Are you at risk?
Small to medium businesses can sometimes feel that they are too insignificant to attract the attention of online criminals. However, Simon Sharwood explains the opposite is true.
"The first email I ever received from a bank asking for my password was obviously a fake," says Steve Martin, APAC Mid-Market Manager for software company Symantec. "It came from a bank in the USA and I knew I had no account there.
"But the emails I receive today are more convincing. It looks like they come from Australian banks – even my bank!"
The convincing nature of these emails, which look just like local internet banking sites and request an update to your password, is a real threat because the emails are not from your bank. Instead, they are from thieves who use the internet to make money in a scheme called "phishing".
Entering your details into a phishing site gives criminals everything they need to access and empty your bank account.
That intent to relieve you of your hard-earned cash is important because it shows how computer security has changed from a task you undertake to stop hackers showing off, to a deadly serious effort you must perform in order to prevent criminal enterprises stealing money and property.
How serious are your security flaws?
Phishing is one of those criminal efforts and is often coordinated using "bot-nets," networks of computers controlled by criminals who have infiltrated them with software that sends spam, tries to crack your security systems or discovers internet banking passwords.
Security companies estimate there are more than five million PCs controlled by bot-nets, which represents sufficient criminal-controlled computing power to disrupt almost any online service. This does not mean, however, that all is well, because while intercepting data streams on the internet remains hard, infiltrating your computers to access information while it is "at rest" remains a task that can be achieved in dozens of ways.
The most likely source of attack lies in the operating systems and applications you use to run your business. That's because software development remains an imprecise discipline and even the mightiest vendors like Microsoft, HP and IBM release software containing dozens of vulnerabilities that regularly make it possible for criminals to control your computers and access your data.
The consequences of that access are not pretty, with financial losses the most obvious downside risk. Losing proprietary information that represents competitive advantage is also more than possible. Compliance issues are also pertinent: The Privacy Act makes it an offence to expose the details of your customers to unauthorised parties and there are no exceptions for accidental exposure. The public ridicule that often follows these breaches is another consequence to contemplate.
Actions to minimise risk to your business
To protect yourself against the threats outlined above and the inevitability of holey software, you must take security seriously. Otherwise your system could be infiltrated by spyware or malware, which is computer software that gathers user information through the user's internet connection without his or her knowledge, or which contains viruses that cause your computer to behave abnormally.
Software that repels viruses, spyware and other forms of malware is a must and should be installed at the "gateway" between your business and the internet, on all your PCs and servers. "Firewalls" are specialised hardware that repel unauthorised attempts to breach your networks and are a more than sensible acquisition.
You must also develop a regime to track and implement the frequent updates to security software and hardware issued by vendors to ensure you remain secure in the face of the latest threats.
Another useful precaution is to take passwords seriously. Many pieces of computer equipment have password-protected functions that administrators use to control them. But fewer than 50% of small businesses take the time to reset those passwords to something other than the default ‘0000’ or ‘1234’ installed in the machines when they leave the factory.
Fewer still use ‘strong’ passwords that blend letters, numbers and punctuation. This simple and important precaution makes it harder for hackers to hurt you because it reduces the chances they can cycle through the dictionary to guess your password, an approach that otherwise makes it all but certain you will eventually be compromised.
Creating stronger passwords is not hard. Imagine you own a dog called ‘Stephanie’ and want to use that as a password because it is easy to remember. Take advantage of the fact that ‘E’ resembles ‘3’ and ‘A’ resembles ‘4’ to create the password ‘St3ph4ni3’ and you will be much more secure!
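As an added illustration (not part of the original article), the short Python check below applies the password advice above: it flags the factory defaults, requires the blend of letters, numbers and punctuation, and undoes look-alike substitutions such as ‘3’ for ‘E’ before a dictionary lookup, because password-guessing dictionaries commonly try those substitutions too. The word list, the 12-character minimum and the function name audit_password are assumptions made for the example.

```python
import string

# Constructed sample data: the factory defaults named in the article plus a
# tiny stand-in word list. A real audit would load a full dictionary file.
DEFAULT_PASSWORDS = {"0000", "1234"}
WORDLIST = {"stephanie", "password", "sydney"}

# Look-alike substitutions, including the article's E->3 and A->4.
LEET = str.maketrans({"3": "e", "4": "a", "0": "o", "1": "i",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def audit_password(password, min_length=12):
    """Return a list of findings; an empty list means no check failed.

    min_length is an assumed policy value, not a figure from the article.
    """
    findings = []
    if password in DEFAULT_PASSWORDS:
        findings.append("factory default")
    if len(password) < min_length:
        findings.append("shorter than %d characters" % min_length)
    classes = [
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if not all(classes):
        findings.append("does not blend letters, numbers and punctuation")
    # Undo the substitutions, drop leftover non-letters, then look the
    # result up exactly as a dictionary-based guesser would.
    normalised = password.lower().translate(LEET)
    core = "".join(c for c in normalised if c.isalpha())
    if core in WORDLIST:
        findings.append("dictionary word after undoing substitutions: " + core)
    return findings


if __name__ == "__main__":
    for candidate in ("1234", "St3ph4ni3", "river-Lamp-42-quiet!"):
        print(candidate, "->", audit_password(candidate) or "no findings")
```

Run against a list of candidate passwords before they are set on equipment; any non-empty result is a reason to choose something longer and less guessable.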
Another way to boost security is by discussing the information above with your staff – only if they have an inkling of the issues your business faces can they modify their own behaviour to increase your overall safety.
Is your back up system adequate?
Another important thing to do is to expand your own definition of computer security beyond just repelling the bad guys so that it also includes protection of your data through backup and archiving.
Backup is something that is obviously important, but many businesses often make the mistake of performing backups without checking that they have worked. Many also store their backup media in the office, which becomes problematic when fire or other physical disasters strike as the backup can be destroyed along with the original!
Archiving is another security issue, because few small businesses know where their important data is stored. This becomes a problem during events like tax audits or legal disputes, where lost files or emails can result in situations getting out of hand as you cannot prove the existence of transactions or understand the promises you have made to clients.
Leaving yourself in a position where this can happen is just as relevant to the overall security of your business as the bars on the windows or the security software you run, making archiving an important issue.
Archiving is also an important issue when you consider how to find the help you need to secure your business. Most IT services organisations claim some security expertise. Few, however, consider your business needs and instead focus on the tools they understand (or which have the highest profit margin and maintain revenue potential).
Any discussion with service providers about security must therefore focus on the things you need to protect the most and how they can help you to do so. Only by discussing security in the context of your business can you hope to be truly secure. But once you invest the time and energy in understanding the threat landscape and how it affects your business, chances are you will enjoy the benefits of the internet with few of the downsides posed by its criminal element.
Simon Sharwood is technology editor for My Business magazine and contributes regularly on IT-related issues in The Sydney Morning Herald and The Age.

