Blog posts in IT security

Protect your business from a cyber attack

There are an estimated 4.8 million small and medium-sized enterprises (SMEs) in the UK, many with their own ecommerce websites.

In 2011, 32 million people purchased goods or services online. That gives the UK one of the world's biggest internet-based economies. And it's why keeping your website safe and secure from cyber-attacks has never been more important.

SMEs are easy targets

As a business owner, you’re probably dealing with plenty of critical day-to-day issues. Perhaps worrying about your website’s security is not top of your list of priorities.

You may be wondering why hackers would want to target a small business rather than big brands like Lush and Adidas. The simple answer is that hackers know smaller businesses have fewer resources dedicated to online security, making them easier targets.

For those involved, cyber crime is big business. It costs the global economy $338bn a year which, according to Symantec, is significantly higher than the global narcotics black market.

Since the beginning of 2010, 36% of all targeted cyber-attacks have been directed at SMEs.

With around 44 million attacks a year taking place against home computers, businesses and government systems in the UK, an offline website means a loss of income. For instance, PayPal reportedly lost £3.5m due to a cyber-attack in 2010.

As well as lost revenue, a website security breach can result in losing vital data, your reputation and even your ranking on Google. Ultimately, it could damage your business beyond repair.

Six simple tips to protect your site

Here are six simple but effective tips to  protect your business against cyber attacks:

1. Choose your passwords carefully. Password123 is not a secure password! Make sure passwords have at least eight characters and use a combination of letters and numbers. Here are some ideas for creating strong passwords.
2. Install anti-malware and anti-virus protection for your website in the same way you would your PC. Reviews can help you determine if the product is right for your business.
3. Use SSL to encrypt data. SSL provides a secure connection, protecting data sent between a customer’s web browser and your server. Your hosting provider can help set this up for you. Learn more about SSL.
4. Avoid using wireless networks. If you must use them, make sure you're using the latest encryption standard, WPA2. This offers government-grade security.
5. Keep programs and hardware up to date. This helps block malware that thrives in older equipment and out of date software. If you are using Windows or a Mac you can set up weekly update checks. You should also do this for any software you use to manage your website.
6. Educate employees about the latest online threats. This way they’ll know clicking on bad links or opening dodgy attachments can compromise data. All your staff should be as vigilant at work as they are at home. If in doubt, don’t click it.

So, if website security wasn’t on your priority list, it might be time to add it now.

Guest post by Rahul Mistry, content writer for www.heartinternet.co.uk. You can follow Rahul on Twitter and Google Plus.

Can you spot the phishing website?

You've probably heard of phishing. It's where scammers send you an email that looks like it's from an official organisation, usually your bank.

The email usually contains links to a fake log in page which collects your username, password and other security details. If you enter them, the scammers will subsequently use your credit card, empty your bank account or commit some other crime against you.

Some phishing websites are laughably bad, with terrible grammar, bad spellng and shonky design. But others can be very convincing.

Spot the phishing site

To show you just how convincing phishing sites can be, here are two screenshots for you. One is the genuine sign in screen for the Co-operative Bank's online banking service. The other is a fake sign in screen from a phishing email I received.

You can click the image to see both screens full size. Can you tell which is which?

See actual size >>

So, how did you do? 

Well, the top screenshot is of the genuine sign in screen. The second one is the fake.

If you're familiar with this bank's online interface, you'll probably realise that the site asking for your full name is not genuine. But if you don't use your online banking often or simply aren't paying 100% attention when you click the link, it's easy to see how you could be fooled.

Three principles to avoid phishing

Checking the address of a site like this is usually the most foolproof way to see if it's fake. In this case, it was easy to tell, because the URL clearly wasn't the Co-operative's normal address:

It isn't always as obvious as this through, so here are three foolproof ways to avoid phishing traps:

1. Don't click sensitive links in emails. If an email from a trusted source like your bank asks you to log in to your account, do so by manually typing in the website address rather than clicking a link.
2. Pay attention to security notices. Most phishing emails will be caught by email filters, security software or web filtering tools. If you see a warning about an email, link or website, don't ignore it. (It's amazing how many people do.)
3. Let the sender know your concerns. If you're in any doubt at all about whether an email or website is genuine, get in touch with the organisation it claims to represent. A quick phone call should be enough to confirm your doubts.

And as a final warning, don't ever enter sensitive log in information if you have any concerns at all about the website you're on. Even if it just looks or feels a bit funny, that's reason enough to stop and think before you make a mistake.

