And just to be clear: even the biggest enterprises concede that their systems are not 100 per cent foolproof. They spend thousands of dollars to keep the internal security team abreast of the latest in security trends and issues. At the same time, they still turn to external consultants to regularly check that systems, policies and processes are up-to-date, and compliant with regulations.

How much would a security breach cost? Is all the expense paid to keep the internal team up-to-date worth it? A survey by Forrester of 28 companies that had experience a data breach puts this figure between US$90 to US$305 per lost record. It doesn’t sound much when you count your data if you have a handful of customers. However, if your customer database is in the tens of thousands, you are looking at millions in lost opportunity and not to mention the impact of losing your customers’ trust.

“After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number,” said senior analyst Khalid Kark Forrester Research in the report. “Although studies may not be able to determine the exact cost of a security breach in your organization, the loss of sensitive data can have a crippling impact on an organization’s bottom line, especially if it is ill-equipped, and it’s important to be able to make an educated estimate of its cost.”

More recently, the Ponemon Institute LLC, an information security research group, pegged the cost of exposing data such as Social Security and credit-card numbers to US$7.3 million per incident, up 7 percent from last year.

Edward Ferrara, a security and risk analyst at Forrester laments that building your own security is in itself fraught with challenges. “Security is so hot that good people are hard to find, and they’re expensive! So even if you wanted to build your own security organization, it would be hard to do that,” he adds.

This is where outsourcers, such as managed security service providers, come in. These organizations use economies of scale to provide security-related services at what would be a fraction of the cost if you were to do it yourself. You pay for how much service you believe you will need – no more, no less. Your outsourced security expense can scale with your business: up or down. This is very appealing for many SMBs because it gives them the sense of security they need, and allows them to protect their fledgling brand which is an important asset for anyone who has been in business long enough.

Just so I am clear about this again.  There are tens, if not hundreds, of companies willing to sell you their security services for a monthly fee. Choosing the right provider is actually not as difficult as it may seem.

The first thing to do is ask around from friends, business partners or industry groups, for referral. There are bound to be people who have gone the outsourcing way and they can offer you field experience.

When you’ve got the list down, look for a provider with technology and expertise that meets your specific security needs. Ask about response times, the size of the support team, the number of customers they currently service, the type of customers they currently support, and of course, ask for references. If you handle financial or medical data, make sure the provider can help you comply with relevant data-security regulations.

Ask the provider what your options are in terms of the type of services you will likely need. Will they install new equipment at your premises? Will your traffic run through their data centers before it comes to you? If you’ve started using virtual machines in your operation, can your MSSP secure both physical and virtual servers?

You may also want to verify platform compatibility, i.e., will their platform support both your physical and virtual platforms. This is important because it will ensure seamless transition to their platform.

If you have a budding ecommerce business, look for a provider with experience blocking security threats to sites while boosting site speed and performance. Ask them if their platform also supports social networks and is geared towards interactivity. A good benchmark is if they use Parallels Web Presence Builder. Combined with Parallels Plesk, it offers organizations a platform for rapid deployment of websites that serve a business function and work extremely well for visitors.

IT security is a full time, 24×7 pre-occupation! Your customers do not expect you to have your own SWAT team. On the other hand, they expect you to protect their information to the best of your ability. You don’t need to set up your own team to protect your business and your customers. There are plenty of services that can give your company effective protection at a reasonable cost.

And just to be clear: even the biggest enterprises concede that their systems are not 100 per cent foolproof. They spend thousands of dollars to keep the internal security team abreast of the latest in security trends and issues. At the same time, they still turn to external consultants to regularly check that systems, policies and processes are up-to-date, and compliant with regulations.

How much would a security breach cost? Is all the expense paid to keep the internal team up-to-date worth it? A survey by Forrester of 28 companies that had experience a data breach puts this figure between US$90 to US$305 per lost record. It doesn’t sound much when you count your data if you have a handful of customers. However, if your customer database is in the tens of thousands, you are looking at millions in lost opportunity and not to mention the impact of losing your customers’ trust.

“After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number,” said senior analyst Khalid Kark Forrester Research in the report. “Although studies may not be able to determine the exact cost of a security breach in your organization, the loss of sensitive data can have a crippling impact on an organization’s bottom line, especially if it is ill-equipped, and it’s important to be able to make an educated estimate of its cost.”

