaded on the Web server.
A primary precaution that neither the CIA nor Justice took was to remove access to the operating system used to set up the Web site before allowing public access.
"In the Justice Department and CIA Web site break-ins, if there had been no log-on in those servers, they could not have been hacked that way," Mr. Murray says.
In a nutshell, security is a matter of policies, enforcement and diligence.
"It's an ongoing process -- not a one-time matter," says Curt Stammberger, director of technology marketing for RSA Corp., a leading cryptography company.
And even though securing your Web server is a technical issue, the marketers and business executives who manage corporate Web sites need to know what questions to ask their IT department and outside Web developers.
In general, Web site security boils down to a few key elements:
Businesses must decide on a companywide basis which security measures are important. "Not everyone needs privacy. If purchase orders are flying over the Internet, you may not need privacy but authentication will be important to you," says Mr. Stammberger.
To get an idea of the sheer number of security products available, Web site managers may want to browse http://www.rsa.com to view the hundreds of third-party products listed by RSA in a Security Solutions Catalog.
The first step, especially if you aren't trained in Web and Internet security issues, is to do your homework. Some analysts recommend books like "Security Issues for the Internet and World Wide Web" by Computer Technology Research.
Others recommend contacting the National Computer Security Association (NCSA) in Carlisle, Pa.
The NCSA is a for-profit association that creates and maintains security-related certification programs. Its newest, started last summer, is a Certified Web Site program, designed to assure Web users that certified sites meet minimum requirements for a range of security issues.
"There is no 100% security guarantee, but this certification will greatly reduce the chances of a break-in," says Sam Glesner, marketing director for NCSA.
For a fee of $8,500 for the first Web server, and an additional fee for multiple Web servers, NCSA will certify your site, protecting it from a variety of possible breaches.
STEPS TO TAKE
According to Mr. Glesner, there are several things that businesses can do to improve their Web site's security, including: