Security of your information is paramount – without it, you have no business. In our September issue we focused on what to do to protect your data if disaster strikes, and a number of Christchurch businesses will have learned some valuable lessons recently. But earthquakes, fires or floods are only part of the threat landscape. Businesses need to be sure that the important information accessed via their computers is stored safely, and easily accessible to those who are authorised to view and use it. Security can be costly, however, and new developments in computer hardware, software and internet applications mean there are more ways for people with ill intent to get access to your data for their own purposes. In this article we’ll look at these latest threats, and the ways to combat them. But first, consider arguably the biggest single threat to SMEs: the thief in your office.
“They’d never do that to me!”
Ask yourself this question: do I trust my staff? The business environment has changed; staff don’t stay in one job as long as they used to, and the lean economic climate means less job security. Loyalty is declining. A recent survey of more than 400 IT administrators in Europe and the USA showed that 35% of IT staff believe that sensitive information has been passed into the hands of competitors. Another survey of chief executives in more than 200 US companies, conducted last year by KPMG, revealed that more than a third of them expect theft and fraud by employees to increase. For smaller businesses, trust alone is not enough when it comes to information security.
Brian Eardley-Wilmot, Managing Director of IT investigation firm Computer Forensics Ltd (www.datarecovery.co.nz), says the trust that SME owners have in their small workforce brings specific security problems. “One of the main tenets of security is need-to-know, and in many of the SMEs we find that the confidential information that would be useful to other people is really many times available to all users,” he says. “And why not? They trust them.”
But that trust can be betrayed if a disgruntled worker, on their way out the door, decides to hijack some company data for their own use. They may try to sell it to a competitor, or to set up a business of their own. So even if there were no harsh words or hard feelings at departure time, the business owner needs to take steps to ensure the soon-to-be ex-employee doesn’t grab some valuable souvenirs.
Eardley-Wilmot is blunt in his advice when someone leaves under a cloud: don’t let them hang around. Pay them off in lieu of notice and get them off the premises, but even before you’ve done that, shut them out of the computer system: disable their accounts, change any shared passwords they knew, and collect their keys, tokens and company devices.
Of course, the rot can set in before then. Keeping tabs on what your staff are doing with important information isn’t paranoia; it’s common sense. It’s your computer system and you’re entitled to dictate who does what with it. By setting levels of access, particularly to things like financial records, and keeping logs of who opens what, you limit each employee to the information their job needs and can track what they are doing on your network. This is especially important if you think someone is up to no good. “If you think something is going on, most likely it is,” Eardley-Wilmot says.
When it comes to nailing wrongdoers, modern computers are a big help. Anyone accessing files leaves a trail which forensic investigators can follow, provided the system was set up to log access and those logs are kept. Even those handy little USB memory sticks leave traces on the computer they were plugged into if someone copies documents to them, so an owner or manager can get a report allowing them to ask some uncomfortable questions. The odds are that someone accessing documents for unauthorised purposes will get caught. What’s more, evidence uncovered by forensic specialists can be produced in a court of law, if it comes to that, so long as it was collected and preserved properly; a business that starts poking around the suspect’s computer itself can easily damage that evidence.
So how does a business owner reduce the likelihood of employees stealing data – apart from treating them well and paying them fairly? It comes down to clear and sensible policies.
Get yourself an AUP
Every business should have an Acceptable Use Policy, or AUP. Every employee should read it, and it may even be better to include it in, or reference it from, your employment contracts.
An AUP should cover such things as rules for personal use of email, sending of attached documents, use of portable devices such as USB sticks, downloading of applications, use of company computers at home or personal computers at work, exchanging of data with third parties, use of social networks (see below for more on this), and internet use (including web-capable smartphones). Of course, you can filter internet access, but staff should be told you’re doing this, and that you also reserve the right to monitor what they’re doing on your computers.
