
The enemy within… and without

01 Jun 2010

The techos call them Man in the Browser attacks. And chances are, you and your business are vulnerable.
The fact is, online criminals are continually trying to outsmart internet users, and business internet users are ripe for the picking. And guess what? It’s more likely the breach will be an inside job.
A recent study by RSA across Australian and New Zealand SMEs showed that half the respondents directed less than 50% of their IT security budget specifically at the insider threat.
Conversely, a Man in the Browser (MitB) attack is from the outside in, where the perpetrator unleashes a Trojan offensive that’s capable of modifying the user’s web transactions as they occur.
The RSA study found that:
• 80% of respondents were more concerned about the theft or other exposure or loss of confidential information;
• 72% were concerned about the misuse of confidential information due to employee negligence;
• 67% said the greater danger was from inside the business and only 10% said external threats were the greater issue;
• 10% of respondents said that none of their IT security budget was allocated specifically to the insider threat;
• across the board, half the respondents said between 10% and 49% of their IT security budget was so allocated.
The insiders
It can take years of work to build up your intellectual property and only a few minutes for it to be dispatched to places unknown, either by a disgruntled or former staff member or simply through ignorance of the rules. 
Stealing intellectual property can have far-reaching effects on a business; much more so than the odd pencil or pad going home in a satchel. For start-ups, it can cripple the business before it has even got off the ground. The onus is therefore on the business to establish confidentiality rules for staff to ensure the intellectual property is not winging its way to unauthorised destinations.
So, what can a business do to ensure security of information?
Employment contracts are a good place to start. Talk to your employment adviser or lawyer about clauses you can add to the contracts to ensure information integrity. You will probably need to specify what information is regarded as confidential and what is not.
You can also talk to an IT expert about what software exists to prevent sensitive data or information being exported from a computer. Encryption software can also ensure that any data that is exported cannot be read or opened by anyone not authorised to do so.
With social networking on the rise, business managers also need to ensure their people know what is allowed and what is not allowed to be posted for public consumption. Who owns online contacts gained on social networking sites as part of employment is a bit of a grey area.
If your business is online at Twitter, LinkedIn, Facebook and any similar sites, then you need a social media policy that is clearly understood by all staff.
External threats
While SME managers seem less concerned about external threats, the chances of a breach from outside the organisation are still very real. Cybercriminals are becoming increasingly sophisticated in their operations, and Trojan and malware infections are rising sharply in PC environments. Cybercrooks can even access online banking sessions in real time and they are continually evolving their techniques, so constant vigilance is required.
Pre-programmed Trojans can activate when the user’s browser accesses a specific website such as an online banking portal, track the online session and perform real-time manipulation of information for illegal money transfers, identity theft, or the compromise of valuable business information.
Disturbingly, these parasites know no geographic boundaries, so an SME needs to approach the issue with a multi-layered defence strategy covering transaction monitoring, authentication and action to shut down the attack.
Software does exist to help managers accomplish these tasks.
