
The enemy within… and without

01 Jun 10

The techos call them Man in the Browser attacks. And chances are, you and your business are vulnerable.
The fact is, online criminals are continually trying to outsmart internet users, and business internet users are ripe for the picking. And guess what? It’s more likely the breach will be an inside job.
A recent study by RSA across Australian and New Zealand SMEs showed that half the respondents directed less than 50% of their IT security budget specifically at the insider threat.
Conversely, a Man in the Browser (MitB) attack is from the outside in, where the perpetrator unleashes a Trojan offensive that’s capable of modifying the user’s web transactions as they occur.
The RSA study found that:
•    80% of respondents were more concerned about the theft, or other exposure or loss, of confidential information;
•    72% were concerned about the misuse of confidential information due to employee negligence;
•    67% said the greater danger was from inside the business and only 10% said external threats were the greater issue;
•    10% of respondents said that none of their IT security budget was allocated specifically to the insider threat;
•    across the board, half the respondents said between 10 and 49% of their IT security budget was so allocated.
The insiders
It can take years of work to build up your intellectual property and only a few minutes for it to be dispatched to places unknown, either by a disgruntled or former staff member or simply through ignorance of the rules. 
Stealing intellectual property can have far-reaching effects on a business; much more so than the odd pencil or pad going home in a satchel. For start-ups, it can cripple the business before it has even got off the ground. The onus is therefore on the business to establish confidentiality rules for staff to ensure the intellectual property is not winging its way to unauthorised destinations.
So, what can a business do to ensure security of information?
Employment contracts are a good place to start. Talk to your employment adviser or lawyer about clauses you can add to the contracts to ensure information integrity. You will probably need to specify what information is regarded as confidential and what is not.
You can also talk to an IT expert about what software exists to prevent sensitive data or information being exported from a computer. Encryption software can also ensure that any data that is exported cannot be read or opened by anyone not authorised to do so.
With social networking on the rise, business managers also need to ensure their people know what is allowed and what is not allowed to be posted for public consumption. Who owns online contacts gained on social networking sites as part of employment is a bit of a grey area.
If your business is online at Twitter, LinkedIn, Facebook and any similar sites, then you need a social media policy that is clearly understood by all staff.
External threats
While SME managers seem less concerned about external threats, the chances of a breach from outside the organisation are still very real. Cybercriminals are becoming increasingly sophisticated in their operations, and Trojan and malware infections are rising sharply in PC environments. Cybercrooks can even access online banking sessions in real time and they are continually evolving their techniques, so constant vigilance is required.
Pre-programmed Trojans can activate when the user’s browser accesses a specific website such as an online banking portal, track the online session and perform real-time manipulation of information for illegal money transfers, identity theft, or the compromise of valuable business information.
Disturbingly, these parasites know no geographic boundaries, so an SME needs to approach the issue with a multi-layered defence strategy for transaction monitoring, authentication and an action to shut down the attack.
Software does exist to help managers accomplish the tasks. 