Note: don't click links in dodgy emails like we did. They can be dangerous, even if you don't enter in any sensitive information.

• Staying safe in the changing world of IT
• The bring your own device fear factor
• Can you prove who you are?

How to hack 420,000 internet devices

Here's a stark reminder that internet security perhaps isn't quite as tight as we'd all like.

An anonymous researcher managed to take control of 420,000 insecure internet devices like webcams, network routers and printers.

They were use to effectively create a huge network of internet devices that could be used for dodgy purposes like taking websites down via denial of service attacks. (The researcher didn't go ahead and cause any damage, but the potential was there.)

Standard passwords

What's striking about this research is both the huge number of devices that could be compromised, and the ease with which it could be done. Quite simply, the researcher accessed each device by trying standard usernames and passwords like admin or root.

In a month where a high-profile cyber-attack against South Korea hit the headlines, it's important for your business to remember that sometimes the simplest hacking attempts - like trying default usernames and passwords - can be just as damaging.

Don't neglect the obvious

The anonymous researcher summed up the problem in a post online:

"While everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world."

In short: choose your passwords carefully. And whenever you add a new piece of equipment to your computer network, check if it has sign in credentials and change them if so. If you don't, you could be a part of this problem.

• The ABC of business IT security
• Most small businesses have had a security breach. Have you?
• Emma Watson could bring down your business computers

Image: Rob Kints / Shutterstock.com

The ABC of business IT security

It’s good to refresh your knowledge when it comes to something as crucial as IT and data security. So here’s a slightly tenuous ABC of business IT security. Plus a D and an E for good measure.

A is for anti-virus

Get good anti-virus software and keep it up to date. You usually have to subscribe to software updates, and don’t wait for this to expire before you renew it. Even a few days without adequate protection is asking for trouble.

Spyware - which attempts to extract information from your computer without your knowledge - is another threat. However, most anti-virus packages also include anti-spyware protection too.

You can shop around for the best anti-virus deals. Reputable suppliers include McAfee, Kaspersky and Bitdefender.

B is for backups

Ideally, all the data on your computer system needs to be backed up to external hard drives. This ensures that you won’t lose sensitive information if your computers are corrupted by spyware or viruses.

Inform your staff that they need to back up their data at the end of each day, and regularly remind them to do so. External hard drives don’t cost the earth (you can see a selection here on Amazon), and you’ll be saving yourself a lot of hassle if the worst comes to the worst.

C is for control

When it comes to protecting data from prying eyes, control is the key. If there are files on your company’s shared drive which you don’t want all your staff to view, you should control who can access them.

If you use Microsoft Windows, here’s how to restrict access to a certain folder:

1. Right click the folder and click Properties
2. Click the Security tab
3. Click Edit and then Add
4. Add the usernames of the people you want to access the folder into the box that appears on screen
5. Click Ok

That’s it – you’ve created a list of people who can access that particular file or folder on the shared drive.

D is for data encryption

Encrypting your computer systems makes it harder for hackers and fraudsters to access sensitive business information.

This can be anything from emails and financial figures to documents and databases hat are stored on computers or servers in your business. You can also protect portable storage devices like USB drives, which protects them in the event of loss.

Setting up encryption software can be a little tricky, but this guide to encrypting your laptop is a good place to start. It’s also worth speaking to your IT supplier if you need help.

Encryption is an excellent way to ensure your business transactions are protected from unwanted attention. Even if a fraudster manages to steal a disk containing sensitive information, they should still be unable to read it.

E is for external help

Instead of relying on your own knowledge about maintaining computers, it is a good idea to have an trusted IT supplier you can turn to. They will help troubleshoot any problems with your system, allowing you and your staff to focus on running your business.

Even seemingly minor problems should be flagged up, as they can indicate larger problems with your IT security. It all helps avoid any lingering suspicions that your company has been targeted.

It’s often a good idea to choose a local IT supplier, so you can ask business contacts and friends who they’ve used in the past. Perhaps they could even negotiate you a discounted rate!

Written by online security expert, James Archer, on behalf of online retailer The Safe Shop

• How to find and choose an IT supplier
• Your security plan
• How to prevent IT disasters

Yes, you need to secure your smart phone too

Make sure you keep yours safe. (Image: Flickr user Johan Larsson.)

New smart phones have some strong security measures enabled out of the box. But did you know there are some simple steps you can take to make sure yours is secure?

Set a passcode

The simplest thing you can do protect your smart phone is to set a passcode. Once set, you will be required to enter the code to unlock and use your phone. The minor inconvenience of entering this each time will pay major dividends if your phone is ever lost or stolen.

