User login
Courtesy navigation
Search
Blog posts tagged security
Friday Donut tip: secure remote working
May 04, 2012
Every Friday we bring you a great business IT tip. From nuggets that make repetitive tasks easier to easy ways to banish tech annoyances, we’re here to help.
If there’s something you’d like our help with, send an email to info@itdonut.co.uk or just leave a comment on this post. We’ll try and cover it in a future IT Donut tip.
Safer remote working
As remote working becomes more common, businesses are having to cope with some new security risks. There’s the possibility of laptop theft, of course, and using insecure wireless connections means anyone could be eavesdropping on your data.
And what if your laptop gets rained on, or you leave it in a taxi by accident? You won’t just lose your laptop, but you’ll lose all the data on it too – and that could be a big blow to your business.
To avoid this happening, whenever possible, don’t save important documents and data to your laptop. If your business has a network server, you should have space on there to save everything. If you don’t have a network drive available on your computer, ask your IT supplier to set one up and put a shortcut on your desktop so you can find it easily.
Of course, it’s not always possible to save to a network server. If you’re not in the office, you need to be connected remotely to your company network so you can access your resources. If you’re working without a connection, save files to your laptop and make sure you copy them to the server once you’re back online.
Use the power of the cloud
If your company doesn’t have its own network server, you can achieve a similar effect using cloud storage. Services like Dropbox and Box let you create a special folder on your computer. Anything you save in there automatically gets copied to a server on the internet too. So if you lose your laptop, you don’t lose your data.
Finally, here’s one last tip for laptop workers: if you’re stepping away from your computer, make sure you lock it. In Microsoft Windows, just hold the Windows key and tap L. That’ll make sure nobody can meddle with it while you’re not there.
Shopping list: what you need to back up your data
April 23, 2012
Backing up your data doesn’t have to be that difficult. It doesn’t even have to involve expensive-sounding ‘backup solutions’ or wrestling with 300 individual CDs, each of which contains a small but crucial portion of your company’s data.
Here are some straightforward ways to get started. Obviously, they’re not your only options – so it’s a good idea to chat to your IT supplier to make sure you’re backing up everything you need to.
After all, there’s nothing worse than smugly telling everyone you’re all backed up, then realising you’ve lost your ground-breaking 400-slide PowerPoint presentation.
The cheap and cheerful option for home-based businesses
Sure, it might be cheap and cheerful, but this approach will get the job done for you.
Buy yourself two external hard drives. These can be attached to your PC, allowing you to copy data to and from them. Do this regularly. Daily if you can.
Copy all your important data, including accounting data, word processing and spreadsheet files, plus your email, calendar and contacts.
Some hard drives come with software to make this a bit easier for you. If you use Windows, you can get Microsoft’s free SyncToy software to automatically copy selected folders across to a second hard drive.
Why two hard drives? It covers you against the risk of fire, theft and other physical damage (like dinosaurs attacking your house). Keep one drive on the premises and keep the other one somewhere else – like with a friend or family member you trust. You’ll probably need to back up to that drive less regularly, but doing so weekly will ensure you can get most of your data back.
The other good option is some sort of online backup service. Over time these services usually work out more expensive than buying a couple of hard drives, but they are convenient. Try Dropbox, Mozy or Carbonite.
Something suitable for office-based companies
Ok, so you’re a business with its own premises and maybe a few employees. You’re right to think that you need something a little more advanced. But don’t worry – you still have a number of choices.
Again, online backup can be a really good place to start. But you have to be careful. You want a company you can rely on (because backups are the things you turn to as a last resort). And check the costs carefully. Many online backup services copy non-essential files, pushing up your monthly bill.
The main in-house option is – again – hard drives or tape drives. Tape drives have traditionally been used by companies to back up large amounts of data, but we tend not to recommend them so much these days because hard drives are so cheap.
