Hiring us may save you headaches
A trial-and-error approach to network security is
one that most companies will find they simply
can't afford.
The threats, both internal and external, are
too numerous and varied and the consequences too
potentially damaging in cost, confidence and
productivity.
There's a Catch-22, though, for smaller
companies with limited resources: While they
cannot afford to ignore security issues, they
can't afford to be distracted by them either.
That's where expert advice comes in.
Companies rely on the accuracy of their
accounting procedures and the stability of their
banks to protect their assets. So, too, a small
business should be able to work with a competent
network adviser to address data security, so that
the company can focus on its business.
Should your company work with a network
security expert and, if so, what kind of services
can you expect? Here are three tips.
1. Grow your business but shrink your risk.
Small organizations often call upon consultants
when they are launching e-business initiatives
that put sensitive information or mission-critical
business applications "on the line,"
literally over the Internet and at risk.
But an e-business initiative is not the only
reason to consult a security expert. A small
business should seek out expert advice if the
company has:
- The need to offer partners, customers and
employees access to network-based resources
and/or access to information via virtual
private networks, extranets, dialup
connections or other external connections.
- Broadband or wireless connections.
- An internally hosted Web site or any Web
site that handles sensitive e-business
transactions.
- Employees who telework (telecommute) or
connect to the network while traveling.
- A firewall as the company's only network
safeguard, or any security device that is not
receiving regular, proactive maintenance or
review.
- Security products (for example, firewall,
intrusion detection) from multiple vendors.
2. Make an assessment before taking action.
Carpenters have a saying, "measure twice
and cut once." When it comes to security, it
is important to do an assessment before jumping to
implement a solution.
If you implement a solution that is too much
for your needs, you may not notice it except in
your pocketbook or perhaps some network
performance overhead. But if the security falls
short of effectiveness, you may not know it until
after some hefty damage has been done.
A security assessment should give you an
accurate "snapshot" (at a given point in
time) of your network's vulnerabilities. This
should include an analysis of the network from the
perspective of an outside hacker and an analysis
from the perspective of a disgruntled employee.
The assessment should test the effectiveness of
current safeguards and determine your ability to
detect and respond to attacks.
3. Consider a managed service.
If the Internet presents companies with some of
their biggest security problems, it is also the
Internet that provides one of the best remedies:
managed services. The concept of a managed service
is to outsource responsibility for the security
infrastructure (or individual components, such as
virtual private networks) to an Internet service
provider (ISP). For most small companies without
dedicated Internet-technology staff, this is the
ideal way to get state-of-the-art security and
accountability without investing in either staff
or equipment.
For smaller companies, however, the challenge
may be selecting an ISP that is both trustworthy
and qualified. Some of the things to look for
include:
- A security offering built with equipment
from a recognized security/networking vendor.
- Multi-layered security (not just firewall
protection).
- Personnel qualifications and experience,
including internal training and development
programs.
- Approved methodologies and tools.
- Industry-recognized staff certification.
- Approved facilities.
- Industry-standard solutions.
Note: Don't panic if you don't know what an
industry-standard solution or approved facility
looks like. We can help evaluate these for you.