A thief will be unable to access your phone without the passcode.

• With an iPhone, set your passcode by tapping: Settings > General > Passcode Lock
• On an Android phone, tap Settings > Security > Screen Lock
• If you use a Windows Phone, tap Settings -> Lock + wallpaper

Along the same lines, you should also make sure your phone is set to lock automatically when not in use. This means you won't have to remember to lock it yourself each time.

Keep your phone updated

Keeping your smart phone updated with the latest software is just as important as keeping your computer up to date.

Installing the latest updates helps you avoid any security problems that could affect your mobile operating system. For example, a security flaw in previous versions of Apple's iOS (which runs on every iPhone) could allow an attacker to bypass your lock screen.

You can search our website for details of security vulnerabilities affecting your particular model of phone.

Always be careful

All of the rules you've learned about being safe on your desktop computer apply when you're using your smart phone.

Be careful using public wireless connections, and particularly wary when the network doesn't require you to enter a password to connect. These connections are unencrypted, which means people can easily intercept your data.

Double-check the network you're connecting to is the one you think it is. Some attackers may try to steal your data by posing as a legitimate hotspot.

If you work with sensitive data a lot, consider a secure VPN connection for when you use public Wi-Fi. This should protect data even if you've connected to a dodgy network.

• Where to start with mobile security
• How to protect your phone from theft
• The business risks of smart phone apps

Giri Sreenivas is vice president of Mobile at security specialists Rapid7.

Most small businesses have had a security breach. Have you?

If government statistics are accurate, even the smallest companies need to give serious thought to IT security. That's because official figures show 76% of small businesses have reported a cyber-breach in the last year alone.

You can tell the government is alarmed by the statistics, because it has decided to establish a 'Cyber Reserve' force to deal with the security threats posed by online crime. It's uncertain what this means in practice, as the details won't be revealed until next year.

However, it should signal a more co-ordinated approach to combating cyber-crime, with the goverment recruiting experts to fight back against sophisticated hackers and fraudsters.

Although things have moved on considerably since this 2006 report found internet fraud was slipping through policing procedures, it still sometimes seems like online criminals are several steps ahead of the authorities.

Your business is at risk. Really.

Just in case the message hasn't sunk in yet, let's make it absolutely clear: your business could be a target for online criminals.

We recently spoke to security expert Don Smith who explained that smaller companies often find themselves singled out in online attacks because they're seen as soft targets:

“More and more smaller companies are being attacked by cyber criminals, yet many still hold the view that they are too small to be targeted."

"If they have any public profile – if they’ve been in the news, for instance - then they can be a soft target. They also might get targeted if they handle the intellectual property of big clients, for example, a creative agency working on a big account."

“This leaves small organisations vulnerable to a number of risks, including attacks, data loss, service disruptions and reputation damage. Just like larger enterprises, small businesses need visibility into the threats that face their organisation.”

Clearly, that begs the question: what should you do about it? Hopefully, you'll have got the basics right. You'll be protecting your network with a firewall, and each individual computer and server in your business will have its own firewall too.

You should definitely be running security software too (try Norton Internet Security, McAfee All Access or ESET).

But to really get a grip on your IT security, you need to spend a little time on security planning. The first stage is to identify your most valuable data, so you can find ways to protec it.

It's worth reading the full interview with Don to understand a bit more about the security issues your company could face. We also have some really useful information about putting a security plan together and assessing the risks your business faces.

With just a little preparation, you can reduce the chance of your business becoming another IT security statistic.

• Staying safe in the changing world of IT
• Simple IT security for smaller companies
• Five mistakes you could be making with your IT security

(Police lantern image: conner395 on Flickr.)

Could you keep your tech going through a blackout?

These won't run your server for long. (Image: mjtmail (tiggy) on Flickr.)

The UK could run out of energy generating capacity in winter 2015, reckons Ofgem, which says as spare generating capacity drops we could see energy prices rise too.

With the average business electricity bill at £2,600, that's not exactly something to look forward to. However, it could be a drop in the ocean compared to the loss in productivity a single blackout could cause.

No power, no business

Losses mount up very quickly when you can't use your computer, speak to customers over the phone or even see to pack orders and send them out. When there's no power, you can't do business.

Traditionally, businesses have planned for power interruptions by plugging their servers into uninterruptible power supplies (UPS). If you suffer a power cut, a UPS will continue supplying power. Chances are you won't be able to work, but you will be able to shut your server down properly, protecting it from damage and hugely reducing the risk of data loss.

