Small Business Computer Security
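Reports the results of a survey of small business computer use and security measures, noting that a small business can fail quickly after losing its data, while existing research has mostly focused on large systems and paid too little attention to small businesses.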
SMALL BUSINESS COMPUTER SECURITY

Due to a number of events widely reported in the press, public awareness of the importance of computer security has increased.[1] Most computer security studies, however, have focused on issues related to large, multi-user systems rather than on small business systems.[2] The topic is important to the small business operator because a small business which loses its records could quickly fail.[3] This concern has resulted in U.S. Congressional action requiring the Small Business Administration to provide training to small businesses related to computer security issues and computer crime prevention measures, despite the fact that some argue that inadequate accounting systems pose a greater threat to small businesses.[4]

Computerization should not be permitted to introduce errors into small business management and record keeping systems. The proper time to begin worrying about security is during planning.[5] Whenever computers are used to manage sensitive data, it is appropriate to worry about computer security regardless of the state of the accounting system. The purpose of this article is to report the results of a survey of small business computer use and the measures taken to secure small business computer systems.

[1] "Beware, Hackers at Play," Newsweek (Sept. 5, 1983), pp. 42-48; and "Security, What Can Be Done," Business Week (Sept. 26, 1983), pp. 126-130.
[2] D. E. Denning and P. S. Denning, "Data Security," Computing Surveys (September, 1979), and Donn Parker, Computing Security Management (Reston, Virginia: Reston Publishing, 1981).
[3] Hearing before the Subcommittee on Antitrust and Restraint of Trade Activities Affecting Business, regarding "Small Business Computer Crime Prevention Act," H.R. 3075, 1984, p. 4.
[4] Public Law 98-132, "Small Business Computer Security and Education Act of 1984," 98 STAT. 431. See also "SBA Given Task of Educating Firms on Computer Security," The Wall Street Journal (June 4, 1984), p. 23.
[5] James Martin, Security, Accuracy, and Privacy in Computer Systems (New York: Prentice Hall, 1973), p. 4.

BACKGROUND

Computer security problems may be classified according to their origin and nature, as illustrated in figure 1. Threats to security can result from human, environmental, or systems factors. The nature of the damage includes loss of computer availability, loss of data integrity, and loss of privacy. For the purpose of this survey, four categories of controls were identified: physical security, management controls, system safeguards, and recovery measures.

Computers need to be protected from a variety of physical threats such as fire, power surges, and spilled coffee. Adequate premises security is the first ingredient in providing physical security (e.g., locks, smoke alarms, etc.). Additional precautions may be taken to protect the computer itself. Most important among these is isolation of the machine in a safe room. A variety of ancillary devices, such as power surge filters, waterproof covers, and lockable anti-theft "tie-downs" may also be useful.

Management controls include rules and procedures governing computer use. Unless the owner is the only user, lack of explicit rules governing the use and protection of the computer (or failure to monitor those rules) indicates lack of management control over the system.

The safeguards used to protect large systems are frequently inappropriate for small systems. For example, password protection is of limited value in protecting a microcomputer database, as even moderately sophisticated users can easily defeat some available methods.

Use of the correct software is the most essential aspect of any computer system. Even commercial software houses which employ expert programmers do not guarantee their products;[6] thus, the quality of any software written by inexperienced programmers is suspect. …