Earlier this year, hundreds of thousands of websites were affected by the heartbleed security flaw.
Heartbleed was a massive headache, but also acted as a reminder that large-scale security breaches can — and do — happen.
It’s not just down to IT staff and security experts to take action. Business owners have a role to play, too.
There are many things you can do to protect your business from online threats. The security section of IT Donut is an excellent place to start.
One of the most important things to think about is anti-virus and security software. These programs scan your computers for viruses, spyware and other malware. They also monitor your network for suspicious activity, and can identify and remove email threats.
Just a single piece of malware can leave your systems wide open, paving the way for hackers to enter and steal your data. Security software is a key countermeasure.
It’s easy to realise that you need security software. But there’s a bewildering choice of options, making it actually quite hard to pick one that meets your needs and budget.
And even when you’ve chosen your security software, just having it isn’t enough. In order for it to be effective, it needs to be:
If you don’t meet these three requirements, your company will be at risk of a malware attack and data breach.
Got all that sorted? Great. The next things you have to worry about are user habits.
Security software is only effective if it’s running on all your computers at all times. Unfortunately, it can sometimes slow computers down, block other software or force you to wait while it performs a scan.
For these reasons, you might find that your employees close the security software on their computers, disable the scanning functions, cancel updates — or change settings in some other way that makes the software less effective.
It’s easy to get overwhelmed by the job of making sure your security software is running properly and checking your employees haven’t interfered with its settings.
And that’s where managed anti-virus and security software comes in.
Managed security software works much the same as other security packages. It helps keep your systems secure and free of malware.
The main difference is that the software is managed by someone else. This is usually done by an IT provider (like your IT support company), but can be done by someone in your business, if you have the expertise in-house.
Whoever manages the security software takes responsibility for ensuring the solution is installed on every system and is always kept up to date.
Usually, software on individual computers and servers will be managed from a central control panel. For instance, changes to settings and updates can be rolled out across all computers automatically.
This is great for many smaller businesses because it means they don’t need to worry about the installation or day-to-day management of security software.
If you adopt managed security software, it can give you the benefit of knowing your systems and data stored are secure, without having to get into the ins and outs of checking every computer and every setting yourself.
(c) Mirus IT, provider of managed security software to smaller companies.
IT security experts talk a lot about avoiding viruses and spyware. In the wake of the GOZeuS malware issue, you can't move for advice on how to avoid phishing.
But although a lot of IT security advice tends to focus on issues like these, there are many less high-tech threats to your business IT.
For instance, according to research from Inhance Technology, over 20% of people are more worried about being mugged for their smart phone or tablet than they were a year ago.
So, in the race to keep your devices free of viruses and your servers locked down from hackers, are you neglecting the more basic precautions?
As a reminder, here are five ways to protect your servers, computers and mobile devices from the low-tech threats that can damage your business:
Have you been caught out by any low-tech security issues? Leave a comment to let us know.
You should never use something like 'password', '123456' or your name as your password. Not for anything. Most people know this, yet plenty of us still do it.
Now artist Lorrie Cranor has come up with an original way to highlight rubbish passwords. She's had them printed on a dress.
Yes, she really has. No, this isn't a joke.
As Lorrie explains over on her blog, she used Wordle to create a word cloud of the most popular passwords revealed by the RockYou hack, then rearranged the resulting words before having them printed onto fabric.
She subsequently made this into a striking dress. The larger the word, the more common the password.
Now we just have to stop using them.
There’s a lot of debate surrounding Bitcoin, and for good reason. This unregulated electronic currency is not backed by a central bank and its value fluctuates wildly.
The Internal Revenue Service (the US equivalent of HMRC) recently decided to treat Bitcoin as property (not a currency). This could have a major impact on the volume of transactions conducted using Bitcoin.
However, while Bitcoin itself is controversial, the encryption technology behind it could be the future of digital security.
Bitcoin uses an accepted security concept called asymmetric key encryption. When you download a Bitcoin wallet — in which you store your Bitcoins — you’re assigned two encryption keys.
There’s a public encryption key, which you give to anyone from whom you want to receive Bitcoin payments.
Then there’s a private key. This is mathematically linked to your public key, and is used to decrypt information encrypted with your public key.
In practice, this means anyone who wants to pay you can encrypt the transaction using your public key. But only you can decrypt it to receive the money, because only you have the private key.
Some email providers use a similar system called Pretty Good Privacy (PGP) encryption to send emails securely.
However, as PGP stores your private encryption key on an email server, hackers (or the government) could potentially intercept and decrypt your messages.
A more secure option is to encrypt emails using a Bitcoin key before you send them through your provider’s servers.
You can apply this same concept to data stored in the cloud. If you encrypt it with a Bitcoin key, your information will stay safe even if someone hacks into your cloud provider.
While these security measures do offer extra protection, the risks of Bitcoin encryption lie in the human element.
If you don't secure your virtual Bitcoin wallet, you can fall victim to theft. Really, keeping your wallet offline and protecting it with a password is the only straightforward way to secure it.
And you should always remember that encryption is a double-edged sword. If you ever lose your password, your data is lost forever.
While some governments have banned or restricted its use as a currency, Bitcoin is gaining support among some businesses. There’s even a Bitcoin cash machine in East London.
The supply of Bitcoins is limited and their volatility means the cost of security can easily surpass the value of what you’re protecting.
