Ever had a question about internet security that you were too afraid to ask? Mark Sunner delivers a practical, non-technical guide to security online for IT managers and business owners.
It’s hard to imagine modern Australian business without the internet but in the last few years it has become fraught with danger. Internet crooks are the dotcom entrepreneurs of crime, using the power of computers and the interconnections of the network against innocent businesses to make money. Make no mistake: viruses, spam and spyware are the products of a global ‘business’ that is worth as much as $60bn a year. To put that into context, online crime is bigger than the global drugs trade. With so much money at stake, it’s not surprising the problem is getting worse.
In November 2008, web hosting service McColo Corp was taken down after being credited with hosting up to 75 percent of email threats. In the days following the takedown, spam levels declined massively by 65 percent. Yet by the end of November, the threats had surged again, returning to two-thirds of what they had been.
The risks are only part of the story. Internet security is also a competitive advantage. Customers and suppliers want to understand what security arrangements are in place to protect them and their privacy. Who will contact your customers if a computer security incident hits your business? IT security isn’t just good practice, it’s good business.
Viruses, spam and phishing
According to MessageLabs’ analysis of more than a billion emails a week during 2008, one email in every 100 contains a virus. One in nearly 200 is a fraudulent phishing email. Seven in every 10 contain spam. Put simply, unless you protect yourself properly, email and web access are always going to give you problems.
But what do these terms mean for business? If 70 percent of email is unwanted spam advertising, it means 70 percent of your email server’s capacity and 70 percent of your broadband bandwidth is wasted. Wouldn’t it be better to cut off the flow of spam before it reaches your network? That way you keep the bandwidth and server capacity for your business, not the criminals’.
Phishing emails are more dangerous. They are used to trick people into giving away private information on fake (but highly realistic) websites. A common technique is to persuade people that they need to log into their online bank account to sort out a bogus transaction. Criminals use these sites to get bank account numbers, credit card information and passwords. Another common trick is to get employees to log into a fake company website so that criminals can get user names and passwords to log into your network. The risks of business fraud are obvious. These fake sites are often so realistic in appearance that even some security experts can’t tell them apart from the real thing, let alone the average employee.
However, the worst threat comes from malware. Call them viruses, worms, Trojans or spyware, they all spell bad news. Malware is an unwanted program written by criminals running on a computer in your business, and that’s never a good idea.
What sort of damage could this do? Viruses can give hackers remote access to your data and remote control of your systems. They can also be used to launch criminal attacks on other computers. They can send out thousands of spam email messages. They can infect other computers. Worst of all, they can do all this without any outward sign that something is wrong. Other kinds of viruses display intrusive adverts for pornography and gambling, and even disable security software. If there is a way to make money from your computers, there is a virus that will do it. Viruses spread in email attachments, when people visit certain websites, or simply by spreading from computer to computer on the network.
‘It can’t happen to me’. Really?
Many businesses, especially those with minimal IT support, tend to put a low priority on protecting themselves. Ironically, this makes them more attractive targets. Consider the accounting firm that was infected by a virus because its anti-virus software wasn’t up to date. It took days to clean up the computers, and the firm’s reputation suffered because its computers had turned into ‘zombies’ which sent out spam email to all and sundry. The repairs cost thousands, but the damage to reputation is incalculable.
Imagine a manufacturing business where certain employees downloaded pornography in the office. If an employee took the company to an employment tribunal for permitting a degrading and offensive environment it could turn into a serious waste of management time, with substantial financial implications. It can happen. In one recent case, a tribunal found an employer guilty of sex discrimination because employees were looking at pornography in the room where the complainant worked.
Employees behaving badly
There are pressing legal, productivity and reputation issues associated with internet security. All business owners should ask themselves the following questions:
● What if an employee inadvertently defames someone or binds the company to a damaging contract by email?
● What if someone takes you to an employment tribunal claiming a hostile working environment? Damages in discrimination cases can be high.
