Today, the same phrase can be applied just as well to companies that
depend on networks to run their businesses, including using the Internet
to increase revenues, improve efficiency, and lower operating costs.
There's no question that companies can use the Internet to enormous
advantage. But at the same time, putting a business online involves
risks. The Internet is a public electronic highway, and companies that
travel this route are more exposed than those who stay confined to a
closed, private road.
Small and medium-sized companies may feel less vulnerable to
security-related problems because they think that only large
institutions — such as government agencies and Fortune 500 companies
— would be targets of hackers. After all, who would take the time to
launch a denial-of-service attack against a small law firm or an auto
parts dealer?
The truth is, however, that companies of all sizes are at risk from
indiscriminate, self-propagating viruses and disgruntled employees. In
fact, small and medium-sized organizations may be more vulnerable
because most don't have the luxury of employing dedicated security
staffers or even network operations pros to help secure their networks.
You may be vulnerable
In general, a company is vulnerable to security breaches if it has
any of the following characteristics:
- The need to offer partners, customers and employees different
levels of entitlement and/or access to information via the Internet.
- Employees who telework (or telecommute) or connect to the network
while traveling.
- A firewall as its only network safeguard.
- Security products (e.g., firewall, intrusion detection) purchased
from multiple vendors.
It's more than an inconvenience
Security threats are more than just a distraction. An attack directed
at financial or personal records or mission-critical applications is
potentially devastating.
But even indiscriminate attacks can result in the loss of valuable
data, high costs to repair damage and close security holes, negative
publicity, legal liability, and the loss of hours or even days of
productivity.
In addition, the specter of security vulnerabilities can be damaging
to a company's reputation. When virus attacks against major corporations
are featured on the nightly news, smaller companies may find themselves
needing to reassure customers, business partners and even employees that
their information and transactions are safe.
Companies must institute policies and safeguards that not only are
effective but are also perceived as effective.
The threat can vary
Keeping business information and network resources safe is a much
broader challenge than simply locking out viruses. According to the FBI,
70% of information-related crime is committed by internal sources. Angry
employees might infect corporate networks with viruses or delete crucial
files.
Employees don't even have to be disgruntled to do harm to corporate
networks. Very often they simply don't follow common-sense security
policies, such as choosing hard-to-guess passwords and changing them
frequently. They may violate privacy by attempting to snoop around for
salary information, end-of-quarter financials or other sensitive data.
When security measures are not in place, even an innocent mistake, such
as unintentionally downloading harmful files from the Internet, can
bring down a network.
External threats come in many different forms, ranging from jokester
hackers to "crackers" with malicious intent. The most common
tools of attack for hackers and crackers are viruses, Trojan horse
programs, data interception, spam, and various forms of
denial-of-service attacks.
A layered approach is best
A successful security solution requires integrated safeguards through
the entire network infrastructure — not just one or two specialized
security devices.
Given the many types of security threats, companies put themselves at
great risk by implementing a point product, such as a firewall, and
declaring the network safe. But putting in a firewall alone is a little
like locking the door to a house and leaving all of the windows open.
Most companies deploy firewalls at the perimeter of the network to guard
against external threats, not to protect against internal attacks or
accidental damage by employees (except, perhaps, for employees
connecting to the network from remote locations).
A firewall alone may not even be sufficient to protect against
external threats. For example, the "Nimda" worm bypassed
firewalls and caused billions of dollars in damage. This damage might
have been prevented by the integrated use of a firewall and an intrusion
detection system. In fact, sometimes companies are not even aware that
their security has been breached because they have not incorporated the
right monitoring and analysis tools as part of their overall security
solution.
With a multilayered approach, even if an intruder is able to bypass
one access point, overlapping layers of security ensure that the
break-in will be stopped by another mechanism. Similarly, overlapping
security can prevent either accidental or intentional harm to
information resources or the network by employees.
A modular approach means that customers can implement security
measures that meet their unique exposure and budget requirements, while
at the same time maintaining the flexibility and scalability to layer in
other security mechanisms as company needs grow and change.
More manageable
Security is a dynamic, ever-changing requirement. As a company's
business needs change, its vulnerabilities may change as well. And new
security threats come along on a frequent basis. It is extremely
important, especially for small and medium-sized organizations, to
implement a security system that is easy to manage day-to-day.
Two significant security problems are:
- Using point products only
- Failing to put virtual private networks (VPNs) and wireless
local-area networks (LANs) under a security blanket
When companies buy only point products from different vendors,
security becomes difficult to manage. Each mechanism has to be
programmed to distribute and enforce policies, and then synchronized
with every other security appliance in the network. If all of the
products don't act in concert, there likely will be gaps and therefore
greater exposure to malicious mischief.
Another problem is that most point product security vendors do not
include VPNs or wireless LANs under their management umbrellas. That
means that these portions of the network will have to be managed
separately. For these reasons, multi-vendor security solutions tend to
be less manageable and more difficult to scale than a more complete,
integrated and modular solution.
Supporting wireless and IP telephony
When point security devices such as firewalls were first developed,
they were created with conventional Ethernet LANs in mind. But over the
last few years, more and more small and medium-sized organizations have
started taking advantage of wireless and combined voice/data networking.
While some people still distrust the Internet, and would never submit
their credit-card information even to a secured Web site, their numbers
are shrinking. Network security has come a long way in a relatively
short period of time, enabling the explosive growth of the Internet as
an essential vehicle for commerce and business communications.
For more information on networking systems, please visit Cisco
Systems' Web site.