Educating your staff is also important. They need to know about the risks to the security of your network, so they don’t do foolish things that let in hackers and malware despite the firewall and other software protection you maintain. Spoofed emails, purporting to be from a regular contact, are just one way that an unwitting staff member can be tricked into letting through malware. Just a click on an email attachment, or a link to a compromised website, and your network is endangered. So-called ‘phishers’, who seek confidential information such as passwords and bank details that they can exploit for financial purposes, are rife on the internet. They will often target specific staff members by posing as someone they know. Staff should be told to check unexpected requests by another channel, such as a phone call, before acting on them. Security firms like Symantec and AVG offer regular newsletters on the latest security threats. Subscribe to these, and pass on the information to your staff.
Social networking is booming, and not only for personal use. Businesses are recognising the value of social media pages as a cheap and worthwhile promotional resource. But with them has come a raft of new security threats – many of them due to human folly.
Social networking sites like Facebook and LinkedIn host a vast array of information about companies and the people who work for them. The trouble arises when people start sharing information too freely, without realising how this could impact on their job, and their company’s reputation. Those extreme party snaps a staff member posted may not reflect well on their employer if they’re identified as working for a particular company. “The lines have completely blurred between work life and personal life,” says Steve Martin, Symantec’s SMB Director, Pacific Region.
Company policies on social networking, therefore, must be carefully defined. Staff need to know that there is a difference between ‘business’ and ‘personal’. If they want to use social media for work purposes, they should have a separate network page containing only business-related postings which are shared only with clients and contacts. Using Facebook for personal stuff and a business-oriented network like LinkedIn for work is a good piece of advice to offer staff. If you’re going to use any form of social media on your company’s behalf, assign the task of maintaining it to one or two senior employees. Be sure to warn all staff about the risk of following invitations and links from unknown sources – or even from what appear to be friends and trusted contacts. Cyber criminals have found a goldmine in social media sites for posing as known ‘friends’, to lure the unwary towards malware and identity theft.
If your website is compromised, so is your business. Infecting legitimate websites with concealed malware is a favourite ploy of cyber criminals, and word gets around fast if your site is infected. You could end up ‘blacklisted’ by search engines and browsers, so that visitors see a warning instead of your home page. Businesses need to ensure that their website is not hosting malicious code. This is especially important if your site contains advertising supplied by a third party. By allowing this, you’re letting someone else’s code run on your pages and surrendering a degree of control over your site, so you need to be confident in the integrity of third-party advertisers. If you’re collecting any personal information through your website, such as names and addresses, you need to protect it both on its way to you (an encrypted HTTPS connection) and wherever it is stored afterwards. Breaching the Privacy Act can be both embarrassing and expensive. If you’re accepting payments via credit card, you have to meet even stricter requirements, laid down by the card industry’s PCI DSS standard.
Every little clever feature or application you add to your website poses an extra security risk, so don’t stint on web development costs. Saving a few hundred dollars when getting an extra function or application added could rebound badly if it makes your site insecure. And if you set up a special micro-site for a campaign or promotion, be sure that’s secure too, especially if it links to or from your main site. If you have any doubts about your site’s security, consider getting an expert to do a ‘penetration test’: a controlled attempt to break in, to find exploitable weaknesses before a real attacker does.
Slowly but surely, businesses are discarding their reservations about using cloud-based computing. The idea of having all your data stored in a remote server accessed online is becoming ever more attractive from a cost-saving point of view, eliminating the need to maintain a local server and back up data yourself. All of these tasks can be done by service providers for a flat monthly fee. Security used to be a leading concern – wondering whether the service provider was looking after the stored data properly and whether it could be easily retrieved. But now, cloud providers are selling their services as being more secure than locally-based computing.
“Small organisations get better security out of the cloud than they can doing it themselves,” says Mike Snowden, CEO of cloud provider OneNet (www.onenet.co.nz). “Not only is it very expensive to get security right, it’s very expensive to maintain it, and most organisations aren’t in the security business.”
