There are new, and growing, online security threats to your business. MIKE PRESTON runs through how to avoid them.
By Mike Preston
It is possible to buy a person’s credit card details online for less than $1 if you know where to look. Want somebody’s bank account details? It’ll cost you just $30.
The bargain basement price of personal financial information is a sign of how common online data breaches have become. Every day, new ways to attack your business are being devised. You need to know your vulnerabilities, and you need to protect yourself.
A recent survey of Australian small and medium sized business owners by online security software company Symantec found that 46% of businesses have been hit by an internet security threat such as a virus or phishing scam.
And the cost to business of internet security breaches is going up: according to the 2006 AusCERT computer crime and security survey, the average business suffered an annual loss of $241,500 due to electronic attack, computer crime or unauthorised computer access, up 63% from 2005.
In concrete terms, a breach of internet security could put all your customer records in the hands of your main competitor, see your company credit card used to purchase luxury goods in eastern Europe, or see the details of your next big product launch auctioned online to the highest bidder.
Or perhaps something less financially damaging, but no less embarrassing – say the hijacking of your company website to advertise the political cause du jour of some teenage hacker.
The scariest thing, however, is that in many cases businesses have no way of knowing they are a victim until afterwards.
Flower and gift business Roses Only is a classic example. In 2007, Roses Only was informed by its bank that an unusually high number of its customers’ credit card details had subsequently been used fraudulently by scammers, with some of the cards reportedly used to make luxury purchases in south east Asia.
Chief executive James Stevens says he didn’t then, and still doesn’t, have any direct evidence that the credit card details were stolen from Roses Only’s data systems, but says he was still forced to take quick action to beef up the business’s data security.
“It was difficult, because we still haven’t found if our data was compromised, but we couldn’t afford to take things for granted, and so we have significantly lifted security,” Stevens says.
“Losing confidence is very important for an online business, so we acted to earn the confidence of our customers and I think we’ve done that.”
Stevens won’t disclose what it has cost him to improve his IT security, but will say Roses Only will soon be the only business in its sector to achieve tier-one accreditation under Payment Card Industry data security standards.
His advice for business owners? Be proactive in putting the latest data security measures in place.
“We had everything in place to make our business secure as it could have been, but someone still tried to come into our business and have a look around,” Stevens says. “There are people out there constantly working to try and break the system, so you can never take security for granted.”
How the hackers attack your business
Recent data from AusCERT (the national Computer Emergency Response Team for Australia) shows that the most common forms of external online attack on Australian businesses are:
- Malware or virus infections – suffered by 66% of businesses.
- Unauthorised access to business systems – suffered by 15% of businesses.
- Theft of proprietary or confidential information – suffered by 14% of businesses.
- Website defacement – suffered by 8% of businesses.
And a Symantec survey of Australian small and medium businesses conducted late last year reveals where the next threat is seen to be on the IT horizon – 33% of businesses see internet and email enabled mobile phones and PDAs as a key emerging security threat.
Steve Martin, mid-market manager Australia and New Zealand with Symantec, says that now most businesses are switched on to the four basic building blocks of data security – anti-virus and anti-spam software, firewall protection, data storage and back-up, and tight data use policies – internet connected mobile devices are becoming a business information Achilles’ heel.
“The bad guys are seeing mobile devices as a key entry point to access information, and connectivity means that once they get access to a mobile device they have an open door into a business’s network,” Martin says.
Common wireless technologies such as Bluetooth mean mobile devices can receive messages or information simply through physical proximity to a transmitter. According to Martin, retailers are already using this method to send product messages to shoppers as they walk past, but it could just as easily be used to transmit something much more dangerous.
The upshot, he says, is that any device that can connect to your business’s network has to be installed with anti-virus and firewall software, while mobile devices may also need specialised anti-SMS software.
The threat from within
External threats from the likes of malware and phishing tend to dominate the headlines when it comes to online security, but the reality is that businesses are just as likely to suffer an information security breach at the hand of their own staff.
Up to 70% of businesses and public organisations suffered insider abuse of internet access, email or computer system resources, or unauthorised access to information, with half of those breaches resulting in some financial loss, according to AusCERT.
Many businesses don’t realise that while they focus on foiling hackers and catching spam, valuable information theft is going on right under their noses every day, according to Noric Dilanchian, a lawyer specialising in intellectual property and IT law.
Dilanchian says unauthorised removal of customer contact details by employees is by far the most common type of information breach he sees in his practice.
New portable technology that makes it possible to download and store large amounts of information makes information theft by employees much easier than it once was.
“Data breaches occur when employees take company mobile phones to the next job, when a USB card or iPod is used to download information, or through social networking or instant messaging that goes unmonitored,” Dilanchian says.
