Introduction
Every day, more and more businesses are moving their operations online. But even though entrepreneurs
are rapidly embracing the Internet for commerce and communication, a valid concern is still
at the forefront for most Internet users: security.
As it stands alone, the Internet is not a secure way to send information from point A to point
B because its network is completely open to the public.
And Internet misuse and abuse abound. Creative hackers can send viruses via email, intercept
and view data moving through the wires, and infiltrate private networks to steal highly sensitive
company data.
So what's a business to do when protection is so crucial? We've designed this buyer's guide
to outline your options - both hardware and software - in the framework of five major areas
of Security Software: Firewalls, Virtual Private Networks, Secure Web Servers, Email Security,
and Consulting Services.
Firewalls
Unfortunately, as critical as the Internet has become to doing business, it's a wide-open
gateway into your computer systems. Any weak spot in your software systems leaves you vulnerable.
Without a firewall, you may as well be displaying a welcome mat, inviting hackers in to wreak
whatever havoc they might.
For example, if you're an e-commerce business, a hacker might try to access your customers'
credit card numbers or email addresses.
And though it's hard to imagine why, some bored computer experts infiltrate systems not for
personal gain, but for the simple joy of being where they shouldn't be.
Plus, don't overlook unethical insiders. Disgruntled employees aren't always above using private
company data for unsavory purposes.
What is a firewall?
A firewall prevents unauthorized access to your private network. Essentially, it screens all
information coming into or going out of your private network to make sure it meets security
criteria that you have defined in advance.
Not only can a firewall help prevent outsiders from accessing your data, it can also guard
against unauthorized access within your own company walls.
How does a firewall work?
There are two kinds of firewalls: software-based and hardware-based. Software-based firewalls
consist of software that typically runs on a standard server (a high-end computer dedicated
to performing one particular task). Also available are hardware Internet devices that help
connect your computers to a LAN (local area network) while
also providing Internet security functions like firewalls.
Both methods allow you to determine what types of information can both enter and exit your
network. And firewalls aren't just roadblocks; they are also security guards, and can alert
you when potentially destructive data is trying to enter your network, so you can better attempt
to pinpoint a culprit and motive.
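As an added illustration that is not part of the original guide, here is a small packet filter in Python showing how screening by administrator-defined criteria and alerting fit together: ordered allow/deny rules for the services the guide lists, a default deny for anything unmatched, and an alert record for every blocked inbound attempt. The packet headers and addresses are constructed sample data.

```python
from collections import namedtuple

# Constructed summary of one packet header: the fields a simple filter inspects.
Packet = namedtuple("Packet", "direction proto src_ip dst_ip dst_port")

# The policy is an ordered rule list: first match wins, and anything that
# matches nothing is dropped (default deny). Ports are the services the guide lists.
RULES = [
    # (direction, protocol, destination port, action, note)
    ("out", "tcp", 25,  "allow", "send email (SMTP)"),
    ("in",  "tcp", 25,  "allow", "receive email at the mail server"),
    ("out", "tcp", 80,  "allow", "browse the Web"),
    ("out", "tcp", 443, "allow", "browse secure sites"),
    ("out", "tcp", 21,  "allow", "FTP file transfer"),
    ("in",  "tcp", 23,  "deny",  "telnet from outside is never accepted"),
]

def evaluate(packet, rules=RULES):
    """Return (action, note) for one packet under the policy."""
    for direction, proto, port, action, note in rules:
        if (direction, proto, port) == (packet.direction, packet.proto, packet.dst_port):
            return action, note
    return "deny", "no rule matched (default deny)"

def filter_traffic(packets, rules=RULES):
    """Apply the policy: return the packets let through and the alerts to review."""
    passed, alerts = [], []
    for pkt in packets:
        action, note = evaluate(pkt, rules)
        if action == "allow":
            passed.append(pkt)
        elif pkt.direction == "in":
            # A blocked inbound attempt is the "security guard" event: record
            # source and target so culprit and motive can be looked into later.
            alerts.append(f"blocked {pkt.proto}/{pkt.dst_port} from {pkt.src_ip} "
                          f"to {pkt.dst_ip}: {note}")
    return passed, alerts

# Constructed sample traffic (10.0.0.x is the office LAN, 192.0.2.x the Internet).
SAMPLE = [
    Packet("out", "tcp", "10.0.0.5",   "192.0.2.10", 80),
    Packet("in",  "tcp", "192.0.2.44", "10.0.0.2",   25),
    Packet("in",  "tcp", "192.0.2.44", "10.0.0.5",   23),
    Packet("in",  "tcp", "192.0.2.99", "10.0.0.5",   3389),
]

if __name__ == "__main__":
    through, alarms = filter_traffic(SAMPLE)
    print(f"{len(through)} packets allowed, {len(alarms)} alerts")
    for line in alarms:
        print(line)
```

Outbound traffic that matches no rule is silently dropped here; a real product would log that too, since an unexpected outbound connection is often the first sign of a compromised machine inside.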
Who needs a firewall?
You should set up firewalls if your business uses an Internet connection to do any of the
following: send and receive email, FTP (to transfer files), telnet, browse the Web, participate
in news groups, access computers remotely, video conference, use Internet telephony, and instant
message.
How do I get a firewall?
For businesses of fewer than 10 employees that aren't dealing with highly sensitive data, straight-out-of-the-box
software solutions ($40 to $100) are your easiest and most affordable option. They can be installed
right onto your desktop computers.
For more than 10 employees, or to protect a more sensitive operation, you'll want an enterprise
level software solution. This will require using a server -- a high-end computer dedicated
to performing one particular task. Annual costs for a commercial-grade firewall can easily
run from $5000 to $30,000 and then some, including set-up fees, maintenance charges and ongoing
software updates. And for this level of security, you'll want the aid of a full-time IT manager
to maintain proper performance.
If you're in the process of setting up a network in your home or office, consider a hardware
Internet device that helps connect your computers to a local
area network (LAN) while also providing Internet security functions like firewalls. These
types of device are great solutions for small businesses supporting up to 100 employees. Prices
for these devices range from as low as $150 to as high as $700 depending on the number of users
it supports and its features.
Here's something to keep in mind as you explore your firewall options. Though most solutions
will be more than adequate for the needs of your average business, no security solution is
foolproof. If you're running a particularly sensitive operation, a security consultant or one
of your own IT staff may advise you to double your efforts by incorporating both a hardware
and software solution.
Virtual Private Networks
There was a time when accessing your company's data network from a remote location, or having
two or more offices connected to the same private network, was reserved only for companies
with deep pockets who could afford to lease private lines from the phone company.
So many businesses of all sizes are now relying on the use of Internet-based Virtual Private
Networks, also known as VPNs.
What is a VPN?
A VPN is a software solution that, theoretically, allows your company to send and receive
data securely over the Internet. Because the Internet reaches nearly all corners of the globe,
an Internet-based VPN provides great coverage.
How do VPNs work?
Through a combination of hardware and software, the data is first encrypted before it is sent
out over the Internet, and then decrypted when it reaches its final destination.
Who needs a VPN?
Even small companies often have offices in multiple locations. In such cases, having all your
offices able to securely access a central data network is ideal, particularly for transfer
of sensitive data.
A VPN is also ideal for traveling employees who can use their laptops and hotel phone connection
to access their company's network, or for full-time employees that may work at home at night.
How do I get a VPN?
You can set up a VPN by purchasing a VPN software package from a software vendor that specializes
in Internet security. A bonus is that VPN software packages often include firewall software
for added protection.
You'll also need to purchase a server ($3000-5000) to run your VPN software, and possibly
some networking cards ($70-100). Software prices vary a great deal depending on your service
level needs, but you can expect an average of $500 for your server software, and around $70
for each client (i.e., desktop PC or notebook computer) you add to your network.
Your software vendor should also provide, or at least refer you to, a consultant that can
help you understand the hardware requirements for running a VPN. If you're going to set up
your own VPN, though, it's best if you have at least one full time IT person on staff. Like
any network, a VPN will require regular attention from an IT expert.
An alternative, albeit more expensive, way to set up a VPN is to outsource the operations
to a telecommunications service provider. A VPN service provider is paid to take care of the
details so you don't have to - they will implement the VPN and provide around-the-clock management
and monitoring from an off-site network center.
Prices will vary by your company size but a typical software package generally starts at around
$3500, and the annual service subscription fees start at around $800.
Secure Web Servers
Sometimes criminally-minded entrepreneurs masquerade as legitimate Web businesses, intercepting
e-commerce transactions intended for the legitimate business. Any good customer - particularly
online customers - is very skeptical. When it comes to the Net, they are often fearful. In
order to process transactions or collect personal information, your customers must have confidence
that the data they send will be protected, whether it's credit card numbers, mailing addresses,
or email addresses.
Secure Web servers provide this protection using a security protocol known as Secure Sockets
Layer (SSL). Web servers can encrypt data and authenticate both the server and the client (in
this case, the customer) for a secure TCP/IP connection (the protocol used to transmit data
on the Internet).
You can make your Web server secure - and guarantee this security to customers -- by using
digital certificates.
How do secure Web servers work?
When a customer needs to send information to your site, an identification process called a "handshake" initiates
a secure session. The great thing about the "handshake" process is that your customer doesn't
need to do a thing. The whole procedure is handled by the customer's browser and your secure
web server.
A "handshake" works like this:
The client (or customer) sends a request (in the form of https://servername.domain.com) via
his Web browser to connect to the secure server. The server sends its certificate to the client's
browser (typically Netscape or Microsoft's Internet Explorer).
The browser then examines the server certificate to see if a trusted party issued it. The
browser compares the information in the certificate with the server's domain name and public
key (a unique code). If they match, the server is accepted as authentic.
How do I get a digital certificate?
In order to obtain a digital certificate, you have to purchase it from a Certificate Authority
(CA). In addition to that, you need an actual Web server, a high-end computer dedicated to
performing your task.
Think of a Certificate Authority as a passport office. Like a passport agent, a CA must
take steps to establish the identity of the people or organizations before issuing an ID -
in this case, a digital certificate.
What does it cost?
Digital certificate costs can vary significantly depending on encryption level. For a higher
certificate price, the CA may offer to help train you on setting up the certificate process,
as well as offer an insurance policy. Whether you need an insurance policy or not depends on
how critical you think preventing a security breach would be to the survival of your business.
Coverage generally ranges from $25K to $250K.
Annual fees for the standard 40-bit SSL encryption generally cost around $300-$600 per certificate.
Annual fees for 128-bit SSL encryption, mainly recommended for financial and banking institutions,
are typically $900-$1300. Each additional certificate, as well as renewal fees for each certificate,
is typically around the same price, though some Certificate Authorities might give a price
break on additional purchases and renewals.
You'll also need to consider the cost of a good server, which will probably run you around
$3000 to $5000.
Email Security
How private is the content of your emails? Probably pretty private. Odds are, the only person
you want reading that email is the person to whom it is addressed.
When you send email through the Internet, you're using a public communications network - anyone
with a computer connection can screen or intercept any data passing through the Internet's
communication lines. The fact is, though it may feel as if sending email through the Internet
is private, it's not.
Plus, once you delete your email from your in-box, that isn't the end of its life. Your Internet
Service Provider (ISP) probably keeps a copy of your mail on its server for an extended period
of time. Copies of email that you send from a networked computer are also probably kept on
a server for a certain amount of time. And any computers that the email passes through on its
way to the recipient can retain a copy of that email.
If your Internet connection is not behind a firewall, or
if you don't have a secure Internet connection with a VPN,
you can use Public Key Encryption technology so that no one but you and the addressee can access
the contents of a particular email.
Who needs to encrypt email?
Public-key encryption is for situations where you might want to send some highly confidential
plans or ideas to another party via email. Or does your business have some particularly aggressive
competition? If so, it might not be a bad idea to take some extra precautions when sending
email that contains some sensitive information for your business.
How does encryption work?
You can encrypt email messages with a unique code referred to as a "key." When encrypting
email using public key cryptography, an individual or organization has two complementary keys
-- one called a public key, and one called a private key. Any information encrypted using the
private key can only be decrypted using the public key. Conversely, any information encrypted
using the public key can only be decrypted using the private key.
To an outside party, the text of an encrypted email looks like scrambled letters, numbers,
and symbols. Then, once the recipient receives the mail, it is decrypted so it can be read.
How do I get encryption technology?
For individual, non-commercial use, there's a popular freeware, public-key encryption package
for Windows called Pretty Good Privacy (PGP). [http://www.pgpi.org]
If you're seeking an email security solution for your entire business, though, you should
consider purchasing a software package from a vendor that can help you easily and tightly
integrate the software with your current email system.
You can set controls on when your employees can encrypt messages and when they cannot, and
enterprise software also provides a better, faster solution for encrypting large amounts of
data. The cost for enterprise solution encryption software is typically $50-70 per user.
Consulting Services
Implementing Internet security measures can be a very daunting task for a non-technical person.
Most Internet security solutions are complex to set up and require regular attention, maintenance,
and upgrades.
Unfortunately, not all businesses can afford a full-time onsite Information Technology (IT)
specialist. There are, however, IT consultants you can hire on a part-time basis to help you
choose what type of Internet security measures match your business needs, who can walk you
through the set-up and outline a maintenance plan. You can also agree to have the consultant
come in every few weeks or months to make sure that things are still in perfect working order.
You can also hire an IT consultant even if you already have a full-time IT staff. IT consultants
can often provide expertise in areas that may be unfamiliar to your own IT team. This is particularly
useful when you have a specific IT project to implement.
Any consultant you hire should have an immediate rapport with your own IT staff. This is important
because the consultant and your team will work together to come up with solutions that will
work best for your company and to establish an ongoing maintenance plan.
How do I hire a consultant?
If you've never used consultants before, you can ask an IT consulting agency for a referral.
Give the agency as much detail as possible on the type of project you have in mind so you can
get the best match.
Or, if you're a small firm, you may have some partnerships or client/customer relationships
with larger, higher-profile companies that use a lot of IT consultants. Get in touch with the
head of their IT department and ask for a referral -- at best, names of specific individuals.
Getting names is useful since there is a lot of turnover in the IT consulting industry, and
it may in fact have been a particular person that made a consulting job so successful, not
necessarily the firm itself.
Cost
Some consultants will prefer to bill by the hour while others will set flat fees for specific
projects with concrete start and finish dates. Ideally, you should find a firm that really
wants your business and is willing to customize a price plan based on both your budget and
the project's scope.
The price of IT consulting can be exorbitant. You can expect to pay upwards of $80 an hour
for consulting services. If you are a start-up, especially an Internet one, and are seeking
funding, it's best to factor the cost of IT consultants into your financial needs.
Whether you opt to pay by the hour or a flat fee, to help ensure you are only paying for exactly
what you want, it's absolutely necessary to have your goals and expectations fully outlined
for your IT consultants.