But perhaps the true value of Bitcoin lies in its potential to educate more people about using encryption to secure information.
In this digital age, information is currency. You should protect yours just as you would protect your money.
The Heartbleed security flaw — discovered in April — affected more than 60% of web servers. As a result, some experts considered it to be the most dangerous security flaw on the web.
However, it’s not the first big security issue in history. And it certainly won’t be the last.
For instance, Apple endured a similar situation earlier this year. Its ‘goto fail’ bug exploited a vulnerability similar to Heartbleed, but Apple handled it well enough that it didn’t achieve the same level of news coverage.
So, what can your business learn from Apple’s goto fail debacle?
Quite simply, flawless software is a myth. Writing computer code is difficult and modern software is complex. The greater the complexity, the greater the risk of security flaws.
Although goto fail was the result of sloppy code in Apple’s operating system, Heartbleed’s vulnerability runs deeper. Either way, these breaches demonstrate that even tech giants with a lot to lose can’t make their software invulnerable.
Once you’ve accepted the risk, be more vigilant about the software you use.
The code behind Apple’s operating system framework is reviewed more often than iTunes updates its terms and conditions. Yet the flaw existed for 18 months before it was revealed. Heartbleed went undetected for two years.
Unless you want your security flaws to be discovered by a rival — or worse — stay vigilant.
Be careful what you download, what you click, and what access you grant applications and websites. You become a target whenever you share private or financial information.
Pay attention to the cloud services you use, the software developers you work with, and everyone else involved in your technology. You should be in control of what they can and can’t see.
Use two-step verification where possible, encrypt data and closely monitor the security of websites you use. Most importantly: question every inconsistency.
Identity thieves are known for using basic consumer data (name and address history) to open financial accounts in another person’s name. It can happen to businesses, too.
Run credit reports and regularly check the registered details of your company to catch misuse of your information.
In 2011, Sony missed a software update. Within a month, customer data was leaked online. It damaged the company’s reputation and cost a lot of time and money to fix.
When Apple corrected its software flaw, it immediately released an update. But you have to actually install it to fix the problem in your business.
Every operating system and most other software can automatically check for updates regularly. Make sure yours does.
Apple admitted its flaw and immediately implemented a fix. Yet when US retailer Target suffered a major breach in 2013, it kept things quiet and attempted to fix the issue behind the scenes.
In the long run, Apple’s vulnerability was a slight inconvenience felt by very few. Target’s affected millions and cost the company more than $1bn.
The internet is like a medieval fortress. You’re only as safe as the walls around you. By running frequent security audits, properly training employees and extensively testing software, you’re building a solid castle to keep data safe.
Daniel Riedel is CEO of New Context.
Don't panic, but you have a week left to protect yourself and your business from an online threat called GoZeuS. That's according to official Government advice, no less.
So, what are GOZeuS and CryptoLocker? And why is the next week a critical period?
You might not realise it, but there are battles happening online at this very moment.
On one side, hackers and online criminals are constantly finding new ways to steal data, pinch money and cause harm. On the other, security companies and government agencies are working to disrupt these criminal activities.
Recently, a group of organisations led by the FBI announced a significant victory. Experts have significantly disrupted the GOZeuS and CryptoLocker malware, which have been stealing people's data and holding their computers to ransom.
GOZeuS is a piece of malicious software that can infect your PC, just like a virus. You can catch it from opening an infected email or visiting a dodgy website. It's estimated that around 15,000 computers in the UK are affected by it.
Once GOZeuS is on your computer, it attempts to hunt out valuable data that it can steal. Names, addresses, bank details, passwords ... the usual stuff.
If it doesn't find enough information to be profitable, GOZeuS may activate CryptoLocker. This devious malware encrypts your computer, locking it down so you can't access any of your own data.
You may then see a message demanding you pay a ransom (typically £300 — £500) in order to regain access. Nice, eh?
Although GOZeuS and CryptoLocker are still out there, the network of infected computers has been significantly weakened. It's currently harder for infected computers to communicate with each other.
This means now is a really good time to strengthen your online security. To draw on a somewhat overused analogy, it's better to fix the roof while the sun's shining rather than waiting for the next storm.
According to official advice, the next week is the best time to make sure your defences are in order.
So, in the next few days, why not set aside an hour to review your security procedures?
Finally, you might receive an email or letter from your internet service provider warning your computer is infected. If so, don't dismiss it. As part of the work to disrupt GOZeuS, official bodies gained access to records on criminal servers and have been able to identify infected computers.
However, to be sure this isn't a fake phishing email, use the links above to go directly to GOZeuS removal tools, rather than clicking any links in the message. And call your ISP for confirmation if you have any concerns.
IT policies give your business shelter
Do you know what your staff are looking at online? Are you confident you're taking proper care of customer data? Is uncontrolled social media use rife in your company?
When you're running a business, sometimes keeping a grip on technology can feel like a losing battle.
Many business owners already suffer from too-much-to-do-too-little-time syndrome. Throw in tech-savvy employees running wild using their own tablets and software, and it's tempting to just let them get on with it.
Tempting, yes. Wise? No.
No matter how much freedom you give your staff, it's important to retain some control over how technology is used in your business. Because when you have control, you can be confident.
You can be confident staff aren't wasting time. You can be confident you comply with data protection laws. And you can be confident you have a proper structure within which your business technology operates.