A good set up is to have seven hard drives. Five of them do your daily backups during the week (Monday – Friday). Use the other two to take regular archives, but make sure at least one is off the premises all the time. Keeping it at your home is the obvious thing to do.
Again, software is available to make this process more straightforward. I usually recommend BackupAssist, because it can back up all your email, calendar and contact folders, and it’s reliable. Which, let’s face it, important
Here’s the most important thing…
From unlikely dinosaur attacks to the more plausible floods, fires, virus attack, hackers, computer crashes and accidental deletion, there are plenty of threats to your company data.
So the most important thing to do after reading this article is to act on it. Otherwise, by the time you realise you really need a backup system, it’ll be too late to do anything about it.
Craig Sharp is managing director of Abussi, an IT company based in Birmingham.
How hackers target your passwords
February 08, 2012
When you enter a gym’s locker room, there are hundreds of lockers. Each has its own combination lock. Without giving it too much thought, you open your locker using the combination only you know, which is the same combination you provided when you signed up at the gym.
Similarly, a password is a shared secret between a user and a service. When the user wants to connect to the service, they identify themselves with their username and prove that identity with the password.
The service checks the password. If it matches, the user is allowed to access the service.
We can think of the service as the locker, the username as the locker’s number and the password as the lock’s combination.
Problems occur, of course, if someone else has your combination. It could be that you use a very popular combination, or someone saw you using the same combination on your bag.
Alternatively, it could be that someone broke into the gym and saw the list of locks and combinations. Let’s take a look at these aspects in the virtual world.
How hackers break your passwords
On the internet, some passwords are more common than others. Hackers use lists of the most common passwords to increase their chance of guessing a user’s password quickly. The hacker tools used to guess these passwords are called crackers. Two types of crackers exist - online and offline:
- Online crackers use trial and error to break into a service, testing different passwords until the right one is found. The speed at which they can test passwords is limited by the speed at which the service accepts and handles requests. In many cases, online crackers can only try a few passwords because most services lock accounts after a certain number of incorrect passwords have been entered.
- Offline crackers are used when passwords are stolen from an online service, but are stored in a digested format. This means the service stores a mathematical transformation of the password rather than the password itself – it’s an extra security precaution. An offline cracker repeatedly chooses different passwords, transforms them to their digested format and compares them to the list. Offline crackers can run incredibly fast, depending on the power of the computer running the cracker.
To reduce the effectiveness of offline crackers, many services add a step to the process called salting. Using a salt, a different digest is created each time, even if the password is the same. So although salted passwords are not completely hack-proof, they’re much harder to guess.
How to secure passwords in your business
So, that’s how passwords get cracked. Now, how do you stop that happening to your business?
On an individual level, always use strong passwords – and don’t use the same password on different websites. Think about what information the password is protecting. You want a really strong one for your online banking, PayPal and other online services you consider sensitive.
Use a really strong password for your email too, as getting access here can allow a hacker to wreak havoc by resetting your passwords on lots of other sites.
In your business, it’s important to realise that you can’t trust your users to choose strong passwords themselves. If you give them the choice, they’ll simply choose weak passwords. In fact, two years ago a database containing 32 million passwords was leaked to the web. Analysis of these passwords showed that 20% of users chose the same passwords from a pool of 5,000 words.
It’s up to you – or your IT administrator - to keep the passwords secure. Here’s how
- Enforce strong password policies. Force passwords to have a minimum length, ban common passwords and require a mix of characters (digits, letters, uppercase, lowercase, etc).
- Make sure passwords are not transmitted in the clear. Passwords are vulnerable to interception if they’re transmitted across networks or the internet. Always use encryption, or use a technique that ensures the password itself never travels through the network.
- Don’t store passwords in plain text. Doing so means that if a hacker breaks into your systems, they can just grab and make off with your passwords. Salt and digest a password before storing to the database.