More recently, the Ponemon Institute LLC, an information security research group, pegged the cost of exposing data such as Social Security and credit-card numbers to US$7.3 million per incident, up 7 percent from last year.

Edward Ferrara, a security and risk analyst at Forrester laments that building your own security is in itself fraught with challenges. “Security is so hot that good people are hard to find, and they’re expensive! So even if you wanted to build your own security organization, it would be hard to do that,” he adds.

This is where outsourcers, such as managed security service providers, come in. These organizations use economies of scale to provide security-related services at what would be a fraction of the cost if you were to do it yourself. You pay for how much service you believe you will need – no more, no less. Your outsourced security expense can scale with your business: up or down. This is very appealing for many SMBs because it gives them the sense of security they need, and allows them to protect their fledgling brand which is an important asset for anyone who has been in business long enough.

Just so I am clear about this again.  There are tens, if not hundreds, of companies willing to sell you their security services for a monthly fee. Choosing the right provider is actually not as difficult as it may seem.

The first thing to do is ask around from friends, business partners or industry groups, for referral. There are bound to be people who have gone the outsourcing way and they can offer you field experience.

When you’ve got the list down, look for a provider with technology and expertise that meets your specific security needs. Ask about response times, the size of the support team, the number of customers they currently service, the type of customers they currently support, and of course, ask for references. If you handle financial or medical data, make sure the provider can help you comply with relevant data-security regulations.

Ask the provider what your options are in terms of the type of services you will likely need. Will they install new equipment at your premises? Will your traffic run through their data centers before it comes to you? If you’ve started using virtual machines in your operation, can your MSSP secure both physical and virtual servers?

You may also want to verify platform compatibility, i.e., will their platform support both your physical and virtual platforms. This is important because it will ensure seamless transition to their platform.

If you have a budding ecommerce business, look for a provider with experience blocking security threats to sites while boosting site speed and performance. Ask them if their platform also supports social networks and is geared towards interactivity. A good benchmark is if they use Parallels Web Presence Builder. Combined with Parallels Plesk, it offers organizations a platform for rapid deployment of websites that serve a business function and work extremely well for visitors.

IT security is a full time, 24×7 pre-occupation! Your customers do not expect you to have your own SWAT team. On the other hand, they expect you to protect their information to the best of your ability. You don’t need to set up your own team to protect your business and your customers. There are plenty of services that can give your company effective protection at a reasonable cost.

Things haven’t really changed much in 2012. The just released January 2012 Symantec Intelligence Report revealed that while spam and viruses have been on the decline since the latter half of 2011, the types of attacks have changed. Phishers and spammers are being more specific in their targets and their attack approaches have become much more sophisticated. Some have started to use legitimate database sources and even recognizable brand websites. In addition to popular social platforms, malware purveyors are also using real distribution lists to improve their success rates.

Spammers have discovered that small to midsized businesses or SMBs are easier to target because they don’t have the same resources as the big boys to counter threats coming from the Internet.

And while the growth of the Internet has become the preferred channel for attacks, the Internet has also become an enabling platform for the creation of cost-effective security solutions that cater to just about everyone. Managed security services (MSS) is a systematic approach to managing an organization’s security needs. Usually outsourced to a service provider that oversees other companies’ network and information system security needs.

Functions of a managed security service include round-the-clock monitoring and management of intrusion detection systems and firewalls, overseeing patch management and upgrades, performing security assessments and security audits, and responding to emergencies. There are products available from a number of vendors to help organize and guide the procedures involved. This diverts the burden of performing the chores manually, which can be considerable, away from administrators.

What makes MSSPs popular with SMBs, particularly in Asia, is the relatively cost-effective offerings available in the market. From simple web filtering of emails, to 24×7 protection of websites and e-commerce applications, MSSPs use economies of scale to offer the same level of protection previously only afforded by large enterprises. After all, can you afford to hire an information security professional and keep these experts reasonably up-to-date with the latest in infosecurity best practices? Probably not!

With global ecommerce estimated to have reach USD711 billion in sales in 2010 (eMarketer) and China’s growing affluent consumers projected to spend USD134 billion online by 2012 (IDC), businesses of all sizes are scrambling to ride on this opportunity. But like all new ‘blue ocean’, caution must be exercised and efforts protected to ensure that risks are mitigated in this journey towards a globally connected world.

