The enemy within… and without

01 Jun 2010

The techos call them Man in the Browser attacks. And chances are, you and your business are vulnerable.

The fact is, online criminals are continually trying to outsmart internet users, with business internet users ripe for the picking. And guess what? It’s more likely the breach will be an inside job.

A recent study by RSA across Australian and New Zealand SMEs showed that half the respondents directed less than 50% of their IT security budget specifically at the insider threat.

Conversely, a Man in the Browser (MitB) attack is from the outside in, where the perpetrator unleashes a Trojan offensive that’s capable of modifying the user’s web transactions as they occur.

The RSA study found that:

• 80% of respondents were more concerned about the theft, or other exposure or loss, of confidential information;
• 72% were concerned about the misuse of confidential information due to employee negligence;
• 67% said the greater danger was from inside the business and only 10% said external threats were the greater issue;
• 10% of respondents said that none of their IT security budget was allocated specifically to the insider threat;
• across the board, half the respondents said between 10 and 49% of their IT security budget was so allocated.

The insiders

It can take years of work to build up your intellectual property and only a few minutes for it to be dispatched to places unknown, either by a disgruntled or former staff member or simply through ignorance of the rules.

Stealing intellectual property can have far-reaching effects on a business; much more so than the odd pencil or pad going home in a satchel. For start-ups, it can cripple the business before it has even got off the ground.

The onus is therefore on the business to establish confidentiality rules for staff to ensure the intellectual property is not winging its way to unauthorised destinations.

So, what can a business do to ensure security of information?

Employment contracts are a good place to start. Talk to your employment adviser or lawyer about clauses you can add to the contracts to ensure information integrity. You will probably need to specify what information is regarded as confidential and what is not.

You can also talk to an IT expert about what software exists to prevent sensitive data or information being exported from a computer. Encryption software can also ensure that any data that is exported cannot be read or opened by anyone not authorised to do so.

With social networking on the rise, business managers also need to ensure their people know what is allowed and what is not allowed to be posted for public consumption. It’s a bit of a grey area as to who owns online contacts on social networking sites gained as part of employment.

If your business is online at Twitter, LinkedIn, Facebook and any similar sites, then you need a social media policy that is clearly understood by all staff.

External threats

While SME managers seem less concerned about external threats, the chances of a breach from outside the organisation are still very real. Cybercriminals are becoming increasingly sophisticated in their operations, and Trojan and malware infections are rising sharply in PC environments.

Cybercrooks can even access online banking sessions in real time and they are continually evolving their techniques, so constant vigilance is required.

Pre-programmed Trojans can activate when the user’s browser accesses a specific website such as an online banking portal, track the online session and perform real-time manipulation of information for illegal money transfers, identity theft, or the compromise of valuable business information.

Disturbingly, these parasites know no geographic boundaries, so an SME needs to approach the issue with a multi-layered defence strategy for transaction monitoring, authentication and an action to shut down the attack.

Software does exist to help managers accomplish the tasks.