- Detect and block brute force attacks. Put obstacles in the way to stop online crackers trying lots of different passwords for user accounts. Use CAPTCHAs and restrict the number of times people can retry their passwords.
- Force people to change passwords regularly. Many businesses require users to change passwords every couple of months, or when they suspect an account has been compromised.
- Allow and encourage passphrases instead of passwords. That means using sentences instead of passwords. Although that may be longer, they’re easier to remember. And because they’re longer, they’re more difficult to break.
Implementing many of these precautions will require help from your IT staff or IT supplier. But if you’re going to maintain the security of your systems and website, it’s vital you think carefully about enforcing a strong password policy.
Noa Bar-Yosef is Senior Security Strategist at Imperva.
Information is the lifeblood of business, so why don't small companies protect it?
February 02, 2012
Information is the lifeblood of a business. Without it, everything else you need to make a business tick - like sales, customers or profit – stalls permanently. So making that information easily accessible is vital.
As it’s so important, you’d expect the information to be easily available to the people who need it, and protected from those who don’t. However, the reality is different: at last year’s IP Expo, 60% of people surveyed by my company City Lifeline said they had lost access to their company’s IT system following an unexpected incident. Oops.
In 40% of these cases systems were down for six hours or more, bringing the business to a halt for an entire working day. Just think of all the things your business uses IT for in just one day. Imagine not being able to access your email, check customer documents or view essential data.
Losing access to your data hurts your pocket too. Symantec’s 2011 SMB Disaster Preparedness Survey found that losing access to data and electronic communication systems costs small companies an average of £7,500 a day in lost business and productivity.
Prepare for the very worst
Unplanned downtime can stem from something as innocent as a workman cutting through a power cable or as sinister as a malicious cyber attack. Whatever the cause, they all have one thing in common: the element of surprise.
The best business owners not only prepare for the things that are going to happen, but also for things that could happen. “I didn’t know it was going to happen,” is not much of an excuse when faced with an angry customer or an office full of staff who can’t get their work done.
If your business’s information is adequately backed-up, the chances are good that your IT systems will be working by the end of the day. But if not, the consequences can be disastrous. In a worst case scenario the lost data can never be recovered, and neither can the business.
Some research suggests up to 70% of small businesses that lose data in a major incident are forced to shut within a year. Yet the Symantec report mentioned above also shows that less than half of smaller businesses bother to back up data every week. A mere 23% take daily backups.
Risks are part of business, but...
Taking the odd risk is part and parcel of being in business, but risking the safety of your information is equivalent to cutting off your oxygen supply. Huge corporations often have the money, expertise and resources to escape from a tricky IT gaffe. Quite often, smaller businesses do not.
This vulnerability makes investing in off-site data backup vital. It only takes a one-off incident to disable access to your IT systems. And it only takes one major incident to cripple your business forever.
If you lack the time and resources to create a backup strategy from scratch, it may be worth working with an IT supplier which can store your data securely in a different location. Some suppliers operate or have space in colocation data centres, highly secure buildings specifically designed to keep your information safe. (The company I work for, City Lifeline, offers colocation services.)
Do your business justice by investing in your information in the same way you would invest in a new computer or member of staff. Your information is key to your company’s viability, so return the favour and look after it just as well.
- Continuity planning and backup options
- Find the right backup methods
- Five mistakes you may be making with your IT security
Roger Keenan is MD of City Lifeline.
Why you need a security policy
July 21, 2011
Not a secure way to store passwords. (Image: Nina Matthews Photography on Flickr.)
News just in. Your computer system has been broken into! Yes, your impregnable firewall, amazing anti-virus and 99.9% secure password have all been breached. How could this be? Step forward your company employees.
Recent studies have compounded old research highlighting the astounding ignorance and negligence of employees when it comes to security. Read on to see three ways your employees can undo all your investment in security, and to find out where you may be at risk.
Strangers in the office
A Computer Weekly survey reported that only 4% of employees would challenge a stranger walking into their office and sitting down at a computer. What's more, only 3% would actually ask them for identification.