Like all things outsourced, identifying the right MSSP presents both an opportunity and a challenge. Just as importantly, identifying the right technology that offers the right level of security will be critical towards ensuring that your investment goes a long way towards achieving your business objectives.

A central tenet all MSSPs often choose to keep secret is the ability to use automation to deliver uninterrupted service 24×7. Partnering with innovators like Parallels has allowed many hosting service providers like us to achieve the economies of scale our business demands while ensuring our customers remain secure in the knowledge that their systems are protected 24x7xforever.

In my coming blog, I will list out proven steps to identifying what to look for in your MSSP so you are able to protect your investments and achieve the best outcome for your money. I’ll also uncover some of the best kept technology secrets in the hosting business. Stay tuned.

Things haven’t really changed much in 2012. The just released January 2012 Symantec Intelligence Report revealed that while spam and viruses have been on the decline since the latter half of 2011, the types of attacks have changed. Phishers and spammers are being more specific in their targets and their attack approaches have become much more sophisticated. Some have started to use legitimate database sources and even recognizable brand websites. In addition to popular social platforms, malware purveyors are also using real distribution lists to improve their success rates.

Spammers have discovered that small to midsized businesses or SMBs are easier to target because they don’t have the same resources as the big boys to counter threats coming from the Internet.

And while the growth of the Internet has become the preferred channel for attacks, the Internet has also become an enabling platform for the creation of cost-effective security solutions that cater to just about everyone. Managed security services (MSS) is a systematic approach to managing an organization’s security needs. Usually outsourced to a service provider that oversees other companies’ network and information system security needs.

Functions of a managed security service include round-the-clock monitoring and management of intrusion detection systems and firewalls, overseeing patch management and upgrades, performing security assessments and security audits, and responding to emergencies. There are products available from a number of vendors to help organize and guide the procedures involved. This diverts the burden of performing the chores manually, which can be considerable, away from administrators.

What makes MSSPs popular with SMBs, particularly in Asia, is the relatively cost-effective offerings available in the market. From simple web filtering of emails, to 24×7 protection of websites and e-commerce applications, MSSPs use economies of scale to offer the same level of protection previously only afforded by large enterprises. After all, can you afford to hire an information security professional and keep these experts reasonably up-to-date with the latest in infosecurity best practices? Probably not!

With global ecommerce estimated to have reach USD711 billion in sales in 2010 (eMarketer) and China’s growing affluent consumers projected to spend USD134 billion online by 2012 (IDC), businesses of all sizes are scrambling to ride on this opportunity. But like all new ‘blue ocean’, caution must be exercised and efforts protected to ensure that risks are mitigated in this journey towards a globally connected world.

Like all things outsourced, identifying the right MSSP presents both an opportunity and a challenge. Just as importantly, identifying the right technology that offers the right level of security will be critical towards ensuring that your investment goes a long way towards achieving your business objectives.

A central tenet all MSSPs often choose to keep secret is the ability to use automation to deliver uninterrupted service 24×7. Partnering with innovators like Parallels has allowed many hosting service providers like us to achieve the economies of scale our business demands while ensuring our customers remain secure in the knowledge that their systems are protected 24x7xforever.

In my coming blog, I will list out proven steps to identifying what to look for in your MSSP so you are able to protect your investments and achieve the best outcome for your money. I’ll also uncover some of the best kept technology secrets in the hosting business. Stay tuned.

b. Use sender score to make sure that sending reputation of your e-mail server is good.

c. Use DNSStuffs.com to make sure that your IP address for e-mail sending is not being blacklisted.

d. Send e-mails on tuesday, wednesday and thursday

e. Average open rates is usually 45% for paying customers

f. Average open rates are usually 15% to 20% for prospects

g. Remove e-mails that didnt open e-mails for a long time

b. Use sender score to make sure that sending reputation of your e-mail server is good.

c. Use DNSStuffs.com to make sure that your IP address for e-mail sending is not being blacklisted.

d. Send e-mails on tuesday, wednesday and thursday

e. Average open rates is usually 45% for paying customers

f. Average open rates are usually 15% to 20% for prospects

g. Remove e-mails that didnt open e-mails for a long time

Acceptance of credit cards for payment has grown exponentially at small businesses across the US. Small merchants of all sizes should be aware of the risk for theft and fraud, and take action to combat this by certifying with the industry standard for handling credit card data, called the Payment Card Industry Data Security Standard (PCI-DSS). The PCI DSS is required for all businesses accepting credit cards.