● Do you want your employees downloading pornography or other inappropriate content on work computers? It’ll probably happen; the majority of visits to pornographic sites occur during office hours.
● How much productivity can you afford to lose to ‘cyber slacking’ or employees browsing non-work-related websites on company time?
● What would happen if an employee sent sensitive information to a competitor or disclosed confidential information to an unauthorised person by email? Would you be able to enforce company policies, or even track the breach?
These are important questions. The problems behind them are not the result of outside attack, but reputations still suffer, clients still leave and careers still crash and burn. Companies need to write and enforce acceptable use policies, and they need technology to help them do it.
-Mark Sunner is chief security analyst for MessageLabs (www.messagelabs.com.au), a leading provider of managed security services to businesses, removing security problems before they reach the company network.
How to assess your risks
Security starts with putting a business value on different kinds of risks so that you can allocate resources to reducing them. It makes sense to prioritise: you don’t have an infinite IT budget, and some risks are more threatening than others. Therefore, the first step is not about technology, it is about asking some simple business questions.
1. What are you trying to protect? Typical issues include legal requirements, such as the Privacy Act, and professional obligations such as client confidentiality. Then there are straightforward business issues. Nobody wants to publicise sensitive information like plans, lists of potential customers and so on. You may have specific IT systems such as your email, ecommerce site and accounting records. Don’t forget intangibles such as management time, IT resources, your company’s reputation and morale.
2. What are the risks? There are external risks, such as viruses and hackers. There are legal threats, such as the risk of employee misbehaviour landing your organisation in court or before a government tribunal.
3. Who is responsible for IT security? It is not enough to delegate the question to your IT department or supplier. You need to see IT security as a business-wide issue and address it at an owner/director level. If you know what you want to protect and what the risks are, setting priorities, delegating responsibility and allocating budgets all fall in line with what is important to the business. Which manager is going to take the lead? Who is responsible for creating and implementing a plan? What budgets are available and appropriate? One useful approach is to compare your IT security budget with your insurance costs.
4. Where’s the plan? Even if it is a couple of pages, an IT security plan is the first step to protecting your business. It’s better to have a good plan now – and carry it out – than a perfect plan next year. Do you have the right software and technology? Do you have appropriate staff policies and training? What is the budget and timetable?
What to do about it
● Virus and spyware protection. You need to stop viruses and other unwanted programs from getting in the door. With thousands of new virus variants materialising each month, it is critical that your protection is able to keep up with new and previously unknown threats as they emerge.
● Spam filtering. Blocking spam will save employees time and reduce the risk of fraud from phishing emails.
● Firewall. A firewall will stop viruses that spread directly over the internet, and it can also keep hackers away from your network and servers.
● Access control. Make sure your employees only have access to the information they need to do their job. To give an obvious example, don’t let the whole company have access to payroll records.
● Policy enforcement. You need effective policies about employee use of the internet backed up with training that covers policies and practical matters such as the use of strong passwords. Technology can help enforce company policies on appropriate use of the internet, by blocking the downloads of inappropriate images or intercepting attempts to send certain information by email.
● Encryption. Consider encrypting data on laptops and other portable devices to prevent thieves accessing sensitive information if they are stolen. Also, consider email encryption to protect the confidentiality of messages between your business and its partners. By default, email travelling over the internet is not encrypted which means it can be read – like the text on a postcard – as it moves from sender to recipient.
● Physical security. Don’t forget that a stolen server is as much of a risk as a virus-infested one. Locks, alarms, secure server rooms and visitor access control are all essential to your IT security plan.
● Backup. Critical data, including email archives and business databases, needs to be regularly backed up with copies stored offsite. Test the restore process regularly too.
● Software updates. Make sure all the computers in your business are kept up to date with manufacturers’ updates. These are published regularly by the major vendors and fix known flaws and vulnerabilities. Virus writers exploit these vulnerabilities to attack people who do not update quickly enough.