While unauthorised access to information can be limited by firewalls or internal access protocols, they will do little to prevent the removal of information by authorised staff – for example, of a customer list by a departing sales person.
The bottom line for protecting information, according to Dilanchian, is to make it clear to employees that it is valuable to your business and that action will be taken if rules governing the use of that information are breached.
To have the best chance of embedding a culture of respect for information in a business, and ensure the best chance of taking successful legal steps after any information is stolen, Dilanchian says businesses should:
- Put solid policies and procedures in place to make it clear what information is valuable, who has access to it and for what purpose.
- Ensure those employees, consultants or contractors given access to that information have clauses written into their contracts prohibiting use of that information for unauthorised purposes.
“Getting your policies to be bulletproof is the first place to start. Business owners often see that as incredibly boring and don’t want to do it, but if an employee walks away with your valuable information the non-existence of a policy and procedure manual can mean the difference between legal success or failure,” Dilanchian says.
Top 10 tips to protect your internet security
1. Install and use protective software
The first essential step any business connected to the web needs to take is to use protective software such as anti-virus and anti-spyware software to check for and remove any viruses, worms, trojans or spyware installed on your computers.
And if you have any information worth protecting, don’t download your anti-spam software from any old free website you find on the web. Not only is free or very cheap software unlikely to do the job, free software can be a favourite lurk, ironically, for purveyors of malware and other dangerous bugs.
2. Install a firewall to stop unauthorised access to your computer
Firewalls control who accesses what in your system, both for internal and external users – a bit like a security guard for your systems.
Like anti-spam software, a properly functioning firewall is an essential component of any decent IT security system and shouldn’t be done on the cheap.
3. Avoid harmful emails and spam
However good your anti-spam and junk mail software, some unrequested and potentially dangerous email will inevitably get through.
The most innocuous messages can cause grievous damage to your business – clicking on a link to an e-card, or clicking to accept a seemingly authentic software add-on, can be all that online predators need to get into your system.
Always be cautious about opening emails and email attachments from unknown or questionable sources, and make it clear to all staff that they need to do the same.
4. Back up your data
Filing used to be a basic function in just about every business, but with the rise of the net information storage seems to have dropped off the radar a little.
And backing up your data is not just a matter of creating a folder to save old emails. For data of any ongoing value – customer and financial records in particular – an offsite data archiving facility is just about mandatory.
The good news is, technology improvements mean data back-up systems are now relatively cheap. You can buy a hard drive with a couple of terabytes of storage for about $1000 that you can use to back up all your business data at the end of the day and take off-site.
Increasingly, however, remote archiving via the web is being seen as the most cost effective and safe data storage solution. Remote data storage solutions can be purchased for as little as $30 a month, with prices depending primarily on the amount of information involved.
5. Develop a system for secure passwords
It’s all very well putting in place an iron-clad firewall to prevent unauthorised data access, but it’s not going to be of much use if the password keys it operates on aren’t secure.
Make sure passwords to your important information are kept secure and constantly changed. If a staff member leaves, or a contractor/consultant is given access to your system, make sure relevant passwords are changed.
6. Keep your software up-to-date
There are thousands, if not millions, of tech savvy bad guys out there working around the clock to crack business IT security software, so failing to keep your software up-to-date is tantamount to not having any protection at all.
Most reputable IT software vendors offer constantly updated anti-virus and anti-spam software, but if you would prefer to focus on your business, outsourcing your IT security needs to a managed service firm could be an option.
7. Keep mobile devices secure
Any device connected to the net needs some form of IT security software – and, increasingly, that means mobile devices such as laptops, PDAs, mobile phones and BlackBerrys.
Keep a tight inventory of the mobile devices authorised to access your systems, who has them and the security software running on them – and make sure they are kept up-to-date.
8. Encrypt data stored in mobile devices
Many mobile devices, particularly laptops, are capable of containing a large volume of potentially sensitive work-related information. Access to those devices needs to be password protected and encrypted so that if they are lost or stolen, the new owner of your work laptop can’t just turn it on and download a list of your customer contact details.
9. Restrict the use of data storage devices at your workplace
Large capacity USB memory sticks or even the humble iPod now have sufficient capacity that they can hold almost the complete business information of most small businesses.
It is prudent to put USB locks on your computers and require password access for downloading large volumes of information. Some businesses prohibit employees bringing data storage devices into the workplace.
10. Develop and maintain an IT security policy
Establish an IT security policy around some basic rules such as:
- Who has access to data and passwords.
- What websites are allowed to be browsed.
- The consequences of unauthorised access.
And once you’ve done that, don’t just put the document in the bottom of a drawer and forget about it. Make sure all employees read the policy and comply with it.