What is PCI DSS? The five major card networks (American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa Inc.) established the PCI DSS as a set of requirements for business of all types to use when configuring their IT and payment-processing environments. Understanding the requirements is the first step. Some businesses will need IT support to ensure all of the requirements are met prior to taking action to certify compliance. (For additional information, please visit www.pcisecuritystandards.org.) The 12 requirements are as follows:

• Install and maintain a firewall configuration to protect data

• Do not use vendor-supplied defaults for system passwords and other security parameters

• Protect stored data

• Encrypt transmission of cardholders data sensitive information across public networks

• Use and regularly update anti-virus software

• Develop and maintain secure systems and applications

• Restrict access to data by business need-to-know

• Assign a unique ID to each person with computer access

• Restrict physical access to cardholder data

• Track and monitor all access to network resources and cardholder data

• Regularly test security systems and processes

• Maintain a policy that addresses information security

Acceptance of credit cards for payment has grown exponentially at small businesses across the US. Small merchants of all sizes should be aware of the risk for theft and fraud, and take action to combat this by certifying with the industry standard for handling credit card data, called the Payment Card Industry Data Security Standard (PCI-DSS). The PCI DSS is required for all businesses accepting credit cards.

What is PCI DSS? The five major card networks (American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa Inc.) established the PCI DSS as a set of requirements for business of all types to use when configuring their IT and payment-processing environments. Understanding the requirements is the first step. Some businesses will need IT support to ensure all of the requirements are met prior to taking action to certify compliance. (For additional information, please visit www.pcisecuritystandards.org.) The 12 requirements are as follows:

• Install and maintain a firewall configuration to protect data

• Do not use vendor-supplied defaults for system passwords and other security parameters

• Protect stored data

• Encrypt transmission of cardholders data sensitive information across public networks

• Use and regularly update anti-virus software

• Develop and maintain secure systems and applications

• Restrict access to data by business need-to-know

• Assign a unique ID to each person with computer access

• Restrict physical access to cardholder data

• Track and monitor all access to network resources and cardholder data

• Regularly test security systems and processes

• Maintain a policy that addresses information security

There are two components required to validate or “prove” that a business has achieved PCI DSS compliance certification:

• Self-Assessment Questionnaire: All businesses are required to self-assess their IT and payment processing environment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Please see the PCI Security Standards site for examples of the four questionnaires, www.pcisecuiritystandards.org

• Vulnerability Scanning: Depending on how you process payments and the Internet connection, network vulnerability scanning may also be required. (This step requires an Approved Scanning Vendor (ASV). The list of ASVs can be found at (https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml)

The questionnaire and the scanning will help identify if any weaknesses or vulnerabilities exist in the network. These issues must be fixed before PCI DSS certification can be achieved.

Certification with PCI DSS is achieved with both a compliant, passing questionnaire and if necessary for your business, a compliant, passing vulnerability scan. There are many tools available in the marketplace to help small merchants achieve these steps easily. Your business may have been automatically enrolled in PCI DSS Compliance programs by your bank, processor or acquirer. If you are unsure if you are PCI DSS compliant or enrolled in a program, please call your payment processing provider.

ReadySpace partner with Trustwave who is both an ASV and a Qualified Security Assessor (QSA) for the card brands.

There are two components required to validate or “prove” that a business has achieved PCI DSS compliance certification:

• Self-Assessment Questionnaire: All businesses are required to self-assess their IT and payment processing environment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Please see the PCI Security Standards site for examples of the four questionnaires, www.pcisecuiritystandards.org

• Vulnerability Scanning: Depending on how you process payments and the Internet connection, network vulnerability scanning may also be required. (This step requires an Approved Scanning Vendor (ASV). The list of ASVs can be found at (https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml)

The questionnaire and the scanning will help identify if any weaknesses or vulnerabilities exist in the network. These issues must be fixed before PCI DSS certification can be achieved.

Certification with PCI DSS is achieved with both a compliant, passing questionnaire and if necessary for your business, a compliant, passing vulnerability scan. There are many tools available in the marketplace to help small merchants achieve these steps easily. Your business may have been automatically enrolled in PCI DSS Compliance programs by your bank, processor or acquirer. If you are unsure if you are PCI DSS compliant or enrolled in a program, please call your payment processing provider.

ReadySpace partner with Trustwave who is both an ASV and a Qualified Security Assessor (QSA) for the card brands.