Your IT policies help establish this structure. They describe how technology should be used in your business, so your employees know what is and isn't allowed.
In short: they protect your company and your staff.
Your IT policies don't need to run to hundreds of pages or contain complicated legalese. They just need to cover the essentials and be easily understood by your employees.
In fact, short and sweet beats long and detailed every time. IT policies should be documents your employees can read, understand and put into practice.
To help you create key IT policies for your business, we've created some free templates. Download them today and use them however you like in your company:
You're welcome to just fill in the gaps, or copy the text to use as the basis for your own policies. Just keep in mind that every business is different, so it's best to get all your IT policies double-checked by a lawyer before you put them into place.
A friendly IT supplier might be willing to help too, especially if they already provide IT support for your company.
According to the government, cybercrime costs the UK economy around £27 billion each year.
If your business suffers even a tiny fraction of that loss, it would be devastating. So, how so you make your company less of a target?
By fighting back against cybercrime. That’s how.
Importantly, make sure your security software updates itself. This is the only way to stay safe from emerging threats.
A professional IT security audit is worth every penny. When an expert examines your IT setup, they’ll identify where you’re most vulnerable to attack.
Armed with this crucial information, you can create extra security measures and write a solid security policy.
IT security is not just about software. Any equipment that connects to the outside world (like your router) should be modern and made by a reputable manufacturer.
At the same time, check your premises for weak points. For example, if you keep your backup tapes in a safe, change the combination regularly. Consider installing CCTV too.
Social engineering sounds creepy, but it refers to the way cybercriminals may try and con your people, rather than attacking your computers.
Make sure your employees look out for cold callers and unusual visitors. People who are good at social engineering tend to have the gift of the bag. It’s surprisingly easy to reveal a username or password to them.
Staff should also know how to handle ‘digital cold calls’, like phishing attempts.
With mobile devices still increasing in popularity, it’s never been more important for your website to cater for mobile users.
As Ofcom said nearly three years ago, we are a ‘nation addicted to smartphones’. While sales of traditional PCs are gradually declining, smart phones and tablets are on the up.
If you’ve never done anything about your mobile presence, the time for action is now. There are many factors to consider.
Different devices have varying screen sizes, resolutions and processing power. There’s a choice of platforms, too — like iOS, Android and Windows.
It would be virtually impossible to create a different version of your website tailored to each individual device. However, you can use responsive web design instead.
Responsive web design is a way of making sure your website provides a universally good experience for visitors, regardless of what device they use.
It’s the ‘one size fits all’ approach to web design. When you create a responsive website, the various elements (images, content, navigation and so on) shift and change with the screen size.
You’ll soon understand if you see a responsive website in action. Go and visit Time Magazine on your computer, then resize your web browser window. As the size of the window changes, the content moves around to fit.
This means responsive sites work well on both large monitors and tiny smart phones.
So, responsive web design sounds good. But is there evidence to say it’s worth investing time and money in?
Many companies that have moved to a responsive web design have experienced growth in conversion rates, creating a sales uplift from mobile traffic. We are yet to see the full impact mobile devices will have on online behavior. However, they’re certainly here to stay.
This means it’s vital to consider taking a responsive approach with any new or redesigned websites.
Some businesses have a much higher proportion of mobile visitors than others. But as mobile devices become even more common, you really should think about the responsive web.
Free Wi-Fi seems like one of the great perks of the 21st century. In pubs and cafes in towns and cities across the UK, you can get online for nowt.
In short, each time you connect to a public network, you could be playing a kind of Russian roulette with the data you send over the airwaves.
Cybercriminals and hackers have spotted that we’re hooked on the convenience of free Wi-Fi. What’s more, they know most of us are accustomed to connecting without giving a thought to security. And they’re taking advantage.
A typical attack is for a hacker to set up a rogue network. They give it the same name and password (if applicable) as a legitimate network nearby.
For instance, a criminal might set up ‘John’s Café Wi-Fi’ near to John’s Café. When an unsuspecting punter connects, the attacker can intercept all the data that gets sent and received.
Sensitive files and information sent by email, personal data entered into website forms … it’s all there for them to harvest and use.
This isn’t a particularly clever or novel trick. But it works. Next time you’re connecting to a network in a public place, can you be sure it is what you think it is?
It can be difficult to be 100% sure that you’re safe when you use public Wi-Fi. And so the best way to protect your data is to not send or receive sensitive or private data while using it.
That’s easier said than done. One of the most popular uses for Wi-Fi is catching up on email, which can contain all kinds of data that’s valuable to hackers.
However, it’s definitely a good idea to think twice before entering your online banking details or other sensitive login details.
Being on a secure website (indicated by https:// and a padlock in your web browser) does offer some protection, but hackers can still use a technique called sslstrip to intercept your data if they really want.
The safest option is to connect via a virtual private network (VPN), which creates a secure tunnel through which your data passes. You can purchase VPN access from companies like Hotspot Shield — there’s a good explanation and some reviews of VPNs over on the PC Advisor website.
If you missed the news last week, experts have discovered a flaw in popular encryption software OpenSSL.
This is a big deal because OpenSSL protects hundreds of thousands of websites, including big names like Google, YouTube, Tumblr and Yahoo.
The issue is called Heartbleed. Although OpenSSL is meant to protect data transferred between a website and person using it, Heartbleed may allow hackers to access that data.
