Security newbies
Written by Phil Davies   
Wednesday, 15 November 2000 00:00
Small businesses have yet to come to terms with the dark side of e-business.

Love Bug II, enticing e-mail recipients in every corner of the enterprise; denial of service (DoS) attacks that leave your Web servers paralyzed and quivering; evil-genius hackers scaling your firewalls and making off with the crown jewels. Such assaults are the stuff of nightmares for today's webmaster or system administrator, trying to do e-business in an insecure world.

What's even scarier--to customers, shareholders and defense lawyers--is that many Net businesses are babes in the woods when it comes to security. Small- to mid-sized firms, which can't afford large, highly trained IT staffs, are particularly vulnerable to malicious exploits. Case in point: October's cyber burglary at Microsoft, a company with more than enough resources to handle security, which (despite its own claims) didn't even know about the hacker for days. Or the theft earlier this month of hundreds of credit card numbers from the Web site of a U.S.-Israeli lobbying group--another heavy hitter hit hard by hackers. Businesses haven't come to terms with the dark side of e-business--the danger inherent in opening up once insular networks to any Tom, Dick and Mary with Internet access.

"You don't know whether the person who comes to your door today is there to buy things or break something," says Donald L. Pipkin, an Internet security expert with Hewlett-Packard who has written several books, including "Information Security: Protecting the Global Enterprise" and "Halting the Hacker: A Practical Guide to Computer Security."

The ubiquity of the Web means that more bad guys than ever before are scheming to steal information from you, or embarrass you. "The hacker is a very small percentage of the people out there, but as the number of people (on the Net) grows exponentially, that small percentage gets bigger and bigger," Pipkin observes. Also, thanks to Moore's Law and an explosion of bandwidth through DSL and cable modems, bad guys have more potent weapons at their disposal with which to search for unwitting targets--often smaller companies that have failed to shield themselves against known vulnerabilities.

Then there's the unseemly haste with which Web applications are rushed through development in an effort to hit a fleeting market window. Often these applications--everything from instant messaging to budget sales force automation--are released onto the Web without rigorous security testing, riddled with holes. Harried system administrators rarely take the time to go back and download patches for those holes. "Internet speed is really killing security," Pipkin says.

A survey this year by Cutter Consortium of Arlington, Mass. found a shockingly low level of security expertise among 134 global companies--large enterprises that supposedly have the know-how and resources to do better. Thirty-one percent didn't protect their e-business site with firewalls; 61 percent didn't use certificates, which are electronic keys that identify legitimate site visitors; and 68 percent admitted average- to below-average skill with data encryption. What does that say about the security readiness of small companies, the kind where the CIO is Web strategist, security wonk, and code grunt all rolled into one?

Pipkin and other security experts say that companies put too much faith in firewalls as a first line of defense against data thefts and malicious code. Because of the imperatives of e-business--the need to share information with customers, vendors, and business partners--firewalls become a veritable data sieve. Configuring firewalls to admit only authorized users takes skill and constant vigilance; all it takes is one misconfigured router to open a chink in the armor. And firewalls only protect the bottom half of the networking stack, leaving the top half--Web servers, operating systems, and Web applications--at the mercy of the unscrupulous.

Any e-business, whether it's an e-tailer, B2B vendor or participant in Net exchanges, needs to take a comprehensive approach to security that safeguards every entryway into the Web enterprise. Besides installing and properly configuring top-notch firewalls, covering your assets entails:

- "Hardening" your Web server OS so that hackers can't gain a foothold. Windows NT's vulnerabilities are well-documented, and even Linux has proven itself vulnerable to attacks based on format-string glitches. Configuring the server to close all known attack points (and not settling for default settings, which can be buggy) is a crucial step in the process of creating what Pipkin calls a "bastion host."

- Deploying e-commerce applications from reputable companies and doing the Web and phone legwork necessary to keep abreast of updates, security alerts and bug fixes. Warns Pipkin: "As soon as a vulnerability becomes known, everybody in the world has the capability to use it."

- Stopping viruses cold with scanning software. It's important to protect every desktop and notebook in the organization as well as Web and e-mail servers. A new weapon in the defensive armory is behavioral anti-virus tools that claim to "sandbag" virus-laden e-mail the instant it arrives from the Internet, preventing infection of network resources.

- Restricting physical access to servers, desktop PCs and laptops. Stealing passwords, dumpster diving and laptop snatching (see Security in the Real World) remain popular activities for hackers in the Internet age.

- Encrypting sensitive internal or customer information. While secure socket layer (SSL) encryption is probably adequate for B2C e-commerce, stronger encryption strains such as Triple DES or public keys are required to protect B2B transactions and the databases where hush-hush records and messages are stored. The gold standard of encryption is Public Key Infrastructure, a technology involving the exchange of coded certificates that has proven costly and time-consuming to implement.

This level of attention to security doesn't come cheap. A small, growing company may find it difficult to justify the cost of implementing the latest technologies and hiring top-notch people who can probe for and rectify security weaknesses. But the alternative--system downtime, loss of proprietary information, lawsuits and adverse publicity because of privacy breaches--is worse. Ensuring rock-solid security is the cost of doing business in the era of the hacker.

One option for small- to mid-sized companies is letting somebody else (see Who ya gonna call?) lie awake at night worrying about worms and script kiddies. Managed firewall services (see Rent-a-Firewall), remote hosting in Internet data centers, and issuing PKI certificates through companies such as VeriSign and Baltimore Technologies are examples of security outsourcing. Contracts often provide for compensation and legal remedies in the event of security breaches. Another antidote to security anxiety is the type of insurance policy offered by San Jose-based Counterpane Internet Security and Lloyd's of London, covering firms whose information stores or operations are damaged by security failures.

It's all about managing risk, something that CEOs take for granted in other aspects of their operations. You can't eliminate the possibility that your e-enterprise will be hacked, just as you can't eliminate the chance that your building will burn down or be swept away in a hurricane. But with forethought and a well-balanced security strategy, you can make yourself a less inviting target, and minimize the fallout when--as inevitably it must as Net technology becomes ever-more powerful and pervasive--your number comes up.

Phil Davies is senior editor of ComputerUser.com.
