Doing business online offers numerous benefits, but also opens up a range of new risks for criminal and fraudulent behaviour. Angus Kidman looks at some of the dangers lurking online and how businesses can protect themselves effectively and affordably.
Problems such as computer viruses, spam emails, identity theft and online fraud get frequent and lurid coverage in the mainstream media, leading many businesses to question whether the effort of getting connected to the internet is worth the trouble. While the risks are real, dealing with the problems can offer benefits beyond the obvious one of peace of mind, as Martin Lack discovered.
Lack is the founder and director of Martin Lack & Associates, a Queensland-based company specialising in events management for the IT sector. While the firm has just five full-time staff, the nature of its business means that it is a highly visible target.
"We're a completely electronic business," Lack says. "Because we have a very high profile on the web, we get a lot of junk mail." As well as being a nuisance, such spam mail is also increasingly used as a means of distributing dangerous code (often known as malware), either by attaching it to the mail or by including links to sites that can silently take over an individual computer.
Drawing partly on knowledge gained from co-ordinating national computer security conferences, ML&A took a multi-tiered approach to dealing with the potential for problems. "We've always had pretty tight anti-virus stuff on our machines, but we knew from our experience that it's better to have several people stopping it rather than one," Lack says. "They're going to pick up a different type of nasty."
Most recently, ML&A implanted MessageLabs' eponymous solution, which filters all incoming email before it is delivered to the company. Messages identified as either spam or containing malware are automatically held back by MessageLabs, rather than being delivered. This minimises the amount of junk mail to be processed by users and also drastically reduces the overall volume of mail sent, as well as providing an additional level of security.
"It's all about managing risk and reducing cost," Lack says. The company can access the held-back mail if it believes that legitimate messages have accidentally been filtered out, though this hasn't surfaced as a problem to date.
Aside from the security improvements, an equally big benefit was the time saved in deleting junk mails from staff machines, a task which Lack used to spend half an hour or more on every single morning. "You don't realise until you do it what impact all that junk mail is having on you," he says.
Ensuring continuity of access is also a major focus for Lack. "We were always very cautious about the things that would cause our business to stop dead. In Brisbane we had big power issues a few years ago, so we put in a generator just in case. But something that isn't necessarily obvious is that if our internet service provider went down, we would have no email for at least 48 hours until we could transfer our domain name to another provider. Because MessageLabs now intercepts all of our mail, that transfer would be much faster if we needed it."
As ML&A's experience demonstrates, protecting a business requires more than just a simple anti-virus solution (though you will need one of those as a basic component of your security system). While computer security threats used to be easily identifiable, the biggest challenge for most businesses today is so-called blended threats, which use a variety of mechanisms (such as email, websites, social engineering, and virus attacks) to distribute themselves. And while historically well-known viruses often tried to draw attention to themselves, modern malware wants to stay invisible.
{mospagebreak}
Most attack code is written by professional cyber criminals, seeking either to take data from companies and onsell it for profit, or to connect machines together and form 'botnets' which can in turn be rented out to send spam mail, or used to distribute still more malware. Under these circumstances, a lack of prominence is crucial.
"People forget how dangerous the internet is today," says Mike Greene, vice president for product strategy at PC Tools. "There are a number of different ways for cyber criminals to exploit businesses."
Of course, this desire to remain invisible and the desire to make money rather than merely gain glory only adds to the challenge of fighting off such problems. While security suites have become more integrated–you're much more likely to install a single suite that protects against viruses and spyware, and a firewall to protect against unauthorised network intrusions, than to buy separate products for each function–they still take time and money to manage.
"Balancing securing IT systems with making them available, and doing that in a cost-effective way, is a big challenge," says John Donovan, managing director for Symantec. "A common thing we hear from smaller businesses is they simply don't have the time."
A useful solution in this context may be to use a managed security service. By outsourcing your ongoing IT security management to a third party for a fixed monthly sum, you can hand off what is becoming an increasingly complex problem to someone with a higher degree of expertise.
That's certainly a better approach than the ostrich-like pretence that nothing will go wrong. SMEs often assume that they are less likely to be the victims of a co-ordinated attack than a larger multinational firm, but such an assumption is largely unwarranted, experts warn. "If you don't have a sensible protection strategy, getting attacked is only a matter of time," says Paul Ducklin, Asia-Pacific head of technology for Sophos.