Heartbleed is a high-profile story because so many websites use OpenSSL. But there's been a lot of confusion over what we should do about it.
Some websites have advised you to change all your passwords. Others have suggested that's counterproductive until every website has been fixed. So, we've investigated what businesses need to be concerned about.
First off, let's get one thing clear: Heartbleed is a real issue. You should definitely spend a few minutes thinking about how it might affect your business.
There are two aspects you need to be aware of:
Does your website use a secure connection (where a padlock appears in the browser)? If so, it's vital you check which encryption technology it uses.
If you're not used to getting into the nuts and bolts of your website, speak to your web developer or to the company that supplies your SSL service (usually your web hosting firm).
You can also pop your website address into this Heartbleed checker, which will let you know if your site is affected.
If you get the all-clear, that's great — you don't need to worry. But if your site does have the Heartbleed vulnerability, you should get it fixed — pronto.
This means updating to the latest version of OpenSSL, which doesn't suffer from Heartbleed. Your web hosting company or web developer should be able to do this for you.
In the meantime, consider deactivating the secure parts of your website. Better safe than sorry, after all.
Experts reckon around 500,000 websites are affected by Heartbleed. There's a good chance some of them are services you use regularly.
Changing passwords is the way to go here. But you need to make sure the problem is fixed before you change a password on a particular website. Otherwise, you risk exposing your new password too.
Most major websites will have fixed their systems by now. Again, you can use the Heartbleed checker to make sure.
As a precaution, we'd advise changing all the passwords on sites you use regularly — but only when you're sure those sites are secure.
Remember, it's safest to use a separate password for each website and to make sure all passwords are nice and strong.
There's one last thing to bear in mind. Heartbleed was around for a long time before it was discovered. As a result, nobody's certain if any hackers exploited it before it became common knowledge.
In case your business or personal data has been affected, it's a good idea to check your online banking, email and other services you use regularly. If you notice anything out of the ordinary, do investigate.
Even if you take every precaution imaginable, it’s still possible for your business to fall victim to a security breach. And while nobody wants to be that victim, it’s worth giving some thought to how you’d manage your reputation in the wake of a cyber-attack.
We reveal the five steps every business should take to minimise damage and rebuild their reputation.
When US retail giant Target suffered a huge data breach last year, one of the biggest criticisms levelled at the company is that it didn’t do a good job of acting quickly and communicating well with customers.
Don’t make that mistake. Once you’ve taken the necessary precautions to secure your systems, share information with your customers, employees and partners.
Being as honest as possible when communicating the crisis will ultimately reassure customers that you are doing everything you can to resolve the issue and protect their details.
Hiding the truth from loyal customers will only damage your credibility in the long run. When tech firm Buffer was hacked, the company remained open and communicative throughout.
Do your best to provide first class support to any customers affected by the issue. They probably aren’t IT experts, so you’ll need to assist and reassure them if you want them to remain with your business.
Be on hand to respond to customer queries and you’ll retain your reputation and customer relationships long after the breach.
Think about who you’re talking to when you communicate what’s happened. Tailor your message to address the concerns of each group.
For instance, while customers will be concerned about whether their data has been compromised, investors and partners will require specific information on how your company’s reputation, value and long-term prospects could be affected.
You’ll be surprised at how far an apology goes. While many businesses will be quick to blame a third party for their security weaknesses, more switched on companies understand that customers don’t want to hear excuses.
Take ownership of your problems and be clear and compassionate about what went wrong, how you plan to fix things and why you can be certain this won’t happen again.
This post was written by Brittany Thorley, who regularly advises businesses about web security.
We’re barely a quarter of the way through the year, yet many hacking stories have already hit the headlines.
Worryingly, many of them involve large, reputable companies and websites. And if they can’t stay safe from hacking attempts, what does that mean for smaller companies?
Phenomenally successful crowdfunding website Kickstarter was the focus of a successful hacking attempt in February. The attackers didn’t manage to make off with any credit card information, but they did get hold of email addresses, passwords and phone numbers.
"We're incredibly sorry that this happened," chief executive Yancey Strickler commented. "We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways.”
Just a week after the Kickstarter incident, the University of Maryland was targeted. Worryingly, hackers were able to access a whopping 309,079 personal records.
These included information such as dates of birth, university numbers and social security numbers.
The university’s president, Wallace D Loh, confirmed the institution had fallen victim to a sophisticated attack: “I am truly sorry. Computer and data security are a very high priority of our university.”
Having your email address stolen is bad enough. But would you want your passport — complete with embarrassing passport photo — stolen? Just ask whistle-blower Edward Snowden, who had a photo of his passport posted on online by a hacker.
Snowden may not be the only person affected by this attack. The perpetrator claims to have gained access to 60,000+ passports belonging to law enforcement and military officials signed up to the EC-Council’s Certified Hacker scheme.
Valentine’s was as much for hackers as it was for lovers this year. Just before 14 February, 2,240 Tesco customers were the victims of a hack that revealed their phone numbers, email addresses and voucher balances. The unluckiest bunch also had their vouchers stolen.
Following the unexpected hack, Tesco contacted affected customers and issued replacement vouchers where necessary. Every little helps?
In what is almost certainly the most viral hack of the year so far, Naoki Hiroshima lost his Twitter username, @N, estimated to be worth around $50,000.