If you have a server on your premises, you really should use a UPS. It's that simple. They start from around £100, but you'll need to spend a bit more to get a decent model like the APC Smart-UPS.

There are lots of UPS models available from companies like PC World Business, eBuyer and Servers Direct.

But if you want to actually carry on working, you need significantly more juice than a typical UPS will supply. Step forward industrial battery specialist UK Powertech, which has launched a 'compact energy storage device' for smaller businesses and homes.

Called the BlackCurrent, it charges off the mains when the supply is good, then supplies electricity back to your equipment when required. You should be able to continue running computers, servers and critical gear for an hour or two.

The BlackCurrent does come at a price. It starts at £850, and you'll certainly have to spend more if you want to keep your computers and servers going for long.

Is it worth it? That really depends on your company's approach to risk, and how much damage a power outage could cause your business. But if predictions of power cut doom and gloom are in any way accurate, maybe it's worth considering.

• Continuity planning and backup options
• Writing your disaster recovery plan
• How to increase laptop battery life

Emma Watson could bring down your company computers

While the world's attention is diverted by a story involving a member of the Royal Family and partial nudity, don't let your guard down. Although the Duchess of Cambridge may be in the headlines today, there's a far more urgent threat to your IT systems out there: Emma Watson.

Security firm McAfee reckons the Harry Potter star is 2012's most dangerous celebrity. And it's not because she's particularly adept at hacking into Windows XP or an expert at guessing passwords (although who knows what damage a few well-placed spells could wreak?).

No, according to McAfee's research, anyone searching online using terms like 'Emma Watson and nude pictures' runs a high risk of landing on a dangerous website that's infected with malware. As the firm explains:

"McAfee research found that searching for the latest Emma Watson pictures and downloads yields more than a 12.6% chance of landing on a website that has tested positive for online threats, such as spyware, adware, spam, phishing, viruses and other malware."

Now, you might justifiably argue that anyone searching for things like that deserves everything they get from the web's seedy underbelly. But if they're doing it on work time, using your company computers, you should be worried.

Sure, you can discipline the employee responsible, but if your server's infected with a virus or a trojan has stolen your customer list then you'll have bigger problems to worry about than whether your staff member actually found what they were looking for.

Your company policies should - of course - make it clear that this sort of thing is not allowed, but that's not much use either once your computers are infected. And that's why every single PC in your company should have security software installed and up-to-date.

Packages like McAfee's own All Access software (£74.99) will guard against viruses, trojans and spyware, and show a warning screen when you try to visit a dodgy website. Alternatives include AVG Internet Security (£97.99) or Kaspersky's Small Office Security package (possibly best value of the lot because it covers five computers for £159.99).

While packages like these won't entirely guard against employee mistakes, stupidity or bad luck, they do provide a strong line of defence for your company. Even if you're not in the habit of searching for nude pictures of Harry Potter actors.

Image of Emma Watson: Flickr user david_shankbone under Creative Commons.

• Your security plan
• Meet your employees, the information saboteurs
• How hackers target your passwords

Meet the information saboteurs, aka your employees

Who poses the biggest threat to your company data? You've probably thought about external security threats, but have you stopped to consider the damage your employees could do?

Information risk management specialist Ascentor reckons nearly 15.9m people are ready to damage their employer's business, and says over two million already have. These statistics and more are summarised in this infographic, and you can see the full version over on the Ascentor website.

See the full version of this infographic >>

• Simple IT security for smaller businesses
• Your security plan
• Five key website security checks

Friday Donut tip: protecting your phone from theft

Smart phones are portable and valuable, making them prime targets for theft. Some reports suggest that 20,000 mobile phones are lost or stolen in the UK every day. And with the Olympics expected to attract extra opportunistic thieves, now's not a bad time to give your smart phone security the once-over.

Quite apart from the cost of replacing a phone (Apple's top-of-the-range iPhone costs £700!), you need to think about the value of the data stored on it too. All those contact details, emails, files, photos ... could you afford to lose them? That's why this Friday, we have three crucial security tips every smart phone owner should follow:

1. Regularly back up your phone

Most smart phones come with software to copy data to your computer, creating a backup of everything on your phone in case it gets lost or stolen. iPhone users will be familiar with iTunes. Android handsets usually come with something similar, like Samsung's Kies software.