"There's no reason you can't have an attack against smaller companies," says Greene. "It's not that hard to figure out a way to exploit that relationship. People need to realise it's a moneymaking business, and nobody's immune. Criminals go for the weak link in the armour."
In larger businesses, it makes sense to have both network-level protection (examining incoming data before it hits individual machines) and a separate desktop-level system. "The desktop is really the last line of defence," Greene says. Protection shouldn't be limited to machines in your own premises either. Ducklin points out that company web servers are now often hacked to provide links to sites that download malware. Those links are invisible to the naked eye, and the malicious software itself resides somewhere else, but the potential for reputational damage is serious. Running an on-access scanner on your web server (or more likely ensuring your provider does so), which checks pages as they load for possible illicit content, can help obviate such threats.
Online threats evolve rapidly, so even with a good protection strategy you might still fall victim to an attack which results in lost information or compromised data. The most critical element in recovering from such a setback is having good backups of your existing systems, and the knowledge of how to restore them quickly–something many businesses struggle with.
"Australian SMEs fall down in their ability to actually have backup and recovery processes in place to recover from some sort of attack," Donovan says. Surveys suggest that many businesses run backups less than once a day, making them particularly vulnerable. "Whether it's a cyber-style attack or a physical attack, the ability to recover is somewhat compromised without backups. Also, in a lot of cases, they're not modifying their policies as they grow."
{mospagebreak}
Having a good recovery strategy and regularly updated software will offer solid protection for most current scenarios. "Keep your computers patched and up-to-date," Greene advises. "Deploy those solutions and let the armies of researchers deal with the problem
."
Do The Right Thing
Legal responsibilities for protecting data vary widely depending on the size and nature of your company. Smaller businesses generally aren't subject to the provisions of the Privacy Act, but companies in specific sectors (such as finance or medicine) may fall under more specific regulations.
Regardless of the legal specifics, however, companies have an ethical and a practical obligation to ensure that business and customer data doesn't fall into the wrong hands.
"When you're operating as a business, you have an obligation to protect your customers' data as well," says PC Tools' Mike Greene. "You have a legal and a moral obligation to make sure that's protected as best as you can.
"Most companies will collect data and it's everyone's expectation that you're going to keep that data safe and private. The last thing someone wants to hear is that there's nothing in place. You need to do your due diligence and do the right thing."
Top Ten Tips
As appealing as it is to just ‘buy’ security, even the very best security suites cannot cover all eventualities. Here’s a quick and easy 10-step guide that, in conjunction with good security software, should keep you business safe from criminals and accidents.
1. Education. The vast majority of successful attacks are not the result of some elite hack slipping past your computer’s firewall. They’re successful because someone was duped into doing something they shouldn’t have. Perhaps they received an email promising a fun game or a picture of a naked celebrity—if only they click on this link or open this file…
To avoid drama, remember these three quick and easy rules: never open an executable file (those with .exe, .vbs or .bat extensions, for example) received in an email, even from people you know; never respond to or act on requests in an email that would require you to give up confidential information; never install new software on a work system (or a personal system that you connect to the office network) without approval.
2. Use good passwords. People hate them, but non-dictionary character strings that include both numbers and letters make the best passwords.
3. Turn on wireless security. Many wireless access points and routers are, unfortunately, shipped with wireless networking turned on, but with security turned off. Check your router manual, and turn on WPA or WPA2 security.
4. Create user accounts (with passwords). Every major operating system has the capacity to assign different users varying levels of authority over the system.
5. Remove unused software. Unused software and services should be uninstalled or disabled on company computer systems. Also, when an employee leaves the company, their accounts should be deleted.
6. Format. If you’re going to throw a computer out, make sure to format its hard drive first.
7. Patch. All office computers—and any PCs that attach to the office network—should be kept fully up to date.
8. Create backups. Important documents should be backed up regularly.
9. Encrypt. Important files should be encrypted, especially if they’re taken offsite on a notebook, mobile or USB thumb drive.
10. Have insurance. Insurance against financial hardships associated with data loss and theft is available, but it’s worth reading any insurance policy in detail.
*Source McAfee, an edited excerpt from its Total Protection Handbook.