I'd hope those figures would be higher in smaller businesses, where it's more common for everyone to know everyone else who works there. But it still demonstrates why you need a system of identification of authority - like ID cards - in the office.
Passwords are key
Password security is another key aspect. Aside from the oft-discussed need to use upper and lower case letters, numbers and other random symbols in passwords, it’s how your employees remember logins that can fall short.
A common approach is to write passwords on post-it notes, then stick them under phones or keyboards. Worse, some people stick them in plain view. This gives any intruder a reasonable chance of gaining access with no tools or knowledge of your systems.
One reason passwords are such an issue is that people don't see them as being particularly valuable. One survey found 90% of commuters were happy to exchange their passwords for a free pen!
Sure, some passwords may have been fakes to get a free pen. But the statistics still show a lack of understanding about the damage even a low level user’s password can do in the wrong hands.
Approve all hardware and software
A Valentine's Day study provided random workers with CDs, claiming they contained a promotion to win a romantic holiday. In reality, the CDs sent people to a website promoting security.
The point of the exercise was that the people behind the CD were able to run unauthorised software on computers situated within a company's IT system. According to the study, 75% of people ran their CD.
And a more recent study by the US Department of Homeland Security involved leaving unmarked pen drives and CDs in company car parks, then letting curiosity do the work.
Again, no malicious code was run, but the potential for wrongdoing was there. CDs and pen drives were inserted by 60% of people. If the CD or pen drive had a logo on it, that figure rose to 90%. Scary stuff.
Get your security policy right
I hope these stories have opened your eyes to how even the simplest, most innocent notions can compromise your company’s security. Have you been hit by negligent employees? Do you think you’re at risk? Leave a comment below to let us know.
John Sollars is MD of Stinkyink.com
2011: the year of the data breach?
April 08, 2011
Are you taking care of data properly? (Image: Flickr user dawnzy58 under Creative Commons.)
If the first months of 2011 are anything to go by, this could be the year of the data breach. It almost seems like companies are falling over each other to give away information about their customers.
Here are three high-profile data breaches that have hit the headlines in the last month alone.
While you read about them, think about how many smaller incidents may go unreported or even undetected. Then stop to consider if your business does enough to safeguard its customer data.
1. The Epsilon effect
Epsilon runs huge email marketing operations for clients like Citibank and Marks & Spencer, yet still managed to have millions of customer email addresses stolen when someone got into the company's systems without authorisation.
What we can learn: the information stolen during this breach belonged to Epsilon's clients, many of whom have since warned customers that they may receive more spam as a result.
So, if your business shares data for marketing purposes or joint ventures, make sure you only work with partners you trust, and ask searching questions to find out how they protect the data. Get a strong contract in place that - if possible - places financial liability for data breaches on their shoulders.
2. Don't Play with your data
Hugely-successful Jersey-based online retailer Play.com suffered embarrassment last month when users reported receiving junk email to addresses they'd only ever used on the site. It soon emerged that a company responsible for some of Play.com's marketing communications had suffered a breach.
What we can learn: spotted the pattern yet? Just as with the Epsilon breach, although Play.com customers were affected, the leak actually occurred at another company.
However, Play.com's subsequent customer communications are an exercise in good damage limitation. They apologised quickly, explained what went wrong and described the possible consequences for customers.
3. Losing data the old-fashioned way
York City Council adequately demonstrated that you can lose data without turning to high-tech hackers. All you have to do is print it out and then send it to the wrong place. The council was criticised this week for accidentally posting personal information to a third-party.
What we can learn: hard copies can cause problems too, especially when left lying around. If you have to print out sensitive information, grab it from the printer quickly, then keep it somewhere it can't get mixed up with other paperwork. Once you're done with it, shred it.
Small business technology advice, tools and resources | IT Donut
Copyright © 2010-2012