Be careful though - if you keep your phone and laptop in a bag which gets stolen, you could lose your backup too. Perhaps it's better to back the data up online. Again, most smart phones offer this option: Apple has iCloud, and MyBackup Pro is a good option for Android phones. If you use a BlackBerry, check out the BlackBerry Protect app.

2. Use keylock with auto-erase

Keylock is the first line of defence when a thief gets their hands on your phone. It prevents them from accessing any of the phone's functions without entering a PIN code or drawing a certain pattern on the screen.

Every smart phone offers a keylock and you should definitely use it. Many handsets also have an auto-erase option, which wipes everything from the phone if an incorrect PIN is entered too many times.

3. Track your phone from afar

Mobile apps can help you fight back against mobile phone thieves. GPS functions can pinpoint where a stolen phone is. And - as news stories show - the police are becoming increasingly switched on about how to use these tools to recover stolen property.

The best-known is Apple's Find my iPhone. But other platforms are catered for too. Windows Phone handsets have tracking functions built in. Android users can try Plan B, and BlackBerry Protect includes tracking functions too.

Some tracking tools let you remotely wipe the phone too, but the key is to install one now. Because once your phone's gone, it's too late to do anything about it!

Previous Friday tips:

• Be careful what you share
• Faster ways to select text in Microsoft Word
• Generate unique passwords for any website

Image: Flickr user JAK SIE MASZ.

Friday Donut tip: generate unique, memorable passwords for any website

Passwords and website security breaches seem to be in the news constantly. Yet people still insist that passwords are generally a nuisance, and would rather have simple ones or use the same one for every website.

But that's risky. Having just one of those passwords revealed could potentially allow an attacker to access many of your other online accounts.

One really simple way to ensure you have a unique password is to use the name of the website in the password itself.

Come up with a password (or better yet, a passphrase) that you will remember. For example:

Ilikepineapples

That will be the base for your other passwords. For your Google account, you would use the password:

IlikepineapplesGoog

For your YouTube account you would use:

IlikepineapplesYout

Easy! You can obviously make the passwords as complex as you like, using numbers, symbols and both upper and lowercase letters.

NB: I would recommend including numbers, symbols and capitals in your password. I didn't here for simplicity.

Previous Friday Donut tips:

• How to change text capitalisation
• Easier ways to stay focused while you work
• Useful keyboard shortcuts

Friday Donut tip: securing LinkedIn passwords

This week, online services LinkedIn, eHarmony and Last.fm all suffered security breaches which saw users' passwords fall into the hands of hackers. It's not the first time something like this has happened and it won't be the last: previous victims have included Gawker and Twitter.

I've mentioned before that I think passwords are broken. But they're here to stay, at least for the foreseeable future. So for this Friday's Donut tip, we explain what you should do if you have an account with one of the affected services.

Secure your account

To begin with, be wary of any emails you receive warning that your password has been leaked. They might be genuine, but there are lots of phishing attempts going round too, so you're better off just deleting them.

The next step is easy: PANIC!

Actually, I'm just joking. You definitely don't need to panic. It's counterproductive and unnecessary, because it's actually pretty easy to secure your accounts:

1. Go to the website of the service you use (LinkedIn, eHarmony or Last.fm)
2. Log in using your normal username and password
3. Use the change password option to make your password something completely new
   (Don't just change a single letter or number of your old password - use something totally different. At this stage it's a good idea to make sure your password is nice and strong. I've put some tips below)

That's it, unless - like most people - you use the same or a similar password for other things. You see, scammers aren't stupid, and they know that if you use that password for your LinkedIn account, perhaps you also use it - or something similar - for more important services, like your email.

This means you also need to change any identical or similar passwords that you use on other services. You should really have a different password for each one.

Creating strong passwords

You've probably seen the usual advice about creating strong passwords. Use upper and lowercase letters, numbers and symbols, don't use words you'd find in the dictionary, and so on. But these passwords can be devilishly hard to remember.

I like the song lyrics trick: take a memorable line from a song, pull out the first letters of each word, then wrap it in a number that you can remember.

For instance, a Rolling Stones fan might choose the first line from Sympathy for the Devil: 'Please allow me to introduce myself'. And he might be able to remember 1960, because that's the year he was born.

Shortened, it becomes 19Pamtim60. Not bad.

Alternatively, you can use a tool like LastPass to generate and remember super-strong passwords for you. John Sollars talked more about keeping passwords safe in a recent post over on Startup Donut.

Previous Friday Donut tips:

• Increase laptop battery life
• Delay sending emails in Outlook
• Three keyboard shortcuts I use a hundred times a day