The beauty of cloud services, Snowden says, is that security is built in, and the service providers either employ experts to test and maintain it, or outsource it to security specialists. “If you don’t get good security you’re out of business, if you’re a cloud provider.” Not only that, but the larger the provider, the more economical services they can provide to smaller businesses. It’s all to do with economies of scale: the service provider needs a large infrastructure for a large number of customers. Therefore, the small business can find space under that big umbrella, at an affordable cost. OneNet is also sponsoring the New Zealand chapter of the Cloud Security Alliance (www.cloudsecurityalliance.org), a non-profit organisation that recently introduced a certification of cloud security.
However, there are still some potential drawbacks to cloud services. For a start, there’s no single ‘cloud’ as such – there are many of them, run by different operators. No single operator offers all the IT solutions a business may require.
It’s likely you’ll have your data stored with one cloud provider while getting your email from another, e.g. Gmail. Managing your operations with multiple cloud providers can be an anxious affair unless you’re certain that they are as professional and diligent with your business information as you would be yourself. If your cloud service provider suffers an outage, it could affect dozens or even hundreds of businesses apart from yours, and could therefore take longer to resolve. “So you hope that cloud service provider has the right infrastructure in place to ensure that a disaster doesn’t occur, and that service can keep going,” says Symantec’s Steve Martin. You also need to be confident in the stability of your own internet connection, because without it you have no access to your data at all.
Another concern that Martin raises is the portability of data stored in the cloud, i.e. whether you can get it back quickly and easily, in a usable format, should you decide to change providers. If your data is stored somewhere offshore, getting it back via an internet connection could take days. Mike Snowden concedes this is a valid concern, and says anyone entering into an agreement with a cloud service provider needs certain guarantees written into the contract. “You should have an engagement agreement and you should have a clear understanding about what the penalties are, what the objectives are, and what the responsibilities are,” he says. A good provider should be able to guarantee recovery time.
Using cloud-based email can pose some legal challenges. Today, the bulk of most businesses’ intellectual property and unstructured data (data that is not in a database or a minor business application) sits on their email server. In some cases, business records need to be kept for up to seven years, depending on industry and legislative requirements. If you’ve got large volumes of email, you’ll be paying a cloud provider more to store it, and you face the previously mentioned problems of getting it back. To address this, some security providers are now offering archiving solutions that let you archive older emails back to a local server.
Legal jurisdiction needs to be considered when signing a cloud agreement. A North American provider’s standard contract will usually say that it is governed by North American law and enforceable only in North American courts, and the cost of such action is prohibitive for all but the largest organisations. Always seek an agreement that is enforceable under New Zealand law. It’s also smart to get a guaranteed data access clause, should the cloud provider go out of business. And if you’re really concerned, you can keep an independent local backup of your data. It duplicates part of what you pay the provider for, but it is the one safeguard that doesn’t depend on them.
Try to avoid DIY
Managed security is better, whether supplied by specialists or in the cloud. A managed service can not only keep your firewall sturdy; it can advise on security policy and the best security measures for individual devices (including portable storage and mobiles), and ensure your data is backed up regularly. Before shopping for a service, determine your security requirements in business, not technical, terms: what is important, and what protection does it need? Don’t forget what we told you in our disaster recovery story: keep your backups at another location, and encrypt them if they leave your premises. If you’re exchanging confidential data regularly with clients or colleagues, consider encryption. This scrambles the information in communications (such as emails) so that if it’s intercepted, it’s unreadable. For traffic between your offices or to a remote worker this can be done through a virtual private network (VPN); for individual messages or files it can be done with email encryption or a secure file-transfer service, for which your IT provider can recommend suitable tools.
The message all businesses need to absorb is that modern technology has a dark side: it offers more chances to make a dishonest profit, and the threat may not be from a hacking enterprise run by foreign mafia; it could be sitting at the desk opposite you.
“More and more people are becoming aware of what they are able to do, and unfortunately more and more companies are not taking the procedures to counter it,” says Brian Eardley-Wilmot. “Education is critical, as we’ve seen awful things that have gone on, driven by naivety more than anything else.”