Big companies enjoy the protection of dedicated IT departments, but for small businesses cyber security can often be an afterthought. However, this can be an expensive mistake - the Federation of Small Businesses (FSB) recently found that two-thirds of small companies have been the victim of an attack in the past two years.
This need not be the case though. In fact, most scams aren’t as sophisticated as you might think and simply rely on user complacency. The best weapon against this is vigilance, and a few simple steps can help you protect your business.
Established techniques used to commit fraud include "phishing" attacks and Trojan viruses.
Phishing uses email to trick you into giving out personal information, such as bank log-in details, or getting you to download malicious software (known as malware).
Trojans are a common type of malware and can be installed on your computer without you knowing. They can be designed to do many things, including steal money from your account.
Phishing works by sending you an email pretending to be from a genuine company, like your bank, often convincingly imitating the company’s branding and tone. Criminals can also spoof email addresses, so an email may look as if it is from someone in your own company.
The email might ask you to click on a link. This will take you to a fake website where you will be asked to input your secret information, which is then captured. It might also ask you to open an attachment, which will then install malware such as a Trojan.
Phishing emails can be very convincing, so check whether you recognise the sender’s address and whether the tone and language used are normal for them. If the request is urgent, would you expect this from the sender?
Be suspicious of all unsolicited emails, particularly those that ask you to make a payment, open attachments or click hyperlinks. Verify all email requests by telephoning the sender on a number taken from your own records.
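Several of the checks above can be automated before a message ever reaches a busy inbox. The Python script below is an added example, not code from the original post or from NatWest. It parses a constructed sample message (every address, domain and filename in it is made up) and reports the warning signs the post describes: a Reply-To on a different domain from the From address, urgent wording in the subject, a link whose visible text names one domain while the href points somewhere else, and an attachment with an executable extension. The domain comparison keeps only the last two labels of a hostname, which is a simplification rather than a proper public-suffix lookup.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message) carrying the warning signs discussed
# above: a Reply-To on a different domain from the From address, urgent wording,
# a link whose visible text names one domain while the href points at another,
# and an executable attachment disguised as a PDF.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank-login.test>
Reply-To: recovery@mailbox-hosting.test
To: accounts@smallbiz.test
Subject: URGENT: confirm your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://example-bank-login.test/verify">https://www.example-bank.test/login</a> now.</p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

ZXhl
--b1--
"""

RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registrable(host):
    """Last two labels of a hostname; a crude stand-in for the registered domain."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def domain_of(text):
    """Domain named by a URL or bare hostname, or '' if the text is not one."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "http://" + text
    return registrable(urlparse(text).hostname or "")


def phishing_indicators(raw):
    """Return human-readable warning signs found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    from_domain = registrable(from_addr.rsplit("@", 1)[-1])
    reply_domain = registrable(reply_addr.rsplit("@", 1)[-1]) if reply_addr else from_domain
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain differs from From: {reply_addr} vs {from_addr}")
    subject = msg.get("Subject", "")
    if any(word in subject.lower() for word in URGENCY_WORDS):
        findings.append(f"Urgent language in subject: {subject!r}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"Executable attachment: {filename}")
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in collector.links:
                shown, real = domain_of(text), domain_of(href)
                if shown and real and shown != real:
                    findings.append(f"Link text shows {shown} but points to {real}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Point it at a message saved as a `.eml` file and it will list the same signs a careful reader would spot by hand; the link-text mismatch is the one most worth teaching staff to look for by hovering over a link before clicking it.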
This will help prevent Trojans from being installed, but it’s important to keep your computer safe in other ways too.
Install a firewall and antivirus software. We recommend our customers download Trusteer Rapport, which is free. Keep this software up to date, as well as your operating system and your web browser. Block access to websites your staff don’t need for business. Don’t conduct sensitive transactions over public wi-fi networks or while using internet cafes, as these can be insecure.
Finally, make sure your staff follow these rules and are as vigilant as you, as it just takes one mistake to leave you vulnerable.
Copyright © 2016 Marcelino Castrillo, managing director, Business Banking, NatWest.
For more information on cyber security, as well as other issues affecting small businesses, NatWest’s Business Growth Enablers are running education sessions across the UK, free to anyone running or setting up a business. To find an event near you, go to www.eventbrite.co.uk and search NatWest.
HMRC’s latest advice on phishing can be found on the GOV.UK website.
Fraud within the telecommunications industry costs UK-based SMEs about £1billion a year, according to data from Incom.
Telecom fraud covers a number of aspects: using the phone system as a backdoor to your data if the two are linked; using your phone system to make calls, usually to expensive destinations such as international or premium-rate numbers; or even someone making calls that look like they are coming from your organisation in order to scam other organisations.
A number of suppliers offer fraud detection and indemnity - some for free, others for a fee. However, before you choose one of these services, it is important to be clear about how much of the fraud is covered.
Ofcom insists that providers should not profit from fraud, so if you're a victim, and you have to make a payment to your telecoms provider, it should be only for the cost of the calls incurred by the supplier, not their normal resale price.
All employees should be made aware of the risks and how to mitigate them:
A new set of potential problems has arisen because of the rise of IP or internet solutions such as SIP and VoIP. Before businesses moved from analogue phones to IP phone networks, it was rare for staff to be able to access anything relating to their phones from the corporate computer network; so why should employees be able to access the phone network now simply because the network's underlying protocol has changed?
Ideally, you should have physically separate data and phone networks, but if this isn't realistic, VLANs can separate traffic. You want to ensure that no data can traverse between the two networks without passing through a network security device. Many providers recommend using a session border controller (SBC) but some companies are reluctant to pay for this extra measure, partly because its significance is not always understood.
Whether you use landlines or IP, it's worth setting up call bars on premium numbers (and even, if appropriate, international numbers) to limit the impact if your systems are compromised. It's also worth taking a more robust approach with the use of passwords.
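As an added illustration, not code from the article or from any telecoms provider, the Python below models a call bar of the kind just described: premium-rate and international prefixes are blocked unless they are on an allow list, calls outside office hours are marked for review, and a burst of barred-class attempts from a single extension is flagged from a constructed call log. The prefixes, hours and limits are assumptions to be replaced with your own numbering plan and working pattern; a real PBX would enforce the same rules in its dial plan and the burst check would run over its call detail records.

```python
from datetime import datetime, timedelta

# Constructed policy, assumed for this example (check your own provider's numbering
# plan and tariffs): UK premium-rate numbers begin 09, international calls begin 00,
# and one international prefix is allowed because the business has a supplier there.
BARRED_PREFIXES = {"09": "premium rate", "00": "international"}
ALLOWED_PREFIXES = ("0033",)          # France, assumed to be a legitimate destination
OFFICE_HOURS = range(8, 19)           # 08:00 to 18:59 local time
BURST_LIMIT = 5                       # barred-class attempts per extension within the window
BURST_WINDOW = timedelta(minutes=10)


def classify(dialled):
    """Return the barred class of a dialled number, or None if it is unrestricted."""
    digits = "".join(ch for ch in dialled if ch.isdigit())
    if digits.startswith(ALLOWED_PREFIXES):
        return None
    for prefix, label in BARRED_PREFIXES.items():
        if digits.startswith(prefix):
            return label
    return None


def call_decision(dialled, when):
    """Decide ('block' | 'review' | 'allow', reason) for one call attempt."""
    label = classify(dialled)
    if label:
        return "block", f"{label} number barred by policy"
    if when.hour not in OFFICE_HOURS:
        return "review", "call placed outside office hours"
    return "allow", "ok"


def detect_bursts(call_log):
    """Return the extensions that attempted BURST_LIMIT or more barred-class calls
    within BURST_WINDOW. call_log holds (timestamp, extension, dialled) tuples in
    time order, as a PBX call detail record export would supply them."""
    recent = {}
    flagged = set()
    for when, extension, dialled in call_log:
        if classify(dialled) is None:
            continue
        attempts = [t for t in recent.get(extension, []) if when - t <= BURST_WINDOW] + [when]
        recent[extension] = attempts
        if len(attempts) >= BURST_LIMIT:
            flagged.add(extension)
    return flagged


def sample_decisions():
    """Decisions for a few constructed dial attempts, keyed by a description."""
    daytime = datetime(2016, 3, 5, 10, 0)
    night = datetime(2016, 3, 5, 2, 0)
    return {
        "premium rate by day": call_decision("0909 123 4567", daytime)[0],
        "international by day": call_decision("0044 20 7946 0000", daytime)[0],
        "allowed international by day": call_decision("0033 1 23 45 67", daytime)[0],
        "national at night": call_decision("020 7946 0000", night)[0],
        "national by day": call_decision("020 7946 0000", daytime)[0],
    }


# Constructed call detail records: extension 201 dials six premium-rate numbers in
# the early hours (the pattern the article describes when a phone system is used to
# call expensive destinations), while 202 makes a single such call during the day.
SAMPLE_LOG = [(datetime(2016, 3, 5, 2, minute), "201", f"0909 000 {minute:04d}") for minute in range(6)]
SAMPLE_LOG.append((datetime(2016, 3, 5, 10, 0), "202", "0900 111 2222"))

if __name__ == "__main__":
    for description, decision in sample_decisions().items():
        print(f"{description}: {decision}")
    print("extensions showing a burst of barred calls:", detect_bursts(SAMPLE_LOG))
```

The review and burst outputs are the part worth wiring into an alert: a bar on premium numbers caps the cost of a compromise, but a run of blocked attempts at 2am is the earliest sign that a handset or account has been taken over.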
All SMEs need to be aware of the threat and should talk to their provider about what steps they can take to avoid becoming the victim of a telecoms fraud.
Future Crimes by Marc Goodman is a very scary book. Subtitled, "A journey to the dark side of technology and how to survive it", this is a real eye-opener.
Technology is improving so many aspects of the business world but the truth is that criminals are often the most innovative adopters of technology.
Let's start with a few scary statistics from Goodman's book:
You can see where this is going. It's all about data. Goodman suggests that Google and Facebook are free because they are data collectors and aggregators - and yet neither use the word "customers". They know everything you have done online and increasingly everything else as well.
In the USA, online data that is collected by third parties is not considered private, which means it can be used by anyone, from the Inland Revenue to the police. Some dating sites, for instance, share their data with data brokers. It's all there in the small print.
The point is that all that data is stored, and hackers can get access to it. Any data that is collected will invariably leak.
Everything that is connected can be hacked. And now we are at the beginning of the internet of things. Connecting everything. Which means that nothing can be hidden and everything can be hacked, from your car to your TV. Even the video conference system in your board room can be hacked.
Goodman presents a number of tips on how to help you to protect yourself. They include:
The good news, he says, is that by taking these steps you can avoid 85% of all threats.
If you want a book that makes you think about the unintended consequences of technology, this is one to pick. It also screams business opportunity. Cyber security is a hotspot.
The recent scenes from Cumbria have shown us all just how vulnerable our homes and businesses can be. But for many, the damage was not just to the physical parts of their business, but also to their crucial business records.
Client details, accounts and invoices could be lost when computers are damaged in this way.
So what can you do to protect your business from floods like these, as well as other dangers like fires, viruses and human errors, all of which could wipe your computers clean?
Even with the best physical back-ups in the world, you can guarantee that the day you don't get round to backing up your data will be the day you'll really wish you had. That's where online data back up really comes into its own.
Online back-up using cloud-based systems is the ideal solution for small and medium-sized businesses because it takes your data and stores it safely elsewhere, ready to be restored whenever you need it. The back-up takes place automatically, so no one needs to find time in their busy schedule to do it, you don't need any expensive hardware or external drives, and no one has to remember to take the discs home at the end of the day.
Best of all, because the system only backs up changes, the whole process is quick and efficient and won't use up all your internet bandwidth.
Some customers worry about the security of their data when it is backed up online, but most online services, BackupVault among them, encrypt all data before it leaves your business and store it securely.
Cloud-based data back-up services cost from £10 per month - which could be considerably cheaper than what many small firms spend on discs and drives, plus the personnel time to do the physical back ups.
If the worst ever does happen, and you lose your business data, a cloud-based back-up system allows you to retrieve your data in just a few clicks of a mouse.
No-one wants to wake up to find their business has been washed away, so don't risk it. Back up online so your data is safe whatever happens.
Sponsored post: copyright © 2016 BackupVault.
At the end of last week, broadband and telecoms company TalkTalk announced it had been hit by a cyber attack. As a result, there was a chance sensitive customer data had been accessed.
Clearly, the ultimate blame for these incidents lies with the attackers who set out to steal data. They're the real criminals in this scenario.
But at the same time, it's fair to say that some organisations are making it too easy for hackers to steal sensitive data. Although we don't yet have full details of the TalkTalk incident, other newsworthy breaches have involved below-par security measures.
Such is the frequency of these stories that you could be forgiven for shrugging each off as 'yet another cyber attack'. But as new research reveals a lack of trust in business, it would be unwise to ignore the cumulative impact of these incidents.
Digital identity experts Intercede recently released some interesting research. It suggests people don't tend to trust businesses when it comes to protecting their personal information.
The survey questioned around 2,000 people aged 16-35. These people are often referred to as 'millennials', and tend to be comfortable using technology in their everyday lives.
It might therefore come as a surprise that the research found a significant proportion of these people have little trust in business to protect their personal information.
The research asked people to rate their trust in businesses from different sectors. When it comes to data security, 61% of respondents described their level of trust in social media platforms as 'none' or 'a little'. The figure was 38% for retailers and 19% for financial institutions.
Indeed, few people describe their level of trust as 'complete' - just 13% for their employers, and 4% for telecom operators.
The same group of people was asked about how organisations share data. Many respondents said that their personal data should only be shared with companies they have specifically authorised.
Over 74% of people said that it was 'very important' or 'vital' that they should be able to specifically authorise how their location data is shared. 58% said the same for social media content and 57% for data on their purchasing preferences.
"Millennials are hungry for change," reckons Lubna Dajani, a communications technology expert and futurist. "Major data breaches happen every week and millennials, along with the rest of the general public, have found the trust they put in government institutions and businesses to protect their digital identities are being shaken."
"This is by no means an apathetic generation. If business and government leaders don't adopt better protocols now, millennials will soon rise up and demand it."
What are the real digital threats to your business? When you’re thinking about IT security, it can be hard to know where to focus your time and energy. (Believe everything you read in the news and there are dangers lurking around every corner!) To help companies understand the real risks out there, recruitment firm Modis has created this infographic explaining business security issues. It is a little US-centric, but we still think it contains some helpful information.
What’s Your Business’s Greatest Cyber Threat [Infographic] by the team at Modis
If you pay attention to the headlines, it seems like hackers are hacking more than ever. Large companies like Apple and US giant Home Depot have fallen victim to security breaches of one kind or another.
Information relating to tens of millions of people has been compromised. But, how do hackers hack? What techniques do they use to infiltrate business networks and gather valuable data?
In this ongoing cyber conflict, it’s important to know your enemy. Read on to find out what strategies hackers use when they hack.
Using strong passwords is certainly a smart idea, but in some cases it’s not enough. Although strong passwords are hard for hackers to guess, many will simply try to obtain the password through illegal means.
This usually involves breaching the security measures of a website or company, thereby gaining access to a list of user passwords. This recent password hack is a great example.
You can protect your business by using unique passwords for each individual account and changing them every few months. You should also protect your systems from hacking attempts by using up-to-date security software.
If you ever go to a café, pub or airport, you might be tempted to connect to the free wireless network available there.
Free Wi-Fi is one of modern life’s conveniences. But be careful, because it can also be a prime target for hackers. They can set up fake wireless networks with legitimate-sounding names.
Once you’ve connected, hackers can steal your personal information and any unprotected data that you send over the network.
Be cautious when connecting to public Wi-Fi. Only use networks that require a password to connect and check the network name with the establishment you’re in.
Even then, don’t assume you’re safe. Consider connecting through a VPN to protect all the data you send across the wireless network.
Ah, the old fake email scams. Hackers try all kinds of approaches to snare victims via fake emails.
You can often spot them through telltale inconsistencies or spelling and grammar errors. In any case, never give sensitive information out through emails, especially if you’re unsure of the source. Be wary of phishing attacks through social media too.
Cookies are small pieces of data that websites place on your computer. They’re used to provide certain functions online (like remembering when you’ve logged in to a website, or what’s in your shopping cart).
Some hackers hack using a technique called ‘cookie hijacking’. Basically, they steal the cookies on your computer, then use them to pretend to be you when they visit a website.
Using good security software is a good precaution against cookie hijacking. There’s also a lot websites can – and should – do to make their users less vulnerable.
If you’re particularly worried, you can regularly erase cookies from your computer. However, this may cause your preferences on websites to vanish, so it can be inconvenient.
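To make concrete what websites "can and should do", here is an added Python example (not part of the original post) that audits a Set-Cookie header for the three attributes that limit what a stolen or intercepted cookie is worth, Secure, HttpOnly and SameSite, and builds a session cookie with all of them set using only the standard library. The header values are constructed for the example.

```python
from http.cookies import SimpleCookie


def audit_set_cookie(header_value):
    """List the protections missing from a Set-Cookie header value such as
    'session=abc; Path=/'. Returns [] when Secure, HttpOnly and a SameSite
    policy of Lax or Strict are all present."""
    attrs = {}
    for attribute in header_value.split(";")[1:]:
        key, _, value = attribute.strip().partition("=")
        attrs[key.lower()] = value.strip()
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")      # would also be sent over plain http://
    if "httponly" not in attrs:
        missing.append("HttpOnly")    # readable by any script running in the page
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite")    # attached to requests started by other sites
    return missing


def hardened_session_cookie(name, value, max_age=3600):
    """Build a Set-Cookie header value for a session cookie with all flags set.
    SimpleCookie (standard library, Python 3.8+ for SameSite) formats the attributes."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


# Constructed header values a small site might send (not captured from any real site).
WEAK = "session=3f9a2c; Path=/"
HARDENED = hardened_session_cookie("session", "3f9a2c")

if __name__ == "__main__":
    print("weak     :", WEAK, "-> missing", audit_set_cookie(WEAK))
    print("hardened :", HARDENED, "-> missing", audit_set_cookie(HARDENED))
```

Run the audit over the Set-Cookie headers your own site returns after login; anything reported as missing is a setting the web server or application framework can usually turn on without code changes. Issuing a fresh session ID at login and a short lifetime, as the Max-Age here does, further limits how long a copied cookie stays useful.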
These four techniques are by no means the only way that hackers hack. But they’re some of the most common and sneaky.
This is a post from Rick Delgado, a freelance writer and tech commentator.
When an employee leaves your businesses, are you letting them walk out with access to valuable company data?
According to the 2014 Intermedia SMB Rogue Access Study, 89% of employees who leave a company retain access to business or cloud applications like Salesforce, PayPal, email and SharePoint.
That’s a scary figure. We’ve written a lot about IT security lately, but statistics like this make us think that this level of coverage is warranted.
When a member of staff leaves your business, you must have a way to revoke their access to all your resources. Failure to do so just invites disaster.
Of those people questioned for the research, 49% had actually signed in to an ex-employer’s account, despite having left the company.
Most of these people probably act out of curiosity, rather than malice. But they still have access to apps that may contain important company data.
A minority will almost certainly be intending to do harm to their former employers. It only takes one person to cause you all sorts of problems.
You could be looking at hefty reputational damage, a loss of competitive advantage — or even a big fine from the Information Commissioner.
“Most small businesses think ‘IT security’ applies only to big businesses battling foreign hackers,” says Michael Gold, president of Intermedia.
“This report should shock smaller businesses into realising that they need to protect their leads databases, financial information and social reputation from human error as well as from malicious activity.”
You can start by putting some proper procedures in place to control and revoke access when employees leave your company. These are some good starter tips:
It can be trickier than you might expect to get a handle on who has access to what in your business. However, once you do so, you can be more confident of retaining control over your most important data.
Last week’s celebrity hacking news showed just how easy it can be for hackers to gain access to sensitive or personal data.
And you don’t need to be a well-known personality to be targeted by hackers. Many hackers target small businesses, because these companies are less likely to have invested in strong security measures.
Someone hacking or compromising your system could be your worst nightmare. But there are some simple ways to prevent it from happening. Here are some steps you can take to make your system safer.
Two-step verification is a good way to add another layer of protection when staff log in to company systems.
Typically, two-step verification requires your staff to sign in with something they know (a password), plus something they have (often a one-time code that’s texted to their mobile phone or shown on a digital key fob, pictured).
Two-step verification provides significant extra protection, especially if your company uses its systems to store and share sensitive documents.
Most people know they need to use strong passwords. But most people still don’t do it.
Make it company policy to use strong passwords. Mixing uppercase letters, lowercase letters, numbers and symbols makes it much harder for someone to gain unauthorised access.
Sharing usernames and passwords is a big no-no. If everyone uses the same details to sign in to your shared workspace, then when something goes wrong you have no audit trail back to a specific user.
It also creates potential risk when an employee leaves the business. They probably won’t do anything malicious, but are you willing to take that risk?
Encryption scrambles data so it can’t be read, even if a hacker gets their hands on it.
Windows 7 and Windows 8 both have encryption tools built in. There are plenty of other encryption tools available too — many are free.
Copyright © 2014 Ian Cowley, managing director at Cartridge Save.
You can’t have missed last week’s news that hackers gained access to intimate photos belonging to celebrities, including Jennifer Lawrence (pictured).
The story has raised important questions about what data individuals store in the cloud. Many of those questions have implications for businesses too.
After all, cloud services play a pivotal role in many companies. They’re used for all kinds of tasks, from backing up data and sharing files to enabling remote working and reducing the need for expensive in-house equipment.
The cloud certainly has significant advantages, and it’s here to stay. There’s a strong argument that overall, the security risks of using the cloud are lower than storing data in your own business.
But with cloud technology still developing, could this breach be the spark that forces cloud providers and their users to confront some key questions?
Although full details of the iCloud breach have yet to emerge, it seems likely the celebrities were victims of some kind of brute force or social engineering scam.
This means hackers used techniques to work out login details, rather than exploiting a technical flaw.
With cloud security, much of the focus is on measures like firewalls and backups. However, if all that stands between a hacker and your data is an easy-to-guess password (like ‘password’, ‘123456’, or your company name), that is how criminals are most likely to get at your data.
An interesting piece from Wired argues that we’ll all benefit if some of the affected celebrities try to sue Apple over this case.
I won’t go into all the arguments, but one key point is we often start using cloud services without completely understanding what we’re getting into.
For example, Apple’s iCloud terms of service are over 8,000 words long. When you sign up, you agree to them, almost certainly without having read them.
As we use these services to store and share sensitive information, perhaps providers should make more of an effort to really communicate what they do to protect our data, and what we need to do, too.
If you don’t understand what a cloud service is going to do with your data, do further research before signing up. A local IT supplier might be able to help.
Don’t commit everything to begin with, either. Start by moving non-critical data to the cloud. You can shift more of your business across as you gain confidence.
If you’re an A-lister, you can guarantee you’ll get attention when your cloud services get hacked.
But if you’re an ordinary business just trying to get on with work, are you confident you’ll get a response from your provider when something goes wrong?
Services like Apple’s iCloud and Google Apps are designed to be automated. You can sign up and start using them without having to speak to anyone.
Most of the time, they work flawlessly. But if something goes wrong and you can’t figure it out yourself, it can be hard to find someone to help with the problem.
Look for cloud providers that offer comprehensive support and have a good reputation. Search online for reviews and make sure they’re well established.
Often, a local IT supplier can help you find the most appropriate cloud services as well as providing support and help when you need it.
Blog by John McGarvey, editor of the IT Donut.
Security company Norton has created a Hitchhiker’s Guide to Hacking web page. And as a confirmed fan of Hitchhiker’s Guide to the Galaxy, I can’t quite decide what to think of this.
On one hand, it’s been put together with real care. The information is detailed and someone has spent significant time on the design.
Unlike many such infographics, it’s not been knocked together in five minutes by someone who has a basic knowledge of Microsoft Paint. (Actually, most of the information is text-based, but the illustrations are nicely done.)
But on the other hand, we’re talking about the Hitchhiker’s Guide to the Galaxy, probably one of the world’s best-loved modern stories. Is it right for Norton to use its instantly recognisable identity as part of a PR campaign?
Maybe it’s best for you to decide for yourself. You can check out the Hitchhiker’s Guide to Hacking here. It’s worth a look, if only for the depth of information it contains.
Google's busy making changes to its ranking algorithm again. This time, the search giant has decided that websites which use a secure connection as standard should get a boost in search results.
Historically, secure connections have only been used to transfer sensitive information, like credit card details. The secure, encrypted connection is signified by https:// at the beginning of the website address, and a small padlock shown somewhere in your web browser.
There's a good argument for using secure connections more widely. Perhaps most significantly, they're an effective way to prevent 'man in the middle' attacks. These occur when an attacker intercepts data as it travels between a user's computer and a web server.
When a website uses a secure connection, attackers may still be able to intercept the data. But because it's encrypted, they won't be able to understand it.
As well as protecting data from attackers, this change may also represent something of a shift in attitudes around security.
Jason Hart, VP at SafeNet, reckons this change by Google will have a significant impact on how organisations secure their websites:
"Every company wants to rank favourably on Google, so it’s in their best interest to ensure web pages are encrypted."
And although using encryption can hit website performance, these days the effect is negligible. "There are now high speed encryption technologies available that mean cost and speed need no longer be an issue," continues Jason.
"So there really is no excuse for any data to be transmitted or stored in plain text."
If your website doesn't currently use a secure connection, there's no need to panic. At present, the same is true for the majority of websites.
In its blog post summarising the changes, Google also confirmed that, initially, security will have a very small influence on search rankings. However, it may become a more significant factor in time, so it's a good idea to think about how to add a secure connection to your website.
To secure your website, you need an SSL certificate. The SSL stands for secure sockets layer. SSL certificates are available from most web hosting companies, and are sometimes included with web hosting services.
Although you don't need to act now, this latest move by Google definitely means it's worth finding out what it will take to make your website more secure.
The Heartbleed security flaw — discovered in April — affected more than 60% of web servers. As a result, some experts considered it to be the most dangerous security flaw on the web.
However, it’s not the first big security issue in history. And it certainly won’t be the last.
For instance, Apple endured a similar situation earlier this year. Its ‘goto fail’ bug was a vulnerability similar to Heartbleed, but Apple handled it well enough that it didn’t receive the same level of news coverage.
So, what can your business learn from Apple’s goto fail debacle?
Quite simply, flawless software is a myth. Writing computer code is difficult and modern software is complex. The greater the complexity, the greater the risk of security flaws.
Although goto fail was the result of sloppy code in Apple’s operating system, Heartbleed’s vulnerability runs deeper. Either way, these breaches demonstrate that even tech giants with a lot to lose can’t make their software invulnerable.
Once you’ve accepted the risk, be more vigilant about the software you use.
The code behind Apple’s operating system framework is reviewed more often than iTunes updates its terms and conditions. Yet the flaw existed for 18 months before it was revealed. Heartbleed went undetected for two years.
Unless you want your security flaws to be discovered by a rival — or worse — stay vigilant.
Be careful what you download, what you click, and what access you grant applications and websites. You become a target whenever you share private or financial information.
Pay attention to the cloud services you use, the software developers you work with, and everyone else involved in your technology. You should be in control of what they can and can’t see.
Use two-step verification where possible, encrypt data and closely monitor the security of websites you use. Most importantly: question every inconsistency.
Identity thieves are known for using basic consumer data (name and address history) to open financial accounts in another person’s name. It can happen to businesses, too.
Run credit reports and regularly check the registered details of your company to catch misuse of your information.
In 2011, Sony missed a software update. Within a month, customer data was leaked online. It damaged the company’s reputation and cost a lot of time and money to fix.
When Apple corrected its software flaw, it immediately released an update. But you have to actually install it to fix the problem in your business.
Every operating system and most other software can automatically check for updates regularly. Make sure yours does.
Apple admitted its flaw and immediately implemented a fix. Yet when US retailer Target suffered a major breach in 2013, it kept things quiet and attempted to fix the issue behind the scenes.
In the long run, Apple’s vulnerability was a slight inconvenience felt by very few. Target’s affected millions and cost the company more than $1bn.
The internet is like a medieval fortress. You’re only as safe as the walls around you. By running frequent security audits, properly training employees and extensively testing software, you’re building a solid castle to keep data safe.
Daniel Riedel is CEO of New Context.
IT for Donuts is our regular Friday feature where we explain a tech term or answer a question about business IT.
This week, learn about the key differences between laser and inkjet printers.
Although the price gap between inkjet and laser printers has narrowed in recent years, inkjet and laser printers still use fundamentally different techniques to put text on the page.
Inkjet printers contain small reservoirs of liquid ink. When you need to print something out, the printer squirts tiny dots of ink onto the page in order to build up an image of whatever’s being printed.
Laser printers don’t use ink. Instead, they use toner, a fine powder. A combination of heat and a static charge makes the toner stick to the paper in the right places, producing text and images.
The most important differences between laser and inkjet printers are speed and capacity. Laser printers can typically print large documents faster and are designed to handle a higher volume of work without breaking down or requiring toner replacement.
Although inkjet technology has improved remarkably in the past few years, laser printers are still preferred by most businesses — and for good reason.
Aside from speed, capacity and reliability issues, there’s one other reason that most companies choose laser printers. The old rule is that inkjet printers are cheap because the ink is expensive. And that still holds true.
Typically, laser printers are cheaper to run, even though they usually cost more to buy upfront. And that means the more you print, the more you save by opting for a laser printer.
That’s not to say that you should never choose an inkjet for your business. Inkjet printers are excellent at printing photos, especially if you use special glossy paper that reduces how much ink soaks into the page.
And if you’re a single-person business that only prints a few pages a month, an inkjet might be more cost-effective for you.
Our tablets and smart phones go with us nearly everywhere — even to places many of us would prefer they didn’t (I’m looking at you, toilet-texters).
But although we treat mobile devices like extra limbs, I don’t know of any arms or legs that contain sensitive information about our identities, banking habits and current location.
Mobile threats range from app-based malware to adware and even ‘chargeware’ that costs you money without you realising it.
And, of course, there’s the age-old problem of leaving your phone in the pub after one too many pints.
Standard mobile security is pretty abysmal. So, what can you do to stay secure?
When you open a new app on your smart phone, it may ask permission to access other information or functions, like your contacts or location.
Don’t grant permissions without reading what the app is asking for. Instead, take time to get to know your permissions, then make educated decisions about what permissions you’re willing to grant.
A location-based application — like one that maps your runs — obviously needs to know your location. But does a drawing app?
Always ask yourself whether a permission request ties up with what the app is meant to do.
You can also check out the app’s reviews to decide whether to trust its creator. If they seem technologically adept, that’s a sign your data will be in good hands (or ones that aren’t malicious).
Many smart phones come with restrictions put in place by your mobile service provider. For instance, you might only be able to install apps from an approved app store.
These restrictions can seem limiting, making it tempting to find ways to bypass them. But believe it or not, often those restrictions are in place for a reason.
They may relate to security holes or other vulnerabilities. You could expose these if you bypass the restrictions and hack into your phone.
If you want to experiment, it’s better to do so on an old device. Keep your regular phone — and data — safe.
If you’re not using Wi-Fi and Bluetooth, turn them off.
Keeping Wi-Fi on constantly can mean your phone connects to hotspots as you go, rather than using a secure mobile data connection.
That’s fine when you’re at work and you know the network. But it’s less secure when you’re using ‘Steve’s super-legit hotspot’ while you wait at a bus stop.
This isn’t an imagined threat. Recent research suggests rogue Wi-Fi networks are very much on the increase.
Even if Steve isn’t looking to steal your financial info, you have no way of knowing who else has access to his network.
The same goes for Bluetooth. Either turn it off when you’re not using it, or make sure the default settings don’t let other users connect to your device without permission.
For more information, read this mobile security guide from security experts Lookout.
Guest blog from Rosie Scott. Rosie is a content strategist at a digital marketing agency and avid blogger. You can find her at The New Craft Society www.thenewcraftsociety.com or on Twitter @RosieScott22.
According to the government, cybercrime costs the UK economy around £27 billion each year.
If your business suffers even a tiny fraction of that loss, it would be devastating. So, how do you make your company less of a target?
By fighting back against cybercrime. That’s how.
Importantly, make sure your security software updates itself. This is the only way to stay safe from emerging threats.
A professional IT security audit is worth every penny. When an expert examines your IT setup, they’ll identify where you’re most vulnerable to attack.
Armed with this crucial information, you can create extra security measures and write a solid security policy.
IT security is not just about software. Any equipment that connects to the outside world (like your router) should be modern and made by a reputable manufacturer.
At the same time, check your premises for weak points. For example, if you keep your backup tapes in a safe, change the combination regularly. Consider installing CCTV too.
Social engineering sounds creepy, but it refers to the way cybercriminals may try and con your people, rather than attacking your computers.
Make sure your employees look out for cold callers and unusual visitors. People who are good at social engineering tend to have the gift of the gab. It’s surprisingly easy to reveal a username or password to them.
Staff should also know how to handle ‘digital cold calls’, like phishing attempts.
If you missed the news last week, experts have discovered a flaw in popular encryption software OpenSSL.
This is a big deal because OpenSSL protects hundreds of thousands of websites, including big names like Google, YouTube, Tumblr and Yahoo.
The issue is called Heartbleed. Although OpenSSL is meant to protect data transferred between a website and the person using it, Heartbleed may allow hackers to access that data.
Heartbleed is a high-profile story because so many websites use OpenSSL. But there's been a lot of confusion over what we should do about it.
Some websites have advised you to change all your passwords. Others have suggested that's counterproductive until every website has been fixed. So, we've investigated what businesses need to be concerned about.
First off, let's get one thing clear: Heartbleed is a real issue. You should definitely spend a few minutes thinking about how it might affect your business.
There are two aspects you need to be aware of:
Does your website use a secure connection (where a padlock appears in the browser)? If so, it's vital you check which encryption technology it uses.
If you're not used to getting into the nuts and bolts of your website, speak to your web developer or to the company that supplies your SSL service (usually your web hosting firm).
You can also pop your website address into this Heartbleed checker, which will let you know if your site is affected.
If you get the all-clear, that's great — you don't need to worry. But if your site does have the Heartbleed vulnerability, you should get it fixed — pronto.
This means updating to the latest version of OpenSSL, which doesn't suffer from Heartbleed. Your web hosting company or web developer should be able to do this for you.
In the meantime, consider deactivating the secure parts of your website. Better safe than sorry, after all.
Experts reckon around 500,000 websites are affected by Heartbleed. There's a good chance some of them are services you use regularly.
Changing passwords is the way to go here. But you need to make sure the problem is fixed before you change a password on a particular website. Otherwise, you risk exposing your new password too.
Most major websites will have fixed their systems by now. Again, you can use the Heartbleed checker to make sure.
As a precaution, we'd advise changing all the passwords on sites you use regularly — but only when you're sure those sites are secure.
Remember, it's safest to use a separate password for each website and to make sure all passwords are nice and strong.
There's one last thing to bear in mind. Heartbleed was around for a long time before it was discovered. As a result, nobody's certain if any hackers exploited it before it became common knowledge.
In case your business or personal data has been affected, it's a good idea to check your online banking, email and other services you use regularly. If you notice anything out of the ordinary, do investigate.
We’re barely a quarter of the way through the year, yet many hacking stories have already hit the headlines.
Worryingly, many of them involve large, reputable companies and websites. And if they can’t stay safe from hacking attempts, what does that mean for smaller companies?
Phenomenally successful crowdfunding website Kickstarter was the focus of a successful hacking attempt in February. The attackers didn’t manage to make off with any credit card information, but they did get hold of email addresses, passwords and phone numbers.
"We're incredibly sorry that this happened," chief executive Yancey Strickler commented. "We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways."
Just a week after the Kickstarter incident, the University of Maryland was targeted. Worryingly, hackers were able to access a whopping 309,079 personal records.
These included information such as dates of birth, university numbers and social security numbers.
The university’s president, Wallace D Loh, confirmed the institution had fallen victim to a sophisticated attack: “I am truly sorry. Computer and data security are a very high priority of our university.”
Having your email address stolen is bad enough. But would you want your passport — complete with embarrassing passport photo — stolen? Just ask whistle-blower Edward Snowden, who had a photo of his passport posted online by a hacker.
Snowden may not be the only person affected by this attack. The perpetrator claims to have gained access to 60,000+ passports belonging to law enforcement and military officials signed up to the EC-Council’s Certified Hacker scheme.
Valentine’s was as much for hackers as it was for lovers this year. Just before 14 February, 2,240 Tesco customers were the victims of a hack that revealed their phone numbers, email addresses and voucher balances. The unluckiest bunch also had their vouchers stolen.
Following the unexpected hack, Tesco contacted affected customers and issued replacement vouchers where necessary. Every little helps?
In what is almost certainly the most viral hack of the year so far, Naoki Hiroshima lost his Twitter username, @N, estimated to be worth around $50,000.
As only 26 people can have a one-letter Twitter handle, they are highly desirable. Naoki was the subject of an elaborate attack that saw the hacker go via websites such as PayPal and GoDaddy to access personal information.
According to Naoki, the hacker used PayPal to find out the last four digits of his credit card number. They were able to obtain other personal information from GoDaddy, before using these details to hijack the rare Twitter account.
The good news for Naoki is that — after some fuss — he eventually got his username back.
Online backup services can be a really convenient way to take a safe copy of your company data and store it away from your main business location.
This means that if anything goes wrong with your data, you still have a backup copy to work from.
Online backup services are generally simple and easy to use:
And that’s pretty much it. You change a file in the office and the backup copy gets updated for you. Delete a file by accident and you can get a copy back within minutes.
With some research showing that 48% of businesses experience data loss each year, online backup can be a really effective way to protect your company.
Businesses have traditionally backed their data up to tapes, hard drives or CDs. So, why use online backup instead of these tried-and-tested methods?
Not all online backup services are equally safe and effective, so it’s important to choose an online backup supplier that:
An online backup service could be a good fit for your business if:
To learn more about backups, read about how to find the right backup methods, and see the five key questions to ask about your backup system.
This is a post from Danny Walker, director at IT Farm.
If you’re focusing all your IT security efforts on things like anti-virus and firewalls, are you missing the biggest risk of the lot?
And if you’re running your own business, it’s worth listening to the opinions of IT professionals. They know technology, and they can see where the biggest risks lie.
So, what can you do?
Your staff pose a bigger threat these days because the nature of security threats has changed over the last few years. Many organisations — both large and small — have struggled to keep up.
While back in 2008 or 2009 we were all worried about viruses, spyware and Trojans, these days it’s more targeted threats like spear phishing that are most likely to have IT managers worried.
These attacks are on the rise because they’re effective. Even the most tech-savvy of your staff can be tempted into clicking an email when they shouldn’t. And often, the biggest data breaches can be tracked back to a single, unfortunate click.
It’s important to make your staff aware of how phishing scams operate. You can also give them pointers so they know how to spot potential security breaches.
However, you can’t expect your employees to be infallible. People make mistakes, which means it’s vital you have some additional checks and precautions in place.
A good starting point is to make sure you allow access to data on a ‘need to know’ basis. Resources like your customer database, your accounting system and any shared folders often contain lots of sensitive data.
Rather than allowing everyone to have access to all these resources, the default setting should be that people don’t have access. If an employee needs it — and there’s a good case for it — then you can open up access on an individual basis.
This reduces risk because you’re adding extra layers of protection. If a hacker manages to guess the password of an employee, they’ll still face barriers when trying to reach privileged information.
It might cause a little inconvenience when someone needs to request access to a particular resource. But it’s better than giving hackers a free run of the place.
You’ve already seen our exciting IT predictions for 2014. But what of IT security and data protection? Are there any threats your business needs to know about?
Alex Balan, head of product management at internet security firm BullGuard, has come up with these ten predictions.
It’s devious and destructive and it makes hackers money. Ransomware has been around a while, but because it’s effective it’s going to be around for a lot longer.
A good example of ransomware is Cryptolocker. It encrypts your documents and shows a message saying you must pay a ransom to get your computer back. If you don’t pay up then you lose your data — and there’s little anyone can do to help you.
There is a growing body of evidence to show mobile devices being attacked, with online criminals often aiming to steal personal financial details.
This is hardly surprising given the explosive growth in smart phones and tablets. There’s plenty of data on mobile devices to be stolen. Hackers can also make money by setting up their own premium-rate numbers, then dialling them from compromised mobile phones.
Learn more about mobile security software.
The news about the NSA and GCHQ monitoring internet traffic, emails and phone calls was the most important cyber security event in 2013. These revelations have increased awareness of the need for personal security.
Until now, people have generally only taken security precautions reactively, typically after something has happened. But now they’re becoming more proactive. This will create a growth in technologies to help users keep their communications and data private.
We’re likely to see more attacks on old software and systems that are full of security holes. For example, Microsoft Windows XP reaches the end of its life in April, which means no more updates, even if a security problem is found.
This popular but creaking operating system is still widely used, but how many people know Microsoft is turning its back on it? Hackers know, of course. There will be many attempts to find new exploits in XP, which means many people will fall victim to malware.
You may or may not have heard of the ‘internet of things’. It describes the increasing connectedness of everyday objects. We have internet-connected webcams, CCTV systems, televisions, digital video recorders and even baby alarms. These devices may be vulnerable to attack.
It might sound bizarre, but soon we’ll see fridges, toasters and other devices that are hooked up to the internet. Don’t be too surprised when you hear of these things being hijacked by hackers (fancy a hacked toilet, anyone?).
Never in the history of humankind has an industry grown so rapidly and so pervasively as technology. It reaches into every corner of our lives. Film cameras are a thing of the past, physical bank branches are becoming quaint and well-known retailers have disappeared from the High Street.
But what happens when computers crash? Thankfully, more people are aware of the potential for damage, and this is leading to an increase in back-up technologies. Expect the arrival of more backup services this year — especially ones that work over the internet.
Biometric authentication is widely regarded as the most secure form of identity control. Early systems were slow and intrusive, but because today’s computers are faster and cheaper than ever, the interest in biometrics has been renewed.
There are several types of biometric authentication in use, but fingerprint authentication is becoming the most common. We’ll see more computers, mobile devices and accessories with built-in fingerprint readers this year.
Law enforcement agencies have scored some significant ‘deep web’ successes in the past year, most notably taking down the Silk Road web site, which allowed users to buy anything from heroin and cocaine to guns and fake currency.
Authorities will continue to make inroads into the deep web in 2014 but the odds are that deep websites will respond by making it harder to take down sites or identify the people responsible.
You may not realise it, but when you take your smart phone into the workplace and hook it up to your computer, you’re committing a security faux pas. If your device has malware on it, you risk releasing it into the company network.
Hackers love breaking into company networks because they are treasure troves. And because smart phones are so popular, hackers are targeting them in order to access corporate networks. We’ll see an increase in this type of activity in the coming year, so it pays to be aware.
When an internet service provider (ISP) gets hacked it resonates long and loud. In April 2013 UK giant BT dumped Yahoo as its email provider following months of hacking complaints from customers.
Many hackers break into ISP systems just to get free broadband, but at the organised crime end of the spectrum it’s done to launch large-scale spam and malware attacks. Don’t be surprised to see more ISP hacks in the coming year.
This is a guest post from Alex Balan, head of product management at BullGuard.
Every day, it seems there’s a new online scam ready to catch out the unwary. Recently it was cyber-criminals posing as a dating agency on LinkedIn in order to harvest data from unsuspecting users of the professional networking site.
This was a so-called ‘spear phishing’ attack, where online criminals target specific people rather than sending out messages at random. Top corporations and media outlets are increasingly becoming victims of these scams — but that doesn’t mean smaller companies aren’t at risk too.
Spear phishing is an example of social engineering, which sees online scammers manipulate people into sharing sensitive information about themselves or others.
It’s easy to fall victim and there’s no shame in it. These criminals are good at what they do, using flattery, confidence tricks and deception to get the information they want.
Social networks and email are two of the most common routes through which scammers will try and contact you or people in your business. To help you stay safe, here are five ways to avoid falling victim to a spear phishing attack:
The bottom line is that vigilance is key to staying safe from a spear phishing attack.
It may seem like an inconvenience to do extra research when you receive a message you’re unsure about, but in the end it’s worth the time to know who you’re dealing with.
This post is from Espion, a firm specialising in IT security.
Here’s some good news for you: more businesses are taking IT and security risks seriously.
Security is no longer a topic that’s relegated to IT departments or individual staff members. A survey of UK organisations by risk management specialists NTT Com Security found that 56% of respondents discuss security and risk either routinely or frequently at board level.
However, as businesses become more aware of potential security risks, it seems a fear factor may be kicking in. The same survey found that concerns over information security and risk have stopped a project or business idea progressing in nearly half (49%) of organisations surveyed.
So, how do you monitor and manage the risks your company faces, without becoming paralysed? After all, if you paid attention to every online horror story then you’d probably shut up shop and find a nice, non-internet business to run, instead.
There’s a strong argument to say that companies with the best handle on their security are the ones that see it as an opportunity.
Being proactive, identifying and managing risks and taking steps early can actually give you an advantage in the market. For instance, clients and customers like it when they know they can trust you to keep them safe.
But proactive security isn’t something many businesses do well. Only 1 in 5 organisations surveyed said they base their security spending on risks they’ve actually assessed.
The rest, presumably, take a range of basic security precautions and then react to other problems as they occur.
Neal Lillywhite, SVP Northern Europe at NTT, says that although businesses are aware they should take a proactive approach to managing risks, most don’t yet put this into practice:
“While the majority see a benefit to having a proactive approach when assessing the risk of information assets, the fact that still only a fifth base their spending on assessed risk shows there is plenty of room for improvement.”
If your business is one of the 4 in 5 that doesn’t do a good job of assessing the risks it faces, it’s probably time to start. And as there’s no time like the present, why not find out how to perform an IT security risk assessment right now?
Anti-virus software has been one of the standard weapons against online threats for the past two decades. But as the nature of online dangers changes, anti-virus software is starting to look past its sell-by date.
Nowadays, it’s not worries over traditional viruses that keep IT professionals awake at night. Their number one concern is more likely to be the targeted attack. Online criminals will stealthily approach your business, gaining access to critical systems, leaving virtually no trace.
Professional online criminals are often behind these new threats. From stealing valuable intellectual property to coordinated attacks on bank accounts, the online attack model of today is a world away from the loud-mouthed internet vandals who used to dominate the headlines.
Today’s attacks are carried out by groups, rather than individuals, are designed to steal valuable data — and often leave no trace.
What’s more, online attackers are patient. An analysis of what’s known as advanced persistent threat (APT) incidents by Mandiant revealed the average period over which attackers controlled a victim's network was one year.
That’s a long time for online criminals to have access to your data without you realising.
Additionally, many of these breaches are inside jobs, where authorised users (often company employees) load malware or password-capturing software onto company systems.
In all honesty, anti-virus software has always had its weaknesses. It has to be updated daily and cannot effectively protect against new threats until they have been identified and an antidote created.
This model was flawed when most viruses were noisy and high-profile. But today, threats are silent and stealthy. With fewer organisations affected, there are fewer opportunities for the virus to be identified and neutralised.
If anti-virus software isn’t enough, then what are the options?
First off, organisations need to address any complacency that exists and start implementing security processes that are key to effective defence.
Getting the basic principles of security right is a good place to start. Creating a security checklist is relatively straightforward with help from an IT professional or supplier. Doing so gives you a clear list of recommendations and will help you identify any weaknesses in your business.
However, you also need an infallible way to detect malware if it does manage to bypass security defences.
File integrity monitoring (FIM) is an excellent way to do this. It radically reduces the risk of security breaches by warning when a change has been made to underlying, core file systems.
Flagging changes in this way makes it harder for threats to take hold because you get immediately notified if changes happen that could indicate a stealth attack.
File integrity monitoring works best when combined with strong change management processes. This means your business needs to keep tight control on who is allowed to make changes to core software and when they may do so.
It’s not a silver bullet that will make your business impervious to online threats. But as a core plank of your security strategy, file integrity monitoring can effectively protect your data and dramatically reduce the risks your business faces.
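To make the mechanism concrete, here is an added example of a minimal file integrity monitor in Python (it is not New Net Technologies' product or code): it hashes a directory tree into a baseline, re-scans later, and separates changes that went through change management from unexpected ones. The directory layout, file contents and the list of approved changes are constructed for the demo.

```python
"""Minimal file integrity monitor: baseline, re-scan, report (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to its hash, size and mode."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        # Skip symlinks so an attacker cannot swap a link target unnoticed
        if path.is_symlink() or not path.is_file():
            continue
        stat = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": sha256_of(path),
            "size": stat.st_size,
            "mode": oct(stat.st_mode & 0o7777),  # permission bits also matter
        }
    return baseline


def save_baseline(baseline: dict, store: Path) -> None:
    # The baseline must live somewhere the monitored host cannot rewrite it
    # (e.g. a separate server), otherwise an intruder can "bless" their changes.
    store.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(store: Path) -> dict:
    return json.loads(store.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified (content or mode)."""
    old, new = set(baseline), set(current)
    modified = sorted(
        f for f in old & new
        if baseline[f]["sha256"] != current[f]["sha256"]
        or baseline[f]["mode"] != current[f]["mode"]
    )
    return {"added": sorted(new - old), "removed": sorted(old - new),
            "modified": modified}


def check(root: Path, baseline: dict, approved_changes=frozenset()) -> dict:
    """Re-scan and flag any change not covered by an approved change record."""
    report = compare(baseline, build_baseline(root))
    changed = report["added"] + report["removed"] + report["modified"]
    report["unexpected"] = sorted(f for f in changed if f not in approved_changes)
    return report


def demo() -> dict:
    """Constructed scenario: one approved config edit, one unapproved binary swap."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original binary")
        (root / "config.ini").write_text("debug=false\n")
        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store)
        store_copy = load_baseline(store)
        store.unlink()  # keep the baseline file itself out of the scan

        (root / "config.ini").write_text("debug=true\n")          # approved
        (root / "bin" / "app").write_bytes(b"trojanised binary")   # not approved
        (root / "bin" / "helper.so").write_bytes(b"dropped library")  # not approved
        return check(root, store_copy, approved_changes={"config.ini"})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In a real deployment the scan runs on a schedule and anything in `unexpected` is what the text calls the stealth-attack indicator: it should raise an alert rather than just appear in a report.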
This is a guest post from Mark Kedgley, CTO at New Net Technologies.
If you own a smart phone, you’re carrying a powerful computer around in your pocket. And, like all computers, it’s a potential target for malware, online criminals and hackers.
Never given your smart phone security more than a passing thought? You’re not alone. Technology analysis firm Juniper Research has found more than 80% of company and personal smart phones will remain unprotected at the end of 2013.
The report — Mobile security: BYOD, mCommerce, consumer and enterprise — found that security risks are on the rise due to an explosion of mobile malware over the last two years.
Cyber criminals are switching focus, targeting PCs less and mobile platforms more. These findings support Trend Micro data showing that there are already more than a million different pieces of malware and high-risk apps for Android devices alone.
It’s not all doom and gloom though. The report identified that although adoption rates remain low, awareness that mobile security products exist is growing. So, if more of us know that there are tools to protect our smart phones, why aren’t we using them?
Well, perhaps the risks are less obvious than on our desktop computers. After all, have you, or anyone you know, been affected by malware on your smart phone? The dangers are growing, but aren’t yet high-profile enough to encourage mass adoption.
The report claims that the low level of adoption of security software can be attributed to a number of factors, including the relatively low awareness about attacks on mobile devices and a widespread perception that the price of security products is excessive.
However, with BYOD (bring your own device) — where employees use their own mobile devices for work — becoming more common, it’s important that your business starts thinking about mobile security.
Using mobile security software may be a start, but really you need to step back, taking a broader look at how you use mobile devices and where the risks lie. Then you can create a mobile security plan to keep your data, your employees and your business safe.