Just find a hosting company with good security ...

For most small and midsize organizations, use the following formula to find a Web host provider: Price (where low is good and high is bad) divided by services (where more is better) equals "our decision." There are some nonintuitive factors that must now be brought into play to get the best hosting provider for your organization. But first, let me set the stage for this discussion with a real-life example.

I'm on an e-mail thread started by Diane Steinhauser, the executive director of the TAM (Transportation Authority of Marin). This thread, along with several long phone calls that I've had with Diane, reveals that business leaders must also consider hosting security as part of the selection criteria. The problem is that there isn't an independent rating system or licensing body for Web host providers. Thus, picking a "good" hoster now also means asking a lot of questions about reputation and security services that are likely far beyond the scope of most businesspeople.

Very small organizations need to be on the Web to conduct business. In the case of TAM it's desirable to put meeting announcements, spending decisions, board of director information and job postings online to make sure the TAM constituency knows what's going on with their public funds. This worked fine until TAM's site got hacked to serve up porn and drugs, which I've covered previously on this blog.

So Diane Steinhauser and I have had an ongoing conversation about how to find a reliable, secure Web hosting provider (and e-mail provider; they need that too). We discussed the following things:

1. There is no formal rating service or licensing body that oversees hosting providers. At this point we are still in the "wild west" of Internet hosting, where just about anyone who can incorporate a business can be a Web hoster.

2. This means that reputation is about the only way to find a reliable hoster.

3. And this further means that setting up a Web presence now involves the nonintuitive step of looking beyond price (usually most important for small business) and features to ask in-depth security questions that go beyond the immediate grasp of most organizations that want to put up a simple Web site.

Alex Eckelberry, of Sunbelt Software, a rather vociferous critic of TAM, offered a few suggestions on how a small-business person, such as Diane Steinhauser, might find a reliable Web hoster. In an e-mail sent to Diane and the press, Eckelberry offered these suggestions on what to consider in a Web hoster:

1. What are their security policies and procedures?

2. Have they ever had a security breach? These might include DNS hacks at the facility or hacks from unpatched software.

3. What software platforms do they offer? A Linux-based hosting system is fine, as long as there are good security policies in place and they routinely keep the servers updated with the latest software.

4. Do they conduct internal security audits?

5. Do they have an in-house security team that is accessible 24/7? What are their response times for security issues?

Eckelberry said that this is not an exhaustive list.

These questions are certainly the right ones to ask. The problem is that Diane and her predecessors DID ask questions similar to these. An analogy is going to an automobile show floor and saying, "Before I buy this car, I want to know a few things about the dealership service department. Is it well-stocked? Does it employ mechanics who specialize in my make and model? Will the mechanics and parts be readily available over the life of my car?" Any self-respecting car salesperson will enthusiastically say "yes" to all these questions. Depending on a Web host operator to self-report serious security problems leaves organizations like TAM out in the cold.

Seems like a licensing agency is the right thing to help ensure that businesses can more easily choose to do the right thing and host their Web site with an entity that won't let them get hacked without a fight.