As only 26 people can have a one-letter Twitter handle, they are highly desirable. Naoki was the subject of an elaborate attack that saw the hacker go via websites such as PayPal and GoDaddy to access personal information.
According to Naoki, the hacker used PayPal to find out the last four digits of his credit card number. They were able to obtain other personal information from GoDaddy, before using these details to hijack the rare Twitter account.
The good news for Naoki is that — after some fuss — he eventually got his username back.
Online backup services can be a really convenient way to take a safe copy of your company data and store it away from your main business location.
This means that if anything goes wrong your data, you still have a backup copy to work from.
Online backup services are generally simple and easy to use:
And that’s pretty much it. You change a file in the office and the backup copy gets updated for you. Delete a file by accident and you can get a copy back within minutes.
With some research showing that 48% of businesses experience data loss each year, online backup can be a really effective way to protect your company.
Businesses have traditionally backed their data up to tapes, hard drives or CDs. So, why use online backup instead of these tried-and-tested methods?
Not all online backup services are equally safe and effective, so it’s important to choose an online backup supplier that:
An online backup service could be a good fit for your business if:
To learn more about backups, read about how to find the right backup methods, and see the five key questions to ask about your backup system.
This is a post from Danny Walker, director at IT Farm.
There’s always more you can do to protect your business from security threats. But there’s never quite enough time to do everything.
So, here are eight easy ways to give your company security a bit of a boost.
Unlike in the fashion industry, old tech rarely becomes cool again. You aren’t going to get any new customers because you run Windows 98.
Also, the latest operating systems have better security features, meaning you'll be better protected from web threats.
The same applies if you’re using Mac OS, or some other operating system. Stick with the latest version to be safest.
Internet Explorer is so 2004 and people using it tend to get targeted because hackers know they’re not likely to be very web-savvy.
Constant update notifications from your software can be really annoying, but ignoring them could end up causing you more problems.
Virtual bugs are just like real life ones — they’re constantly evolving to find different ways to infect you. Updates contain new info on how to swat the bugs. Unless you install them, you won't see the benefit.
If your password for something is 'password' then you're in for a bad time of it. Hopefully your passwords aren't this terrible, but it's likely they could be improved.
For maximum security, use a random combination of upper and lowercase letters, numbers and symbols. You can use a service like LastPass to help you remember them.
It sounds technical, but all two-factor authentication means is that logging in requires you to prove your identity in two ways. Usually, you need a password you know and a reference code that’s sent to your mobile phone.
We’ve all had one of those moments when your jaw drops, you stare blankly at the screen and think: ‘I've made a huge mistake.’ It’s at times like these that System Restore can be a lifesaver.
System Restore is a feature in Windows that allows you to roll your computer back to a previous point in time. The idea is that if something goes wrong, you can go back to the last ‘known good’ configuration.
Your computer will probably create restore points on its own, but you can do it yourself when you make major system changes, too.
Ok, here’s the worst case: your computer is so utterly cream-crackered that you need to wipe it and start again.
If you’ve been backing up your data regularly then the process of getting back to normal becomes much less painful.
To be honest, this point alone could make up a whole new tip sheet. But in a nutshell, try to stick to websites you trust.
Sites listed higher up in search results are more likely to be safe because more people have used them.
There are some dark and dingy corners of the internet. Try and avoid them.
Nick Chowdrey is a finance and accounting writer for Crunch, an online accountancy firm for freelancers and small businesses.
If you’re focusing all your IT security efforts on things like anti-virus and firewalls, are you missing the biggest risk of the lot?
And if you’re running your own business, it’s worth listening to the opinions of IT professionals. They know technology, and they can see where the biggest risks lie.
So, what can you do?
Your staff pose a bigger threat these days because the nature of security threats has changed over the last few years. Many organisations — both large and small — have struggled to keep up.
While back in 2008 or 2009 we were all worried about viruses, spyware and Trojans, these days it’s more targeted threats like spear phishing that are most likely to have IT managers worried.
These attacks are on the rise because they’re effective. Even the most tech-savvy of your staff can be tempted into clicking an email when they shouldn’t. And often, the biggest data breaches can be tracked back to a single, unfortunate click.
It’s important to make your staff aware of how phishing scams operate. You can also give them pointers so they know how to spot potential security breaches.
However, you can’t expect your employees to be infallible. People make mistakes, which means it’s vital you have some additional checks and precautions in place.
A good starting point is to make sure you allow access to data on a ‘need to know’ basis. Resources like your customer database, your accounting system and any shared folders often contain lots of sensitive data.
Rather than allowing everyone to have access to all these resources, the default setting should be that people don’t have access. If an employee needs it — and there’s a good case for it — then you can open up access on an individual basis.
This reduces risk because you’re adding extra layers of protection. If a hacker manages to guess the password of an employee, they’ll still face barriers when trying to reach privileged information.
It might cause a little inconvenience when someone needs to request access to a particular resource. But it’s better than giving hackers a free run of the place.
You’ve already seen our exciting IT predictions for 2014. But what of IT security and data protection? Are there any threats your business needs to know about?
Alex Balan, head of product management at internet security firm BullGuard, has come up with these ten predictions.
It’s devious and destructive and it makes hackers money. Ransomware has been around a while, but because it’s effective it’s going to be around for a lot longer.
A good example of ransomware is Cryptolocker. It encrypts your documents and shows a message saying you must pay a ransom to get your computer back. If you don’t pay up then you lose your data — and there’s little anyone can do to help you.
