Online business offers numerous benefits, but also opens up a range of online fraud risks. Here are some of the dangers of online business and the security measures to protect your business effectively and affordably.
Problems such as computer viruses, spam emails, identity theft and online fraud get frequent and lurid coverage in the mainstream media, leading many businesses to question whether the effort of doing business online is worth the trouble. While the risks are real, dealing with the problems can offer benefits beyond the obvious one of peace of mind, as Martin Lack discovered.
Lack is the founder and director of Martin Lack & Associates, a Queensland-based company specialising in events management for the IT sector. While the firm has just five full-time staff, the nature of its business means that it is a highly visible target.
“We’re a completely electronic business,” Lack said. “Because we have a very high profile on the web, we get a lot of junk mail.” As well as being a nuisance, such spam mail is also increasingly used as a means of distributing dangerous code (often known as malware), either by attaching it to the mail or by including links to sites which can silently take over an individual PC.
Drawing partly on knowledge gained from co-ordinating national computer security conferences, ML&A took a multi-tiered approach to dealing with the potential for problems. “We’ve always had pretty tight anti-virus stuff on our machines, but we knew from our experience that it’s better to have several people stopping it rather than one,” Lack said. “They’re going to pick up a different type of nasty.”
Most recently, ML&A implemented MessageLabs’ eponymous service, which filters all incoming email before it is delivered to the company. Messages which are identified as either spam or containing malware are automatically held back by MessageLabs, rather than being delivered. This minimises the amount of junk mail to be processed by users and also drastically reduces the overall volume of mail delivered to the company, as well as providing an additional level of security.
“It’s all about managing risk and reducing cost,” Lack said. The company can access the held-back mail if it believes that legitimate messages have accidentally been filtered out, though this hasn’t surfaced as a problem to date.
Aside from the security improvements, an equally big benefit was the time saved in deleting junk mails from staff machines, a task which Lack used to spend half an hour or more on every single morning. “You don’t realise until you do it what impact all that junk mail is having on you,” he said.
Ensuring continuity of access is also a major focus for Lack. “We were always very cautious about the things that would cause our business to stop dead. In Brisbane we had big power issues a few years ago, so we put in a generator just in case. But something that isn’t necessarily obvious is that if our Internet service provider went down, we would have no email for at least 48 hours until we could transfer our domain name to another provider. Because MessageLabs now intercepts all of our mail, that transfer would be much faster if we needed it.”
As ML&A’s experience demonstrates, protecting a business requires more than just a simple anti-virus solution (though you will need one of those as a basic component of your security system). While computer security threats used to be easily identifiable, the biggest challenge for most businesses today is so-called blended threats, which use a variety of mechanisms (such as email, Web sites, social engineering and virus attacks) to distribute themselves. And while historically well-known viruses often tried to draw attention to themselves, modern malware wants to stay invisible.
Most attack code is written by professional cyber-criminals, seeking either to take data from companies and onsell it for profit, or to connect compromised machines together and utilise them to form ‘botnets’ which can in turn be rented out to send spam mail, or used to distribute still more malware. Under these circumstances, staying inconspicuous is crucial.
“What folks forget is how dangerous the Internet is today,” said Mike Greene, vice president for product strategy at PC Tools. “There’s a number of different ways for cyber-criminals to exploit businesses.”
Of course, this desire to remain invisible and the desire to make money rather than merely gain glory only add to the challenge of fighting off such problems. While security suites have become more integrated — you’re much more likely to install a single suite that protects against viruses and spyware and a firewall to protect against unauthorised network intrusions than to buy separate products for each function — they still take time and money to manage.
“Balancing securing IT systems with making them available, and doing that in a cost-effective way, is a big challenge,” said John Donovan, managing director for Symantec. “A common thing we hear from smaller businesses is they simply don’t have the time.”
One useful solution in this context may be to use a managed security service. By effectively outsourcing your ongoing IT security management to a third party for a fixed monthly sum, you can hand off what is becoming an increasingly complex problem to someone with a higher degree of expertise.
That’s certainly a better approach than the ostrich-like stratagem of pretending nothing will go wrong. SMEs often assume that they are less likely to be the victims of a co-ordinated attack than a larger multinational firm, but such an assumption is largely unwarranted, experts warn. “If you don’t have a sensible protection strategy, getting attacked is only a matter of time,” said Paul Ducklin, Asia-Pacific head of technology for Sophos.
“There’s no reason you can’t have an attack against smaller companies,” said Greene. “It’s not that hard to figure out a way to exploit that relationship.”
“People need to realise it’s a money making business, and nobody’s immune. Criminals go for the weak link in the armour.”
In larger businesses, it makes sense to have both network-level protection (examining incoming data before it hits individual machines) and a separate desktop-level system. “The desktop is really the last line of defence,” Greene said. “If you go to the local coffee shop or the airport, you can’t rely on the stuff on the server.”
Protection shouldn’t be limited to machines in your own premises either. Ducklin points out that company web servers are now often hacked to provide links to sites which download malware. Those links are invisible to the naked eye, and the malicious software itself resides somewhere else, but the potential for reputational damage Running an on-access scanner on your web server (or more likely ensuring your provider does so), which checks pages as they load for possible illicit content, can help obviate such threats.
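The kind of injection Ducklin describes leaves a recognisable footprint in the page source: iframes or scripts that load from a host other than your own, elements sized to zero pixels, or elements hidden with CSS. The following scanner, an added example that is not part of the original article or any vendor’s product, walks a page’s HTML and flags those patterns. The sample page, the rules and the `example.com` site name are all constructed for illustration.

```python
"""Scan served HTML for hidden, off-site injections of the sort described in
the article: invisible iframes, zero-size elements and scripts loaded from
other domains. Added example; the scoring rules and SAMPLE_PAGE are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an ordinary page with one hidden iframe appended at the end.
SAMPLE_PAGE = """
<html><head><title>Events</title>
<script src="/static/app.js"></script></head>
<body><h1>Upcoming events</h1>
<a href="https://example.com/register">Register</a>
<iframe src="http://malware-host.invalid/x.html" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>
"""

# Tags that can pull executable or embedded content into the page.
LOADING_TAGS = ("iframe", "script", "embed", "object")


class InjectionScanner(HTMLParser):
    """Collects one finding per suspicious loading element."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in LOADING_TAGS:
            return
        a = dict(attrs)
        src = a.get("src") or a.get("data")
        reasons = []
        # Content fetched from a host that is not ours (relative URLs have no host).
        if src:
            host = urlparse(src).hostname
            if host and host.lower() != self.site_host:
                reasons.append(f"loads from off-site host {host}")
        # Zero-size elements are invisible to a visitor but still load.
        if a.get("width") == "0" or a.get("height") == "0":
            reasons.append("zero-size element")
        # CSS hiding is the other common way to keep the injection out of sight.
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})


def scan_page(html, site_host):
    """Return a list of findings for the given HTML; empty means nothing suspicious."""
    parser = InjectionScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, "example.com"):
        print(finding["tag"], finding["src"], "; ".join(finding["reasons"]))
```

Run against pages fetched from your own site on a schedule, a check like this gives an early warning that is independent of whatever the hosting provider’s scanner does; the legitimate `/static/app.js` script passes because a relative URL has no off-site host, while the appended iframe trips all three rules.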
Online threats evolve rapidly, so even with a good protection strategy, you might still fall victim to an attack which results in lost information or compromised data. The most critical element in recovering from such a setback is having good backups of your existing systems, and the knowledge of how to restore them quickly — something many businesses struggle with.
“Australian SMEs fall down in their ability to actually have backup and recovery processes in place to recover from some sort of attack,” Donovan said. Surveys suggest that many businesses run backups less than once a day, making them particularly vulnerable. “Whether it’s a cyber-style attack or a physical attack, the ability to recover is somewhat compromised without backups,” Donovan said. “Also, in a lot of cases, they’re not modifying their policies as they grow.”
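Donovan’s two points, backups that run too rarely and backups that nobody has checked can actually be restored, can both be caught by a routine check. The script below, an added example rather than anything from the article or the vendors quoted, records a SHA-256 manifest when a backup set is written and later verifies that the set is younger than the policy interval and that every file still matches its digest. The 24-hour policy, the manifest format and the sample backup directory are constructed assumptions.

```python
"""Verify that a backup set is recent and intact before trusting it for recovery.
Added example; the MANIFEST format, the 24-hour policy and the demo data are
constructed, not taken from the article."""
import hashlib
import os
import tempfile
import time

MAX_AGE_SECONDS = 24 * 3600  # assumed policy: at least one backup per day


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir):
    """Record the digest of every file in the set; run this when the backup is taken."""
    lines = []
    for name in sorted(os.listdir(backup_dir)):
        if name == "MANIFEST":
            continue
        lines.append(f"{sha256_of(os.path.join(backup_dir, name))}  {name}")
    with open(os.path.join(backup_dir, "MANIFEST"), "w") as f:
        f.write("\n".join(lines) + "\n")


def check_backup(backup_dir, now=None, max_age=MAX_AGE_SECONDS):
    """Return (ok, problems): ok is False if the set is stale, incomplete or corrupt."""
    now = time.time() if now is None else now
    problems = []
    manifest = os.path.join(backup_dir, "MANIFEST")
    if not os.path.exists(manifest):
        return False, ["no manifest: backup set was never recorded"]
    # Freshness: the manifest's mtime is when the set was last written.
    age = now - os.path.getmtime(manifest)
    if age > max_age:
        problems.append(f"backup set is {age / 3600:.1f} hours old (limit {max_age / 3600:.0f})")
    # Integrity: every recorded file must exist and still hash to its recorded digest.
    with open(manifest) as f:
        for line in f:
            digest, name = line.rstrip("\n").split("  ", 1)
            path = os.path.join(backup_dir, name)
            if not os.path.exists(path):
                problems.append(f"missing: {name}")
            elif sha256_of(path) != digest:
                problems.append(f"corrupt: {name}")
    return not problems, problems


def demo():
    """Constructed scenario: a fresh, intact set; then silent corruption; then staleness."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "customers.db"), "wb") as f:
        f.write(b"constructed sample data")
    write_manifest(d)
    fresh = check_backup(d)
    with open(os.path.join(d, "customers.db"), "wb") as f:
        f.write(b"bit rot or tampering")  # same name, different content
    corrupt = check_backup(d)
    stale = check_backup(d, now=time.time() + 3 * 24 * 3600)  # pretend three days passed
    return fresh, corrupt, stale


if __name__ == "__main__":
    for label, result in zip(("fresh", "corrupt", "stale"), demo()):
        print(label, result)
```

A scheduled run that alerts whenever `check_backup` returns `False` turns “we have backups” into “we have backups that are current and restorable”, which is the property that actually matters on the day of an incident.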
Having a good recovery strategy and regularly updated software will offer solid protection for most current scenarios. “Keep your computers patched and up to date,” Greene advises. “Deploy those solutions and let the armies of researchers deal with the problem.”
Legal Data Protection Responsibilities
Legal responsibilities for protecting data vary widely depending on the size and nature of your company. Smaller businesses generally aren’t subject to the provisions of the Privacy Act, but companies in specific sectors (such as finance or medicine) may fall under more specific regulations.
Regardless of the legal specifics, however, companies have an ethical and a practical obligation to ensure that business and customer data doesn’t fall into the wrong hands.
“When you’re operating as a business, you have an obligation to protect your customers’ data as well,” said PC Tools’ Mike Greene. “You have a legal and a moral obligation to make sure that’s protected as best as you can.”
“Most companies will collect data and it’s everyone’s expectation that you’re going to keep that data safe and private. The last thing someone wants to hear is that there’s nothing in place. You need to do your due diligence and do the right thing.”