SMALL BUSINESS COMPUTER SECURITY
Due to a number of events widely reported in the press, public awareness of the importance of computer security has increased.1 Most computer security studies, however, have focused on issues related to large, multi-user systems rather than on small business systems.2 The topic is important to the small business operator because a small business that loses its records could quickly fail.3 This concern has resulted in U.S. Congressional action requiring the Small Business Administration to provide training to small businesses on computer security issues and computer crime prevention measures, despite the argument by some that inadequate accounting systems pose a greater threat to small businesses.4
1 "Beware, Hackers at Play," Newsweek (Sept. 5, 1983), pp. 42-48; and "Computer Security, What Can Be Done," Business Week (Sept. 26, 1983), pp. 126-130.
2 D. E. Denning and P. S. Denning, "Data Security," Computing Surveys (September, 1979), and Donn Parker, Computing Security Management (Reston, Virginia: Reston Publishing, 1981).
3 Hearing before the Subcommittee on Antitrust and Restraint of Trade Activities Affecting Small Business, regarding "Small Business Computer Crime Prevention Act," H.R. 3075, 1984, p. 4.
4 Public Law 98-132, "Small Business Computer Security and Education Act of 1984," 98 STAT. 431. See also "SBA Given Task of Educating Small Firms on Computer Security," The Wall Street Journal (June 4, 1984), p. 23.
Computerization should not be permitted to introduce errors into small business management and record keeping systems. The proper time to begin worrying about security is during planning.5 Whenever computers are used to manage sensitive data, it is appropriate to worry about computer security regardless of the state of the accounting system. The purpose of this article is to report the results of a survey of small business computer use and the measures taken to secure small business computer systems.
5 James Martin, Security, Accuracy, and Privacy in Computer Systems (New York: Prentice Hall, 1973), p. 4.
Computer security problems may be classified according to their origin and nature, as illustrated in figure 1. Threats to security can result from human, environmental, or systems factors. The nature of the damage includes loss of computer availability, loss of data integrity, and loss of privacy. For the purpose of this survey, four categories of controls were identified: physical security, management controls, system safeguards, and recovery measures.
Computers need to be protected from a variety of physical threats such as fire, power surges, and spilled coffee. Adequate premises security is the first ingredient in providing physical security (e.g., locks, smoke alarms, etc.). Additional precautions may be taken to protect the computer itself. Most important among these is isolation of the machine in a safe room. A variety of ancillary devices, such as power surge filters, waterproof covers, and lockable anti-theft "tie-downs" may also be useful. Management controls include rules and procedures governing computer use. Unless the owner is the only user, lack of explicit rules governing the use and protection of the computer (or failure to monitor those rules) indicates lack of management control over the system.
The safeguards used to protect large systems are frequently inappropriate for small systems. For example, password protection is of limited value in protecting a microcomputer database, as even moderately sophisticated users can easily defeat some available methods.
Use of the correct software is the most essential aspect of any computer system. Even commercial software houses which employ expert programmers do not guarantee their products;6 thus, the quality of any software written by inexperienced programmers is suspect. …