There is a growing body of evidence to show mobile devices being attacked, with online criminals often aiming to steal personal financial details.
This is hardly surprising given the explosive growth in smart phones and tablets. There’s plenty of data on mobile devices to be stolen. Hackers can also make money by setting up their own premium-rate numbers, then dialling them from compromised mobile phones.
Learn more about mobile security software.
The news about the NSA and GCHQ monitoring internet traffic, emails and phone calls was the most important cyber security event in 2013. These revelations have increased awareness of the need for personal security.
Until now, people have generally only taken security precautions reactively, typically after something has happened. But now they’re becoming more proactive. This will create a growth in technologies to help users keep their communications and data private.
We’re likely to see more attacks on old software and systems that are full of security holes. For example, Microsoft XP reaches the end of its life in April, which means no more updates, even if a security problem is found.
This popular but creaking operating system is widely used and how many people know Microsoft is turning its back on it? Hackers know, of course. There will be many attempts to find new exploits in XP, which means many people will fall victim to malware.
You may or may not have heard of the ‘internet of things’. It describes the increasing connectedness of everyday objects. We have internet-connected webcams, CCTV systems, televisions, digital video recorders and even baby alarms. These devices may be vulnerable to attack.
It might sound bizarre, but soon we’ll see fridges, toasters and other devices that are hooked up to the internet. Don’t be too surprised when you hear of these things being hijacked by hackers (fancy a hacked toilet, anyone?).
Never in the history of humankind has an industry grown so rapidly and so pervasively as technology. It reaches into every corner of our lives. Film cameras are a thing of the past, physical bank branches are becoming quaint and well-known retailers have disappeared from the High Street.
But what happens when computers crash? Thankfully, more people are aware of the potential for damage, and this is leading to an increase in back-up technologies. Expect the arrival of more backup services this year — especially ones that work over the internet.
Biometric authentication is widely regarded as the most secure form of identity control. Early systems were slow and intrusive, but because today’s computers are faster and cheaper than ever, the interest in biometrics has been renewed.
There are several types of biometric authentication in use, but fingerprint authentication is becoming the most common. We’ll see more computers, mobile devices and accessories with built-in fingerprint readers this year.
Law enforcement agencies have scored some significant ‘deep web’ successes the past year, most notably taking down of the Silk Road web site, which allowed users to buy anything from heroin and cocaine to guns and fake currency could be bought.
Authorities will continue to make inroads into the deep web in 2014 but the odds are that deep websites will respond by making it harder to take down sites or identify the people responsible.
You may not realise it, but when you take your smart phone into the workplace and hook it up to your computer, you’re committing a security faux pas. If your device has malware on, you risk releasing it into the company network.
Hackers love breaking into company networks because they are treasure troves. And because smart phones are so popular, hackers are targeting them in order to access corporate networks. We’ll see an increase in this type of activity in the coming year, so it pays to be aware.
When an internet service provider (ISP) gets hacked it resonates long and loud. In April 2013 UK giant BT dumped Yahoo as its email provider following months of hacking complaints from customers.
Many hackers break into ISP systems just to get free broadband, but at the organised crime end of the spectrum it’s done to launch large-scale spam and malware attacks. Don’t be surprised to see more ISP hacks in the coming year.
This is a guest post from Alex Balan, head of product management at BullGuard.
Here's a nice little tool that can keep you occupied this Friday afternoon and help you understand how hackers go about guessing passwords.
It uses real-world data — including passwords that have been made public by security breaches, and phrases commonly used online — to provide three 'best guesses' each time you enter a letter.
This reflects the kind of technique hackers might use when trying to guess passwords with brute force (basically, trying loads of passwords until they find one that works).
Once you've typed your whole password, you can see how many characters Telepathwords was able to guess. Five or more ticks above your password shows that it's reasonably strong.
Apple's iPhone 5s has one particularly striking new feature. There's a fingerprint reader built into the phone's home button, which means you can unlock the phone and authorise purchases using your fingerprint instead of having to tap in a code or password.
As with many of Apple's apparent innovations, this has been done before. Motorola's ATRIX handset has a fingerprint scanner and that launched in 2011. The only problem was reviews found it to be unreliable.
First impressions of the iPhone's fingerprint scanner, on the other hand, suggest that it works very well. If it proves reliable over time, then the new iPhone could be the first in a wave of products that bring fingerprint recognition to the masses.
At face value, this is A Good Thing. Who hasn't struggled to recall an impossible-to-remember password at some point or other? As we've said before on this very blog, 'passwords are fundamentally broken'.
Before we start using fingerprints for everything from mobile phones to internet banking, some experts reckon it would be an idea to think through the implications in a little more detail. After all, your fingerprint is very different to a password because it can't be changed.
Data protection expert Johannes Caspar put it well in a recent article for German newspaper Der Speigel:
"The biometric features of your body, like your fingerprints, cannot be erased or deleted. They stay with you until the end of your life and stay constant — they cannot be changed. One should thus avoid using biometric ID technologies for non-vital or casual everyday uses like turning on a smartphone."
In short, your fingerprint is a one-shot deal. Once it's compromised, that's it.
As if to back up his point, a hacker club already claims it's managed to fool the iPhone's fingerprint reader by taking a photo of a fingerprint and using it to create a fake finger.
But if that's the case, surely it's silly to rely on fingerprints to provide any sort of meaningful protection at all. Using a fingerprint to authorise a bank transfer? Forget it. Controlling building access via fingerprints alone? Probably a no-go.
Then — of course — there are other fringe concerns about relying on fingerprints. The Daily Mail (who else?) warns iPhone thieves might start lopping off people's fingers. And what do you do if you've hurt a finger (pictured)?
Ultimately, the arguments over the stength of fingerprint-based systems are likely to be trumped by the convenience factor. If using your finger to unlock your phone is easier and faster than tapping in a code then people will use it.
It's unlikely fingerprints will ever be used for authentication in more critical circumstances except when combined with something else. This 'two-factor' authentication usually requires something you have (your fingerprint) and something you know (perhaps a password or PIN).
So, get ready: the fingerprint revolution is on the way.
How much time do you spend thinking about IT security? Unless you have been affected by a security problem, you may have never given it much thought.
Your business probably has a number of people accessing its computer systems who are likely to manage their own passwords.
If they manage their own passwords, that means they are setting their own levels of security for your network. Beryl in accounts only comes in once a week, so she can’t be expected to remember anything complicated, can she? What’s wrong with ‘password’ anyway?
And Steve in the sales team dearly loves his fiancée, so why shouldn’t he have ‘Nicola’ as his password?
Passwords like these are a really bad idea because they’re easy to guess. In fact, ‘password’ is probably the worst you could possibly choose.
Not using effective passwords puts your entire system and company data at risk. Here’s how to come up with strong passwords.
Does every computer in your business have up-to-date security software? And do you assume that this is sufficient to protect them, no matter what they subsequently do online?
If you’ve answered ‘yes’ to both those questions, well done for having the software. But don’t think your job is done.
Staying safe isn’t just about having the right security software in place. The safest users are the ones who are well-informed, so help your staff to understand how your security software works, what spam, viruses and other threats look like … and how to spot a malware-infested website.
Make sure you have an IT security policy that explains what your people need to do to stay safe.
Firewalls act as a filter between your business network and the outside world. They allow safe traffic through, but block questionable connections before they can do harm.
Here’s a quick checklist to help you get your IT security basics right:
It is important your employees have safe, secure tools to go about their work with minimum risk to the business. Over and above that, they should be empowered and informed about security threats so they know how best to respond.
If you’re in any doubt about the security of your business, speak to an IT security specialist (perhaps your regular IT supplier) who can discuss your needs and the potential risks.
Adrian Case is technical director at Akita.
How often do you send confidential business documents via email? Weekly? Daily? Several times a day?
It's hardly surprising that we turn to business email when we need to send a document. It's quick, convenient and universal — pretty much everyone you need to contact has an email address.
But have you considered security? Any sensitive information contained in or attached to your emails will be stored on your company's email server. Often, this isn't scrambled or protected in any way.
If your server was hacked, for example, it would be trivial for online criminals to access this important information.
What's more, unless you take steps to hold on to it, the data on your email server won't stick around for ever. It might get automatically deleted after 30, 60 or 90 days.
If your company ever faces legal action, information about when you sent an email and what it contained can play a significant role in your defence. But only if you still have it, and can prove that it's not been tampered with.
An archiving system can help you address the security issues, while also ensuring you have a complete record of all emails sent and received by your company.
In fact, a proficient and advanced email archival program will keep all your emails and attached data safe, such as PDFs and Word documents.
You can be sued for breach of contract or unfair dismissal years after the event itself, so it may be a good idea to keep your email archive for six years or so. If you choose a good archiving system, that data will be stored in encrypted form and be easily searchable, so you can quickly find what you want.
If you've decided the time is right to store your confidential company data, you can outsource the work to a company that specialises in document archiving.
They will be able to offer a range of options to copy all your data and store it in a secure archive. And — of course — you'll benefit from their specialist knowledge and experience.
Alternatively, it is possible to create your data archive in-house. Doing this requires significant knowledge and effort, because you need to maintain your archive on an ongoing basis.
Whichever option you choose, you need to make sure it does the job it is supposed to do. That way you can avoid data breaches and external tampering, as well as having the necessary data to hand if you need it.
Leilah Osher is a small business consultant who specialises in writing about business storage services and document archiving.
We said PHISHING, not fishing.
In 2013, most of us are now aware of the online threat known as 'phishing', where cyber criminals use various techniques to gain access to your email or social media accounts or, worse, get hold of your bank account or credit card details.
However, you might not realise that phishing has evolved. Criminals now use increasingly sophisticated con tricks and scare tactics to dupe unsuspecting victims into handing over their sensitive data.
These days, phishing emails are less likely to come from fictitious foreign royalty and more likely to come from one of your social media connections or a trusted business contact – at least, that’s who the email will appear to come from
In reality, the sender will be a skilled confidence trickster prepared to spend time and effort slowly reeling you in.
Last year, the German Federal Court ruled that where people had fallen for phishing scams that appeared to originate from their banks, the victims were responsible for the losses, rather than the banks. This ruling may set an international precedent, which means protecting yourself against phishing could become even more important.
Here are my top three tips to avoid being hooked:
A common technique among phishing emails is to try to panic you into a kneejerk reaction.
For example, you may receive an official-looking email telling you that one of your online accounts has been compromised and urging you to update your password via a link provided.
Or you might be told your computer has a virus and that you need to download a new piece of software to repair it.
Don’t bite – these are very likely to be phishing scams.
Most reputable companies will never send emails asking for sensitive information such usernames, passwords, National Insurance numbers, bank or credit card details.
In the digital age, we’ve become accustomed to doing things quickly, often in a couple of clicks. A key to avoiding phishing is to slow things down.
If you receive an email that alarms you for any reason, treat it as highly suspicious and, above all, don’t click any links it contains.
Many phishing emails link to spoof websites that are practically identical to the real sites they are trying to mimic, such as your bank.
Some of these sites will collect your login information and then do nothing (alerting you to a problem) but others will link you back to the genuine site, covering their tracks.
If you receive an email containing a link, hover over it without clicking to reveal the web address that it will take you to.
If it contains long strings of numbers or looks different from the usual web address of the sender (e.g. if ‘Twitter’ is spelled ‘Tvvittler’), it’s dodgy. Note the address, then contact the company involved directly to find out if the email is genuine or not.
However, be aware it's not always easy to spot dubious links. It's always safer to type in the correct website address manually, then sign in yourself.
The rise of social networking has been a gift to cyber criminals. Most social network users willingly share masses of personal information on their public profiles. This often includes the names of spouses and children or family birthdays.
Unfortunately, the same people often use this information as the basis of their passwords. Scammers can also use this information to impersonate a trusted contact via an online message or email.
If you use social media, check your account settings to ensure your personal information can only be viewed by those in your network or, better still, be sensible about the information you post in the first place.
Also, never use the same password on multiple online accounts. Use a strong, unique password for each, protecting against a domino-effect where one account after another is hacked using the same password
Norman Begg works for online security company my1login.
Here's a list that might jolt you out of complacency if you're a bit lax when it comes to choosing and changing passwords.
SplashData, a leading provider of password management solutions, has put together a list of the 2012's worst passwords.
The list was compiled by analysing millions of compromised passwords that were posted online by hackers, and identifying the most common. It contains few surprises, but certainly underlines that we can all be far too slapdash when securing our online accounts.
Here are the top 10 worst passwords of 2012:
See any passwords you recognise? Change them, now. Because if you don't, it'll be child's play for a hacker to get in to your account.
Remember: the strongest passwords are as long as possible and use upper and lower-case letters, numbers and symbols. I like to choose a song lyric, take the first letters and then substitute in symbols and numbers where they're easy to remember.
For instance, the Rolling Stones' classic lines You can't always get what you want / But if you try sometimes you just might find can become:
DDoS stands for distributed denial of service. A DDoS attack sees hackers coordinate a network of computers in order to overload a web server with requests.
The result is that the server can become unavailable - taking down any websites or services that run on it.
An enormous DDoS attack hit the headlines earlier this year, sparked by a row between a spam fighting company and a web hosting firm. But it's not only high-tech firms and big companies that are at risk.
Online criminals are a far cry from what they were - in recent years they've become more sophisticated, more strategic and more debilitating to smaller businesses. In fact, they can leave your company devastated by stealing data and causing downtime.
You can be hit with a DDoS attack for all manner of reasons, including:
See the latest business tech bargains we've found online.
Or buy IT equipment now from these trusted suppliers:
And if you think your business is too small or insignificant to be worthy of a hacker's attention, here's what security firm Symantec had to say in its Internet Security Threat Report, released earlier this year:
“While it can be argued that the rewards of attacking a small business are less than what can be gained from a large enterprise, this is more than compensated by the fact that many small companies are typically less prepared in their cyber defenses.”
But before you panic, there are weapons you can use to protect your site and online services.
Many web hosts and internet service providers have begun to offer DDoS protection. These services monitor for unusual internet traffic and attempt to fend off DDoS attacks targeted at your site,
If you're not sure how well-protected your website is then it's worth taking some time to investigate further - especially if you rely on your website to bring in business or sell online.
Ask your web hosting firm what defences they have in place, and, if they offer a DDoS protection service, consider adding it to your account. Your web designer or IT supplier may also be able to advise on what would be the right level of protection for your company.
Would being more cyber secure help grow your business or add value for your customers and partners?
If so, you could be in line for £5,000 to spend on working with an external security expert for the first time.
These grants are available in the form of vouchers from the Technology Strategy Board. The aim is to support small companies, entrepreneurs and start-ups that see value in protecting and growing their online business by having effective cyber security.
This isn't 'free money' - the grant is paid to your business only once you show the Technology Strategy Board that you've finished the project in line with your original application and paid the supplier. (They do approve the project and supplier in advance, so as long as you stick to the plan you shouldn't be in for any unwelcome payment issues.)
It sounds like a great opportunity to improve your security if your business fits the criteria. The official website reckons you might be suitable for a voucher if you're looking to:
There's plenty of advice and guidance on the voucher website itself. A good place to start is probably this flyer (PDF link) that explains the voucher scheme and how to determine if you're eligible. The next deadline for applications is 24 July.
Unsurprisingly, UK IT suppliers are also keen to promote the voucher scheme. It was brought to our attention in a press release from security company Espion, which says it's happy to help companies with the application process.
Email email@example.com to find out more.
Even if cyber-security isn't where you need to invest at the moment, it may be worth having a quick look over the categories on the voucher website. Under the scheme, you can also apply for funding in areas like open data, energy and the built environment.