There’s always more you can do to protect your business from security threats. But there’s never quite enough time to do everything.
So, here are eight easy ways to give your company security a bit of a boost.
Unlike in the fashion industry, old tech rarely becomes cool again. You aren’t going to get any new customers because you run Windows 98.
Also, the latest operating systems have better security features, meaning you'll be better protected from web threats.
The same applies if you’re using Mac OS, or some other operating system. Stick with the latest version to be safest.
Internet Explorer is so 2004 and people using it tend to get targeted because hackers know they’re not likely to be very web-savvy.
Constant update notifications from your software can be really annoying, but ignoring them could end up causing you more problems.
Virtual bugs are just like real life ones — they’re constantly evolving to find different ways to infect you. Updates contain new info on how to swat the bugs. Unless you install them, you won't see the benefit.
If your password for something is 'password' then you're in for a bad time of it. Hopefully your passwords aren't this terrible, but it's likely they could be improved.
For maximum security, use a random combination of upper and lowercase letters, numbers and symbols. You can use a service like LastPass to help you remember them.
It sounds technical, but all two-factor authentication means is that logging in requires you to prove your identity in two ways. Usually, you need a password you know and a reference code that’s sent to your mobile phone.
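The "reference code sent to your mobile phone" step, seen from the server's side, as an added example (not part of the original tip sheet and not any particular product's code). It assumes a five-minute code lifetime and a five-attempt limit, both chosen for the demonstration; sending the SMS itself is outside the snippet.

```python
"""Issue and check a one-time code for the second login factor.
Added example; the TTL and attempt limit are assumed policy values."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: lock the challenge after this many wrong guesses

_challenges = {}         # user -> {"hash", "expires", "attempts"}


def _hash_code(user: str, code: str) -> str:
    # Bind the stored hash to the user so a code issued to one account
    # cannot be replayed against another.
    return hashlib.sha256(f"{user}:{code}".encode()).hexdigest()


def issue_code(user: str, now: float = None) -> str:
    """Generate a random 6-digit code, store only its hash plus an expiry,
    and return the code so the caller can send it by SMS."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _challenges[user] = {
        "hash": _hash_code(user, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(user: str, attempt: str, now: float = None):
    """Return (ok, reason). A code is single use, expires, and the
    challenge is discarded after too many wrong guesses."""
    now = time.time() if now is None else now
    ch = _challenges.get(user)
    if ch is None:
        return False, "no code outstanding"
    if now > ch["expires"]:
        del _challenges[user]
        return False, "code expired"
    ch["attempts"] += 1
    if ch["attempts"] > MAX_ATTEMPTS:
        del _challenges[user]
        return False, "too many attempts"
    # Constant-time comparison so timing does not leak how close a guess was.
    if hmac.compare_digest(ch["hash"], _hash_code(user, attempt)):
        del _challenges[user]   # single use: a captured code cannot be reused
        return True, "ok"
    return False, "wrong code"


if __name__ == "__main__":
    c = issue_code("demo-user")
    print("sent code", c, "->", verify_code("demo-user", c))
```

The password check that precedes this step is unchanged; the code only proves possession of the phone, which is why it must be short-lived and single use.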
We’ve all had one of those moments when your jaw drops, you stare blankly at the screen and think: ‘I've made a huge mistake.’ It’s at times like these that System Restore can be a lifesaver.
System Restore is a feature in Windows that allows you to roll your computer back to a previous point in time. The idea is that if something goes wrong, you can go back to the last ‘known good’ configuration.
Your computer will probably create restore points on its own, but you can do it yourself when you make major system changes, too.
Ok, here’s the worst case: your computer is so utterly cream-crackered that you need to wipe it and start again.
If you’ve been backing up your data regularly then the process of getting back to normal becomes much less painful.
To be honest, this point alone could make up a whole new tip sheet. But in a nutshell, try to stick to websites you trust.
Sites listed higher up in search results are more likely to be safe because more people have used them.
There are some dark and dingy corners of the internet. Try and avoid them.
Nick Chowdrey is a finance and accounting writer for Crunch, an online accountancy firm for freelancers and small businesses.
If you’re focusing all your IT security efforts on things like anti-virus and firewalls, are you missing the biggest risk of the lot?
And if you’re running your own business, it’s worth listening to the opinions of IT professionals. They know technology, and they can see where the biggest risks lie.
So, what can you do?
Your staff pose a bigger threat these days because the nature of security threats has changed over the last few years. Many organisations — both large and small — have struggled to keep up.
While back in 2008 or 2009 we were all worried about viruses, spyware and Trojans, these days it’s more targeted threats like spear phishing that are most likely to have IT managers worried.
These attacks are on the rise because they’re effective. Even the most tech-savvy of your staff can be tempted into clicking an email when they shouldn’t. And often, the biggest data breaches can be tracked back to a single, unfortunate click.
It’s important to make your staff aware of how phishing scams operate. You can also give them pointers so they know how to spot potential security breaches.
However, you can’t expect your employees to be infallible. People make mistakes, which means it’s vital you have some additional checks and precautions in place.
A good starting point is to make sure you allow access to data on a ‘need to know’ basis. Resources like your customer database, your accounting system and any shared folders often contain lots of sensitive data.
Rather than allowing everyone to have access to all these resources, the default setting should be that people don’t have access. If an employee needs it — and there’s a good case for it — then you can open up access on an individual basis.
This reduces risk because you’re adding extra layers of protection. If a hacker manages to guess the password of an employee, they’ll still face barriers when trying to reach privileged information.
It might cause a little inconvenience when someone needs to request access to a particular resource. But it’s better than giving hackers a free run of the place.
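The "need to know" rule above, written out as an added example (not code from the original article): access is denied unless someone has recorded a grant with a reason and an approver, and the policy can report what a single compromised account would reach. The users, resources and grants are constructed for the demonstration.

```python
"""Default-deny access policy with per-user grants.
Added example; all names and grants below are constructed."""
from collections import defaultdict


class AccessPolicy:
    def __init__(self):
        # user -> {resource: {"why": ..., "approved_by": ...}}
        self._grants = defaultdict(dict)

    def grant(self, user: str, resource: str, justification: str, approved_by: str) -> None:
        """Open access for one person to one resource, recording the case made for it."""
        if not justification or not approved_by:
            raise ValueError("every grant needs a written reason and an approver")
        self._grants[user][resource] = {"why": justification, "approved_by": approved_by}

    def revoke(self, user: str, resource: str) -> None:
        self._grants[user].pop(resource, None)

    def allowed(self, user: str, resource: str) -> bool:
        # Default deny: an unknown user and an ungranted resource both come back False.
        return resource in self._grants.get(user, {})

    def reachable(self, user: str) -> list:
        """Everything someone holding this user's password could get to."""
        return sorted(self._grants.get(user, {}))

    def audit(self) -> dict:
        """Who has what and why: the list to review when someone changes role or leaves."""
        return {u: dict(r) for u, r in self._grants.items() if r}


def build_sample_policy() -> AccessPolicy:
    """Constructed sample: the two staff members from the page's examples."""
    policy = AccessPolicy()
    policy.grant("beryl", "accounting_system", "weekly bookkeeping", approved_by="owner")
    policy.grant("steve", "customer_database", "sales follow-up calls", approved_by="owner")
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    for user in ("beryl", "steve", "temp-contractor"):
        print(user, "can reach:", p.reachable(user) or "nothing")
```

Because the check is a lookup in an explicit grant table, adding a new shared folder or database changes nothing for anyone until a grant is written for it; that is the property the paragraph above asks for.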
You’ve already seen our exciting IT predictions for 2014. But what of IT security and data protection? Are there any threats your business needs to know about?
Alex Balan, head of product management at internet security firm BullGuard, has come up with these ten predictions.
It’s devious and destructive and it makes hackers money. Ransomware has been around a while, but because it’s effective it’s going to be around for a lot longer.
A good example of ransomware is Cryptolocker. It encrypts your documents and shows a message saying you must pay a ransom to get your computer back. If you don’t pay up then you lose your data — and there’s little anyone can do to help you.
There is a growing body of evidence to show mobile devices being attacked, with online criminals often aiming to steal personal financial details.
This is hardly surprising given the explosive growth in smart phones and tablets. There’s plenty of data on mobile devices to be stolen. Hackers can also make money by setting up their own premium-rate numbers, then dialling them from compromised mobile phones.
Learn more about mobile security software.
The news about the NSA and GCHQ monitoring internet traffic, emails and phone calls was the most important cyber security event in 2013. These revelations have increased awareness of the need for personal security.
Until now, people have generally only taken security precautions reactively, typically after something has happened. But now they’re becoming more proactive. This will create a growth in technologies to help users keep their communications and data private.
We’re likely to see more attacks on old software and systems that are full of security holes. For example, Microsoft’s Windows XP reaches the end of its life in April, which means no more updates, even if a security problem is found.
This popular but creaking operating system is widely used and how many people know Microsoft is turning its back on it? Hackers know, of course. There will be many attempts to find new exploits in XP, which means many people will fall victim to malware.
You may or may not have heard of the ‘internet of things’. It describes the increasing connectedness of everyday objects. We have internet-connected webcams, CCTV systems, televisions, digital video recorders and even baby alarms. These devices may be vulnerable to attack.
It might sound bizarre, but soon we’ll see fridges, toasters and other devices that are hooked up to the internet. Don’t be too surprised when you hear of these things being hijacked by hackers (fancy a hacked toilet, anyone?).
Never in the history of humankind has an industry grown so rapidly and so pervasively as technology. It reaches into every corner of our lives. Film cameras are a thing of the past, physical bank branches are becoming quaint and well-known retailers have disappeared from the High Street.
But what happens when computers crash? Thankfully, more people are aware of the potential for damage, and this is leading to an increase in back-up technologies. Expect the arrival of more backup services this year — especially ones that work over the internet.
Biometric authentication is widely regarded as the most secure form of identity control. Early systems were slow and intrusive, but because today’s computers are faster and cheaper than ever, the interest in biometrics has been renewed.
There are several types of biometric authentication in use, but fingerprint authentication is becoming the most common. We’ll see more computers, mobile devices and accessories with built-in fingerprint readers this year.
Law enforcement agencies have scored some significant ‘deep web’ successes in the past year, most notably the takedown of the Silk Road website, where users could buy anything from heroin and cocaine to guns and fake currency.
Authorities will continue to make inroads into the deep web in 2014 but the odds are that deep websites will respond by making it harder to take down sites or identify the people responsible.
You may not realise it, but when you take your smart phone into the workplace and hook it up to your computer, you’re committing a security faux pas. If your device has malware on, you risk releasing it into the company network.
Hackers love breaking into company networks because they are treasure troves. And because smart phones are so popular, hackers are targeting them in order to access corporate networks. We’ll see an increase in this type of activity in the coming year, so it pays to be aware.
When an internet service provider (ISP) gets hacked it resonates long and loud. In April 2013 UK giant BT dumped Yahoo as its email provider following months of hacking complaints from customers.
Many hackers break into ISP systems just to get free broadband, but at the organised crime end of the spectrum it’s done to launch large-scale spam and malware attacks. Don’t be surprised to see more ISP hacks in the coming year.
This is a guest post from Alex Balan, head of product management at BullGuard.
Here's a nice little tool that can keep you occupied this Friday afternoon and help you understand how hackers go about guessing passwords.
It uses real-world data — including passwords that have been made public by security breaches, and phrases commonly used online — to provide three 'best guesses' each time you enter a letter.
This reflects the kind of technique hackers might use when trying to guess passwords with brute force (basically, trying loads of passwords until they find one that works).
Once you've typed your whole password, you can see how many characters Telepathwords was able to guess. Five or more ticks above your password shows that it's reasonably strong.
Apple's iPhone 5s has one particularly striking new feature. There's a fingerprint reader built into the phone's home button, which means you can unlock the phone and authorise purchases using your fingerprint instead of having to tap in a code or password.
As with many of Apple's apparent innovations, this has been done before. Motorola's ATRIX handset has a fingerprint scanner and that launched in 2011. The only problem was reviews found it to be unreliable.
First impressions of the iPhone's fingerprint scanner, on the other hand, suggest that it works very well. If it proves reliable over time, then the new iPhone could be the first in a wave of products that bring fingerprint recognition to the masses.
At face value, this is A Good Thing. Who hasn't struggled to recall an impossible-to-remember password at some point or other? As we've said before on this very blog, 'passwords are fundamentally broken'.
Before we start using fingerprints for everything from mobile phones to internet banking, some experts reckon it would be an idea to think through the implications in a little more detail. After all, your fingerprint is very different to a password because it can't be changed.
Data protection expert Johannes Caspar put it well in a recent article for German newspaper Der Spiegel:
"The biometric features of your body, like your fingerprints, cannot be erased or deleted. They stay with you until the end of your life and stay constant — they cannot be changed. One should thus avoid using biometric ID technologies for non-vital or casual everyday uses like turning on a smartphone."
In short, your fingerprint is a one-shot deal. Once it's compromised, that's it.
As if to back up his point, a hacker club already claims it's managed to fool the iPhone's fingerprint reader by taking a photo of a fingerprint and using it to create a fake finger.
But if that's the case, surely it's silly to rely on fingerprints to provide any sort of meaningful protection at all. Using a fingerprint to authorise a bank transfer? Forget it. Controlling building access via fingerprints alone? Probably a no-go.
Then — of course — there are other fringe concerns about relying on fingerprints. The Daily Mail (who else?) warns iPhone thieves might start lopping off people's fingers. And what do you do if you've hurt a finger (pictured)?
Ultimately, the arguments over the strength of fingerprint-based systems are likely to be trumped by the convenience factor. If using your finger to unlock your phone is easier and faster than tapping in a code then people will use it.
It's unlikely fingerprints will ever be used for authentication in more critical circumstances except when combined with something else. This 'two-factor' authentication usually requires something you have (your fingerprint) and something you know (perhaps a password or PIN).
So, get ready: the fingerprint revolution is on the way.
How much time do you spend thinking about IT security? Unless you have been affected by a security problem, you may have never given it much thought.
Your business probably has a number of people accessing its computer systems who are likely to manage their own passwords.
If they manage their own passwords, that means they are setting their own levels of security for your network. Beryl in accounts only comes in once a week, so she can’t be expected to remember anything complicated, can she? What’s wrong with ‘password’ anyway?
And Steve in the sales team dearly loves his fiancée, so why shouldn’t he have ‘Nicola’ as his password?
Passwords like these are a really bad idea because they’re easy to guess. In fact, ‘password’ is probably the worst you could possibly choose.
Not using effective passwords puts your entire system and company data at risk. Here’s how to come up with strong passwords.
Does every computer in your business have up-to-date security software? And do you assume that this is sufficient to protect them, no matter what they subsequently do online?
If you’ve answered ‘yes’ to both those questions, well done for having the software. But don’t think your job is done.
Staying safe isn’t just about having the right security software in place. The safest users are the ones who are well-informed, so help your staff to understand how your security software works, what spam, viruses and other threats look like … and how to spot a malware-infested website.
Make sure you have an IT security policy that explains what your people need to do to stay safe.
Firewalls act as a filter between your business network and the outside world. They allow safe traffic through, but block questionable connections before they can do harm.
Here’s a quick checklist to help you get your IT security basics right:
It is important your employees have safe, secure tools to go about their work with minimum risk to the business. Over and above that, they should be empowered and informed about security threats so they know how best to respond.
If you’re in any doubt about the security of your business, speak to an IT security specialist (perhaps your regular IT supplier) who can discuss your needs and the potential risks.
Adrian Case is technical director at Akita.
How often do you send confidential business documents via email? Weekly? Daily? Several times a day?
It's hardly surprising that we turn to business email when we need to send a document. It's quick, convenient and universal — pretty much everyone you need to contact has an email address.
But have you considered security? Any sensitive information contained in or attached to your emails will be stored on your company's email server. Often, this isn't scrambled or protected in any way.
If your server was hacked, for example, it would be trivial for online criminals to access this important information.
What's more, unless you take steps to hold on to it, the data on your email server won't stick around for ever. It might get automatically deleted after 30, 60 or 90 days.
If your company ever faces legal action, information about when you sent an email and what it contained can play a significant role in your defence. But only if you still have it, and can prove that it's not been tampered with.
An archiving system can help you address the security issues, while also ensuring you have a complete record of all emails sent and received by your company.
In fact, a proficient and advanced email archival program will keep all your emails and their attachments, such as PDFs and Word documents, safe.
You can be sued for breach of contract or unfair dismissal years after the event itself, so it may be a good idea to keep your email archive for six years or so. If you choose a good archiving system, that data will be stored in encrypted form and be easily searchable, so you can quickly find what you want.
If you've decided the time is right to store your confidential company data, you can outsource the work to a company that specialises in document archiving.
They will be able to offer a range of options to copy all your data and store it in a secure archive. And — of course — you'll benefit from their specialist knowledge and experience.
Alternatively, it is possible to create your data archive in-house. Doing this requires significant knowledge and effort, because you need to maintain your archive on an ongoing basis.
Whichever option you choose, you need to make sure it does the job it is supposed to do. That way you can avoid data breaches and external tampering, as well as having the necessary data to hand if you need it.
Leilah Osher is a small business consultant who specialises in writing about business storage services and document archiving.
We said PHISHING, not fishing.
In 2013, most of us are now aware of the online threat known as 'phishing', where cyber criminals use various techniques to gain access to your email or social media accounts or, worse, get hold of your bank account or credit card details.
However, you might not realise that phishing has evolved. Criminals now use increasingly sophisticated con tricks and scare tactics to dupe unsuspecting victims into handing over their sensitive data.
These days, phishing emails are less likely to come from fictitious foreign royalty and more likely to come from one of your social media connections or a trusted business contact – at least, that’s who the email will appear to come from.
In reality, the sender will be a skilled confidence trickster prepared to spend time and effort slowly reeling you in.
Last year, the German Federal Court ruled that where people had fallen for phishing scams that appeared to originate from their banks, the victims were responsible for the losses, rather than the banks. This ruling may set an international precedent, which means protecting yourself against phishing could become even more important.
Here are my top three tips to avoid being hooked:
A common technique among phishing emails is to try to panic you into a kneejerk reaction.
For example, you may receive an official-looking email telling you that one of your online accounts has been compromised and urging you to update your password via a link provided.
Or you might be told your computer has a virus and that you need to download a new piece of software to repair it.
Don’t bite – these are very likely to be phishing scams.
Most reputable companies will never send emails asking for sensitive information such as usernames, passwords, National Insurance numbers, bank or credit card details.
In the digital age, we’ve become accustomed to doing things quickly, often in a couple of clicks. A key to avoiding phishing is to slow things down.
If you receive an email that alarms you for any reason, treat it as highly suspicious and, above all, don’t click any links it contains.
Many phishing emails link to spoof websites that are practically identical to the real sites they are trying to mimic, such as your bank.
Some of these sites will collect your login information and then do nothing (alerting you to a problem) but others will link you back to the genuine site, covering their tracks.
If you receive an email containing a link, hover over it without clicking to reveal the web address that it will take you to.
If it contains long strings of numbers or looks different from the usual web address of the sender (e.g. if ‘Twitter’ is spelled ‘Tvvittler’), it’s dodgy. Note the address, then contact the company involved directly to find out if the email is genuine or not.
However, be aware it's not always easy to spot dubious links. It's always safer to type in the correct website address manually, then sign in yourself.
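The hover test in the three paragraphs above, done programmatically, as an added example that is not part of the original post. It pulls every link out of an HTML email body, compares the visible text with the real destination, and looks for the signs the post names: a long run of digits, a bare IP address, and a domain that merely resembles a real one (the post's ‘Tvvittler’ case). The sample email, the allow-list of domains the sender is expected to use and the confusable-character table are all constructed for the demonstration.

```python
"""Flag suspicious links in an HTML email. Added example; the sample email,
KNOWN_DOMAINS and CONFUSABLES are constructed, not taken from any real mail."""
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Constructed allow-list: domains this sender is expected to link to.
KNOWN_DOMAINS = {"twitter.com", "example-bank.co.uk"}
# Constructed: character runs that make a lookalike resemble the real name.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so 'twittler' counts as one step from 'twitter'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels, or three under a second-level code such as .co.uk.
    Crude but fine for triage; a real tool would use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "org", "ac", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def imitated_domain(domain: str) -> Optional[str]:
    """The known domain this one imitates, or None if it is known or unrelated."""
    if domain in KNOWN_DOMAINS:
        return None
    folded = domain
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    for known in KNOWN_DOMAINS:
        if levenshtein(folded, known) <= 2:
            return known
    return None


def check_link(href: str, text: str) -> list:
    """Reasons a link is suspicious; an empty list means nothing was found."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https") or not host:
        return ["link is not an http(s) URL"]
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("link points at a bare IP address")
    elif re.search(r"\d{6,}", href):
        reasons.append("URL contains a long string of digits")
    domain = registrable_domain(host)
    mimicked = imitated_domain(domain)
    if mimicked:
        reasons.append(f"{domain} looks like an imitation of {mimicked}")
    # The visible text may itself look like a URL: compare it with the real destination.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != domain:
        reasons.append(f"link text shows {m.group(1)} but goes to {host}")
    return reasons


class LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Constructed sample of a phishing-style email body.
SAMPLE_EMAIL = """
<p>Your account has been compromised. Please visit
<a href="http://tvvittler.com/login">https://twitter.com/login</a> to reset
your password, or <a href="http://203.0.113.7/r/8813492201">click here</a>.</p>
<p><a href="https://twitter.com/settings">Manage your settings</a></p>
"""


def scan_email(html: str) -> dict:
    """Map each link in the email to its list of warnings."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "no warnings")
```

A link with no warnings is not proof of safety, which is the post's own caveat; the allow-list only knows the domains you told it about, so the manual fallback of typing the address yourself still applies.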
The rise of social networking has been a gift to cyber criminals. Most social network users willingly share masses of personal information on their public profiles. This often includes the names of spouses and children or family birthdays.
Unfortunately, the same people often use this information as the basis of their passwords. Scammers can also use this information to impersonate a trusted contact via an online message or email.
If you use social media, check your account settings to ensure your personal information can only be viewed by those in your network or, better still, be sensible about the information you post in the first place.
Also, never use the same password on multiple online accounts. Use a strong, unique password for each, protecting against a domino effect where one account after another is hacked using the same password.
Norman Begg works for online security company my1login.
Here's a list that might jolt you out of complacency if you're a bit lax when it comes to choosing and changing passwords.
SplashData, a leading provider of password management solutions, has put together a list of the 2012's worst passwords.
The list was compiled by analysing millions of compromised passwords that were posted online by hackers, and identifying the most common. It contains few surprises, but certainly underlines that we can all be far too slapdash when securing our online accounts.
Here are the top 10 worst passwords of 2012:
See any passwords you recognise? Change them, now. Because if you don't, it'll be child's play for a hacker to get in to your account.
Remember: the strongest passwords are as long as possible and use upper and lower-case letters, numbers and symbols. I like to choose a song lyric, take the first letters and then substitute in symbols and numbers where they're easy to remember.
For instance, the Rolling Stones' classic lines You can't always get what you want / But if you try sometimes you just might find can become:
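The lyric method just described, together with the length-and-character-mix rule from earlier in this post and the brute-force guessing idea from the Telepathwords post, as an added example (not code from the original and not the author's own result, which the page does not reproduce). It takes the first letter of each word, applies a substitution table, and then rates the result by length, character classes and a rough guess-count estimate. The substitution table, the sample phrase and the short list of known-bad passwords are constructed for the demonstration; only ‘password’ is taken from the page.

```python
"""Derive a password from a phrase and rate it. Added example; SUBSTITUTIONS,
COMMON_PASSWORDS and the sample phrase are constructed for the demonstration."""
import math
import re

# Constructed: letter -> symbol or digit swaps that are easy to remember.
SUBSTITUTIONS = {"a": "@", "s": "$", "i": "1", "o": "0", "e": "3", "t": "+"}
# Constructed stand-in for a breach-derived list; 'password' is the one the page names.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def phrase_to_password(phrase: str, substitute: bool = True) -> str:
    """First letter of every word, keeping capitals; lowercase letters with an
    entry in SUBSTITUTIONS are swapped for their symbol or digit."""
    words = re.findall(r"[A-Za-z0-9']+", phrase)
    chars = []
    for word in words:
        c = word[0]
        if substitute and c in SUBSTITUTIONS:
            c = SUBSTITUTIONS[c]
        chars.append(c)
    return "".join(chars)


def charset_size(pw: str) -> int:
    """Alphabet an exhaustive guesser would have to cover for this password."""
    size = 0
    for pattern, width in zip(CLASS_PATTERNS, (26, 26, 10, 33)):
        if re.search(pattern, pw):
            size += width
    return size


def rate_password(pw: str) -> dict:
    """Length, number of character classes, an entropy-style estimate in bits
    (length * log2(alphabet)), and the list of problems found."""
    problems = []
    common = pw.lower() in COMMON_PASSWORDS
    if common:
        problems.append("appears in a list of commonly used passwords")
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, pw)) for p in CLASS_PATTERNS)
    if classes < 3:
        problems.append("uses fewer than three character types")
    # A password on the common list is found in a handful of guesses whatever its shape.
    bits = 0.0 if common or not pw else len(pw) * math.log2(charset_size(pw))
    return {"password": pw, "length": len(pw), "classes": classes,
            "bits": round(bits, 1), "problems": problems}


if __name__ == "__main__":
    # Constructed sample phrase (Dickens), standing in for the lyric you would pick.
    phrase = "It was the best of times, it was the worst of times"
    for candidate in ("password", phrase_to_password(phrase, substitute=False), phrase_to_password(phrase)):
        print(rate_password(candidate))
```

The bits figure is the number an attacker who tries every combination would face; it says nothing about a phrase that is itself famous or guessable, which is why the common-password check comes first and overrides it.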
DDoS stands for distributed denial of service. A DDoS attack sees hackers coordinate a network of computers in order to overload a web server with requests.
The result is that the server can become unavailable - taking down any websites or services that run on it.
An enormous DDoS attack hit the headlines earlier this year, sparked by a row between a spam fighting company and a web hosting firm. But it's not only high-tech firms and big companies that are at risk.
Online criminals are a far cry from what they were - in recent years they've become more sophisticated, more strategic and more debilitating to smaller businesses. In fact, they can leave your company devastated by stealing data and causing downtime.
You can be hit with a DDoS attack for all manner of reasons, including:
See the latest business tech bargains we've found online.
Or buy IT equipment now from these trusted suppliers:
And if you think your business is too small or insignificant to be worthy of a hacker's attention, here's what security firm Symantec had to say in its Internet Security Threat Report, released earlier this year:
“While it can be argued that the rewards of attacking a small business are less than what can be gained from a large enterprise, this is more than compensated by the fact that many small companies are typically less prepared in their cyber defenses.”
But before you panic, there are weapons you can use to protect your site and online services.
Many web hosts and internet service providers have begun to offer DDoS protection. These services monitor for unusual internet traffic and attempt to fend off DDoS attacks targeted at your site.
If you're not sure how well-protected your website is then it's worth taking some time to investigate further - especially if you rely on your website to bring in business or sell online.
Ask your web hosting firm what defences they have in place, and, if they offer a DDoS protection service, consider adding it to your account. Your web designer or IT supplier may also be able to advise on what would be the right level of protection for your company.
Would being more cyber secure help grow your business or add value for your customers and partners?
If so, you could be in line for £5,000 to spend on working with an external security expert for the first time.
These grants are available in the form of vouchers from the Technology Strategy Board. The aim is to support small companies, entrepreneurs and start-ups that see value in protecting and growing their online business by having effective cyber security.
This isn't 'free money' - the grant is paid to your business only once you show the Technology Strategy Board that you've finished the project in line with your original application and paid the supplier. (They do approve the project and supplier in advance, so as long as you stick to the plan you shouldn't be in for any unwelcome payment issues.)
It sounds like a great opportunity to improve your security if your business fits the criteria. The official website reckons you might be suitable for a voucher if you're looking to:
There's plenty of advice and guidance on the voucher website itself. A good place to start is probably this flyer (PDF link) that explains the voucher scheme and how to determine if you're eligible. The next deadline for applications is 24 July.
Unsurprisingly, UK IT suppliers are also keen to promote the voucher scheme. It was brought to our attention in a press release from security company Espion, which says it's happy to help companies with the application process.
Email email@example.com to find out more.
Even if cyber-security isn't where you need to invest at the moment, it may be worth having a quick look over the categories on the voucher website. Under the scheme, you can also apply for funding in areas like open data, energy and the built environment.
Sepp Blatter had his Twitter hacked this year. (Image: AsianFC on Flickr.)
Social networks. Once you've got your head round them, they can be a good way to find new customers, and a great way to build the profile of your business. Our sister site, Marketing Donut, is packed with social network advice if you need it.
But over here on IT Donut, we like to take a more cautious view and think about the risks involved in these new channels.
Unfortunately, there are security risks attached to most aspects of business IT. And while you can certainly use tools like Twitter successfully without knowing about these concerns, if you do know about them then you're far less likely to come to any harm.
A few weeks ago, for instance, Sepp Blatter was targeted on Twitter, though given the Head of FIFA's tendency to make controversial statements, some might argue it was hard to tell. And lots of businesses have fallen victim to social network hacks, including The Telegraph, McDonalds and Jeep.
It happens to other individuals and companies all the time too, often via phishing attacks that trick people into giving away their credentials. Symantec’s Internet Security Threat Report found the number of phishing sites that spoofed social network sites increased 123% last year.
If you use Twitter - or other social networks - for your business, it's a good idea to get clued up about social network phishing attempts. Here are some tips to keep you safe:
Have you suffered any social media security problems? Leave a comment and let us know.
Do your staff understand the full risks involved if they lose their business smart phone or another mobile device that contains company data?
Quite possibly not, according to new research carried out on behalf of Kaspersky Lab. It found that over three-quarters of people working in European small and medium-sized businesses would wait more than an hour before telling the company about the theft or loss of a business-owned device.
An hour doesn't sound long, but if a company smart phone falls into the wrong hands, 60 minutes is time enough to do a whole lot of damage. Racking up call charges to premium rate or international numbers is the least of your worries. Being slow to report a stolen device could see your valuable company data being siphoned off.
Customer and employee contact details, financial information, confidential emails, access to company Twitter and Facebook accounts ... these days a smart phone is as powerful as a computer, only harder to secure and easier to lose. You need to treat it with the same amount of care.
What's more, the research questioned IT managers too. 29% of them reckoned it would take a whole day for employees to tell them about a lost or stolen device.
David Emm, senior security researcher at Kaspersky Lab, has some good advice for companies that want to take better care of their mobile devices.
“The ever-growing abilities of mobile devices make our lives much easier," he confirms. "However, what we don’t always consider is the ease with which such tools can be stolen, leaving a wealth of business critical information in the hands of thieves."
"To a seasoned cybercriminal, it will take only a matter of minutes to bypass the four digit password protection used on most devices, especially smart phones. If your mobile device is lost or stolen, it is critical that the IT department is informed as fast as possible. They can then block access of this device to the corporate network and, in the best case, wipe all of its data.”
Of course, you can't remotely wipe a device unless you've put in place systems to let you do this. If you're a sole trader or run a very small company, it's probably enough to take steps to back up each individual device and install a remote wipe app. Read our advice here.
Larger businesses will want to look into mobile device management (MDM) solutions. MDM software gives you much greater visibility and control of the mobile devices in your business, so you can restrict how they're used, what's stored on them and - crucially - scrub them clean and lock them out of the company network.
Make sure you keep yours safe. (Image: Flickr user Johan Larsson.)
New smart phones have some strong security measures enabled out of the box. But did you know there are some simple steps you can take to make sure yours is secure?
The simplest thing you can do to protect your smart phone is to set a passcode. Once set, you will be required to enter the code to unlock and use your phone. The minor inconvenience of entering this each time will pay major dividends if your phone is ever lost or stolen.
A thief will be unable to access your phone without the passcode.
Along the same lines, you should also make sure your phone is set to lock automatically when not in use. This means you won't have to remember to lock it yourself each time.
Keeping your smart phone updated with the latest software is just as important as keeping your computer up to date.
Installing the latest updates helps you avoid any security problems that could affect your mobile operating system. For example, a security flaw in previous versions of Apple's iOS (which runs on every iPhone) could allow an attacker to bypass your lock screen.
You can search our website for details of security vulnerabilities affecting your particular model of phone.
All of the rules you've learned about being safe on your desktop computer apply when you're using your smart phone.
Be careful using public wireless connections, and be particularly wary when the network doesn't require you to enter a password to connect. Traffic on those networks travels over the air unencrypted, so anyone in range can capture whatever your phone sends in the clear. Only the sites and apps that use HTTPS encrypt their own traffic on top of that.
Double-check the network you're connecting to is the one you think it is. Some attackers may try to steal your data by posing as a legitimate hotspot.
If you work with sensitive data a lot, consider a secure VPN connection for when you use public Wi-Fi. A VPN encrypts everything between your phone and the VPN server, so your data stays protected even if you've connected to a dodgy network.
Giri Sreenivas is vice president of Mobile at security specialists Rapid7.
Distributed denial of service attack. DDoS for short. Four letters that can strike terror into the heart of anyone who's been on the receiving end of one.
DDoS attacks aim to take websites offline by overwhelming them with requests for information. Typically, they involve hundreds or thousands of computers, all coordinated to bombard the site simultaneously.
Often, the owners of these computers don't even know what's going on, because the source of the attack is malware that's infected their machines.
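To show what the pattern described above looks like from the receiving end, here is an added example (my own code, not from the original article). It runs over a constructed web server access log in which three ordinary visitors browse for a minute while 400 infected machines each request the front page twice in the same ten seconds. A per-address rate limit, the first thing most people reach for, sees nothing unusual because no single address is busy; only the aggregate request rate shows the flood. The log lines, addresses (from the documentation ranges) and thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Apache/nginx style access-log line: ip - - [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[Tuple[str, datetime]]:
    """Extract (source address, timestamp) from one log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)


def peak_rate(times: List[datetime], window: int) -> int:
    """Largest number of requests that fall inside any `window`-second span."""
    times = sorted(times)
    best = start = 0
    for i, t in enumerate(times):
        while (t - times[start]).total_seconds() > window:
            start += 1
        best = max(best, i - start + 1)
    return best


def analyse(lines: List[str], window: int = 10, per_ip_limit: int = 50, total_limit: int = 500) -> Dict:
    """Compare a per-source threshold with an aggregate threshold over the same log."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for parsed in map(parse_line, lines):
        if parsed:
            ip, t = parsed
            by_ip[ip].append(t)
    all_times = [t for ts in by_ip.values() for t in ts]
    noisy = sorted(ip for ip, ts in by_ip.items() if peak_rate(ts, window) > per_ip_limit)
    total_peak = peak_rate(all_times, window)
    return {
        "sources": len(by_ip),
        "noisy_ips": noisy,            # what a per-address limit would block: nothing
        "peak_requests": total_peak,   # what the server actually has to absorb
        "flood": total_peak > total_limit,
    }


def make_sample() -> List[str]:
    """Constructed log: three real visitors over a minute, then 400 bots hitting
    the front page twice each inside the same ten seconds."""
    t0 = datetime(2012, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip: str, t: datetime, path: str) -> str:
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 2326'

    lines = []
    for ip in ("203.0.113.5", "198.51.100.20", "192.0.2.9"):
        for k in range(10):
            lines.append(line(ip, t0 + timedelta(seconds=6 * k), "/products"))
    for k in range(400):
        bot = f"10.{k // 256}.{k % 256}.7"
        for offset in (30 + k % 10, 31 + k % 10):
            lines.append(line(bot, t0 + timedelta(seconds=offset), "/"))
    return lines


if __name__ == "__main__":
    print(analyse(make_sample()))
```

The sample produces 403 distinct sources, no address over the per-IP limit, and a peak of 806 requests in ten seconds, which is exactly why blocking individual addresses doesn't work against a distributed attack and why the capacity of your host matters.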
DDoS attacks have hit the news regularly in 2012. Last month, Theresa May and the Home Office were targeted. Back in May, Webfusion - one of the UK's largest web hosts - was on the receiving end of a sustained attack (the firm produced an interesting white paper explaining what happened).
The motives for DDoS attacks vary. Sometimes they're random. Sometimes they're political. But there's often a financial aspect. They can come from your competitors, or they can be blackmail, pure and simple. Pay up, or your website stays offline.
And although it's only big name brands that hit the news, online criminals are increasingly turning their attention to smaller companies. Without the resources to deflect attacks, they're softer targets.
As security expert Don Smith told us recently:
"More and more smaller companies are being attacked by cyber criminals, yet many still hold the view that they are too small to be targeted."
If you're not prepared, combating a DDoS attack can be tricky. When your website's overwhelmed by spurious traffic, you may find you're unable to even log in yourself.
In fact, the possibility of a DDoS attack is something you should consider when choosing a web host, because the way they handle them can vary remarkably.
Some hosting companies will simply take your website offline completely so that their other customers aren't affected. Worse, you might get a bill for the extra traffic the attack generated.
Other web hosts will provide far more constructive assistance. Ask if they can give you examples of how they've fended off attacks in the past, and look for security features that come as part of your package, like DDoS protection.
Also make sure they keep their servers and apps up-to-date, because out-of-date server software, ecommerce and content management tools often have known weaknesses that make them much easier to knock over.
Have you ever suffered a DDoS attack? How did you cope?
How secure is your personal identification number (PIN)? An enlightening study reveals many PINs are predictable and easy to guess. So, is it about time you changed your PIN?
The fascinating study, by Data Genetics, reveals the most commonly used PINs and therefore the ones most likely to be guessed.
It found that the most infrequently used PIN is 8068. Does that make it the safest? Well, perhaps, although now it's been revealed in this study, it might become a lot more popular!
According to the stats, the most common PIN is 1234. Out of the 3.4 million numbers surveyed, it made up 11% - or 374,000. What little imagination some people have!
In fact, the top 20 PINs all fall into the category of 'easy to remember'.
It seems PINs with lots of repetition or a pattern to them are chosen most frequently. Interestingly, 2580 comes just outside of the top 20 at number 22. This looks like a random number until you realise these are the numbers down the centre of a telephone keypad.
Other easy-to-remember four-digit PINs come from years of birth. A disproportionate number of PINs begin with 19. This is bound to change to 20 as the population ages. Day and month of birth also figure quite prominently.
Most devices, credit cards and locks that are protected by a PIN limit the number of times an incorrect number can be entered. So does it matter if you use a common PIN?
Well, let's think about it in more detail. If I'm a bad guy and I get hold of your bank card, I generally get three guesses before the card is locked.
Going from the statistics in the study, if I take the three most common PINs as my starting point, I have a one in five chance of getting yours right. Not bad and probably worth a gamble.
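To put numbers on that gamble, here is an added example (my own code, not from the study or the article). Only the 11% figure for 1234 comes from the text; the other frequencies in the table are constructed for illustration. The first half works out how much better a thief does by guessing popular PINs in order, with three attempts before the card locks, compared with guessing against a PIN chosen at random. The second half is a check for the patterns the study found most popular (repeated digits, sequences, keypad lines, years and dates), so you can test whether your own PIN is one of the easy ones.

```python
from typing import Dict, Optional

# Constructed, illustrative distribution of popular PINs. Only the 1234 figure
# (11%) comes from the article; the other values are assumptions for the demo.
SAMPLE_PIN_FREQUENCIES: Dict[str, float] = {
    "1234": 0.11,
    "1111": 0.06,
    "0000": 0.02,
    "1212": 0.012,
    "7777": 0.007,
}
PIN_SPACE = 10_000  # every four-digit PIN from 0000 to 9999

# Straight columns on a telephone keypad, read top-down or bottom-up (2580 is the middle one).
KEYPAD_LINES = {"1470", "0741", "2580", "0852", "3690", "0963"}


def success_probability(freq: Dict[str, float], guesses: int) -> float:
    """Chance that an attacker who knows the distribution and tries PINs in
    descending order of popularity succeeds within `guesses` attempts."""
    ranked = sorted(freq.values(), reverse=True)
    return sum(ranked[:guesses])


def uniform_probability(guesses: int, space: int = PIN_SPACE) -> float:
    """The same attacker against PINs chosen uniformly at random."""
    return min(guesses, space) / space


def attacker_advantage(freq: Dict[str, float], guesses: int) -> float:
    """How many times more likely the popularity-ordered attack is to succeed."""
    return success_probability(freq, guesses) / uniform_probability(guesses)


def is_weak_pin(pin: str) -> Optional[str]:
    """Return the popular pattern a PIN matches, or None if it matches none of them."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be exactly four digits")
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:
        return "repeated digit"            # 1111, 0000
    steps = {digits[i + 1] - digits[i] for i in range(3)}
    if steps in ({1}, {-1}):
        return "sequence"                  # 1234, 4321
    if pin[:2] == pin[2:]:
        return "repeated pair"             # 1212, 1313
    if pin in KEYPAD_LINES:
        return "keypad line"               # 2580
    if pin[:2] in ("19", "20"):
        return "year"                      # 1984, 2001
    first, second = int(pin[:2]), int(pin[2:])
    if (1 <= first <= 31 and 1 <= second <= 12) or (1 <= first <= 12 and 1 <= second <= 31):
        return "date"                      # 2512 or 1225 for 25 December
    return None


if __name__ == "__main__":
    print("three guesses, popular PINs:", success_probability(SAMPLE_PIN_FREQUENCIES, 3))
    print("three guesses, random PIN:  ", uniform_probability(3))
    for candidate in ("1234", "2580", "1990", "8068"):
        print(candidate, is_weak_pin(candidate))
```

With these figures the three-guess attack succeeds about 19% of the time against the population, versus 0.03% against a random PIN: a six-hundred-fold improvement for the thief. The real lesson of the checker is the other way round: a PIN the function returns None for is only "random enough" if you didn't pick it for some other memorable reason.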
Unless your bank can prove you have been grossly negligent with your PIN (sticking it to your credit card, for instance) the general rule is that you will be reimbursed for any financial loss if your card is stolen and your PIN used to extract money.
So, isn’t it simply a case of using the most convenient, easy to remember PIN and - should it get compromised - waiting for the banks to sort it out?
Well, even assuming you are able to reclaim your money, there's quite a kerfuffle involved in the process. Anyone who's gone through it will know that the inconvenience and lost time is enough to deter you from using a weak PIN.
In addition, you may highlight yourself as an easy target – if you did it once, why not again? Don’t bring unwanted attention on yourself just for the sake of four little numbers.
If government statistics are accurate, even the smallest companies need to give serious thought to IT security. That's because official figures show 76% of small businesses have reported a cyber-breach in the last year alone.
You can tell the government is alarmed by the statistics, because it has decided to establish a 'Cyber Reserve' force to deal with the security threats posed by online crime. It's uncertain what this means in practice, as the details won't be revealed until next year.
However, it should signal a more co-ordinated approach to combating cyber-crime, with the government recruiting experts to fight back against sophisticated hackers and fraudsters.
Although things have moved on considerably since this 2006 report found internet fraud was slipping through policing procedures, it still sometimes seems like online criminals are several steps ahead of the authorities.
Just in case the message hasn't sunk in yet, let's make it absolutely clear: your business could be a target for online criminals.
We recently spoke to security expert Don Smith who explained that smaller companies often find themselves singled out in online attacks because they're seen as soft targets:
“More and more smaller companies are being attacked by cyber criminals, yet many still hold the view that they are too small to be targeted."
"If they have any public profile – if they’ve been in the news, for instance - then they can be a soft target. They also might get targeted if they handle the intellectual property of big clients, for example, a creative agency working on a big account."
“This leaves small organisations vulnerable to a number of risks, including attacks, data loss, service disruptions and reputation damage. Just like larger enterprises, small businesses need visibility into the threats that face their organisation.”
Clearly, that begs the question: what should you do about it? Hopefully, you'll have got the basics right. You'll be protecting your network with a firewall, and each individual computer and server in your business will have its own firewall too.
But to really get a grip on your IT security, you need to spend a little time on security planning. The first stage is to identify your most valuable data, so you can find ways to protect it.
It's worth reading the full interview with Don to understand a bit more about the security issues your company could face. We also have some really useful information about putting a security plan together and assessing the risks your business faces.
With just a little preparation, you can reduce the chance of your business becoming another IT security statistic.
(Police lantern image: conner395 on Flickr.)
Sending sensitive information through email: most of us know it's a bad idea, yet we've all done it at some time or another. Whether it's providing the password to access a protected file or confirming your mother's maiden name, email often seems like the easiest option.
Yet email is inherently insecure. Not only can emails be intercepted as they travel through cyberspace, but if the recipient isn't strict about deleting messages, your information could sit in their inbox for months or years. If their account ever gets hacked, your data is in the hands of the bad guys. Email hacking happens a lot, so it is a real risk.
So, for this Donut tip of the week, we wanted to show you a handy online tool that lets you send sensitive information in a form that self-destructs once it's been read. Sort of like Mission: Impossible, only with fewer pyrotechnics.
To get started, hop on over to Oneshar.es. Then it's really easy to create your one-time message:
That's it! The link is served over SSL (HTTPS), so the message is encrypted between the service and your recipient's browser when the link is opened. Until then it sits on the service's servers, so you are trusting the operator with it; don't use a tool like this for anything you wouldn't be happy for a third party to hold.
Obviously, anyone with access to your link can click it to see the message - but as messages self-destruct once viewed, you don't have to worry about who sees the link once your recipient has used it. And if someone else opens it first, your recipient finds the message already gone, which at least tells you it was intercepted. Certainly, Oneshar.es deals with the problem of having important information sitting in inboxes.
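To show the mechanism rather than the particular website, here is an added example of a one-time secret store (my own code, not Oneshar.es's, whose internals the article doesn't describe). It goes one step beyond what the text says about relying on SSL: the encryption key travels in the '#' fragment of the link, which browsers never send to the server, so the service only ever holds ciphertext and even its operator can't read the message. The first read deletes the record, so a second click gets nothing. The host name example.invalid is a placeholder and the in-memory dictionary stands in for a database.

```python
import os
import secrets
from typing import Dict, Optional, Tuple

# Stand-in for the service's database: secret id -> ciphertext only.
_STORE: Dict[str, bytes] = {}
BASE_URL = "https://example.invalid/s/"   # placeholder host, not the real service


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def create_secret(message: str) -> str:
    """Store the message and return a one-time link. The key is a one-time pad
    (random, as long as the message, never reused) and rides in the fragment,
    which the browser keeps to itself, so the server sees ciphertext only."""
    plaintext = message.encode("utf-8")
    key = os.urandom(len(plaintext))
    secret_id = secrets.token_urlsafe(16)
    _STORE[secret_id] = _xor(plaintext, key)
    return f"{BASE_URL}{secret_id}#{key.hex()}"


def split_link(link: str) -> Tuple[str, bytes]:
    """Separate the id the server receives from the key that stays in the browser."""
    path, _, fragment = link.partition("#")
    return path.rsplit("/", 1)[-1], bytes.fromhex(fragment)


def read_secret(link: str) -> Optional[str]:
    """First caller gets the message and destroys it; everyone after gets None."""
    secret_id, key = split_link(link)
    ciphertext = _STORE.pop(secret_id, None)   # remove before decrypting: one read only
    if ciphertext is None or len(ciphertext) != len(key):
        return None
    return _xor(ciphertext, key).decode("utf-8")


def server_view(link: str) -> Optional[bytes]:
    """What the operator, or anyone who steals the database, can see for this link."""
    secret_id, _ = split_link(link)
    return _STORE.get(secret_id)


if __name__ == "__main__":
    link = create_secret("vault password: correct horse")   # constructed sample message
    print("stored on server:", server_view(link))
    print("first read:", read_secret(link))
    print("second read:", read_secret(link))
```

A one-time pad is the simplest correct choice here because the key is random, used once and never stored; a production service would use AES-GCM with a 256-bit key in the fragment to keep links short, and would delete the record with a single database operation so that two simultaneous readers can't both win.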
Now there's no excuse for putting your password in an email ever again.
Smart phone applications could pose a significant threat to your company’s IT system in terms of security, availability or mobile data costs if left unchecked.
In a worst-case scenario, valuable and sensitive data could be at risk if you allow employees to download and install apps at will to their personal and work devices.
While smart phone settings can vary from device to device, all potentially leave a company open to abuse. Every time you install an app, it's important to check what resources and data the app is requesting permission to use.
At some point, everyone has skipped through lengthy terms and conditions to save time. It's these terms and conditions which often explain what data the app will use and how it will use it - so not reading them could mean unwittingly giving an app control over sensitive data, or even the phone itself.
Although an app may appear to be a harmless game or a useful productivity tool, there is nothing to stop it from including code to send a text message, make a phone call or even read data stored on the phone and upload it to an external server.
To minimise these risks, your business and its employees should consider some simple steps:
How sure can you be that a company promoting an app has not included hidden features or a developer has not included some malicious code? Software vendors with a track record of delivering solutions to businesses generally have the development disciplines in place to protect you from these risks, so beware the unproven startup or one man band developer.
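Checking what an app asks for doesn't have to be guesswork. Here is an added example (my own code, not from the article or the author's company) that reviews the permission list from an Android app's manifest against what the app's stated purpose actually needs, and flags the combination described above: the app can read personal data and also talk to the internet. The manifest is a constructed one for a hypothetical torch app; inside a real APK the manifest is stored in binary form, so you would first extract the list with `aapt dump permissions app.apk` or decode it with apktool.

```python
import xml.etree.ElementTree as ET
from typing import List, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that cost you money or let the app act on your behalf.
ACTS_FOR_USER = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
}
# Permissions that read personal data off the phone.
READS_DATA = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
}
NETWORK = "android.permission.INTERNET"

# Constructed manifest for a hypothetical torch app that asks for far more than a torch needs.
TORCH_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Torch"/>
</manifest>
"""
TORCH_NEEDS = {"android.permission.CAMERA"}   # the flash LED is all a torch needs


def requested_permissions(manifest_xml: str) -> Set[str]:
    """Every permission the manifest declares with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def review(manifest_xml: str, expected: Set[str]) -> List[str]:
    """Flag permissions the app's purpose doesn't explain, permissions that act
    for the user, and the 'reads data + has internet' exfiltration combination."""
    perms = requested_permissions(manifest_xml)
    findings = [f"unexplained permission: {p}" for p in sorted(perms - expected)]
    for p in sorted(perms & ACTS_FOR_USER):
        findings.append(f"{p} lets the app send texts or place calls that you pay for")
    leaked = sorted(perms & READS_DATA)
    if leaked and NETWORK in perms:
        findings.append("reads " + ", ".join(leaked) + " and has INTERNET access: could upload that data")
    return findings


if __name__ == "__main__":
    for finding in review(TORCH_MANIFEST, TORCH_NEEDS):
        print("-", finding)
```

For the torch manifest the review produces five findings: three permissions a torch cannot justify, the SMS permission that can run up a bill, and the contacts-plus-internet pairing that makes silent upload possible. Run the same check with the full permission set as `expected` and the last two findings remain, because some permissions are worth questioning even when the app "needs" them.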
Smart phone apps are extremely attractive, but it’s important not to forget that under the veneer of simplicity, IT is extremely complex. Your systems can be manipulated by people who understand that complexity, if they are left unchecked.
Paul Ridden is Managing Director of Skillweb, a privately owned, UK based business that provides technology solutions designed to help organisations manage their mobile workforces and track the movement of their goods.
If you want to find a way to immediately annoy potential customers and drive visitors away from your website, look no further than the humble CAPTCHA.
We've written about these squint-worthy, hard-to-interpret messed-up bits of text before, but today I stumbled upon one that goes beyond a joke.
It popped up this morning on the Ticketmaster website. I had a fair stab at the image on the right side, but I still have no idea what's going on with the left image. Any ideas at all?
I'm convinced the days of the CAPTCHA are numbered. They're designed to stop automated 'bots' that fill in online forms: comment spam, bogus sign-ups and scripts that try password after password.
But really, unless you're running some sort of super high security website, they cause far more problems than they solve.
When you've taken time to create a nice clear website that makes it really easy for people to buy from you or send you a message, then making them fill in a CAPTCHA is like asking them to complete a fiendish puzzle before they can go any further.
Imagine what would happen if the local corner shop asked you to solve a Rubik's Cube before letting you buy a pint of milk. Wouldn't get much custom, would they?
When you use CAPTCHAs on your website, you risk having the same effect.
While the world's attention is diverted by a story involving a member of the Royal Family and partial nudity, don't let your guard down. Although the Duchess of Cambridge may be in the headlines today, there's a far more urgent threat to your IT systems out there: Emma Watson.
Security firm McAfee reckons the Harry Potter star is 2012's most dangerous celebrity. And it's not because she's particularly adept at hacking into Windows XP or an expert at guessing passwords (although who knows what damage a few well-placed spells could wreak?).
No, according to McAfee's research, anyone searching online using terms like 'Emma Watson and nude pictures' runs a high risk of landing on a dangerous website that's infected with malware. As the firm explains:
"McAfee research found that searching for the latest Emma Watson pictures and downloads yields more than a 12.6% chance of landing on a website that has tested positive for online threats, such as spyware, adware, spam, phishing, viruses and other malware."
Now, you might justifiably argue that anyone searching for things like that deserves everything they get from the web's seedy underbelly. But if they're doing it on work time, using your company computers, you should be worried.
Sure, you can discipline the employee responsible, but if your server's infected with a virus or a trojan has stolen your customer list then you'll have bigger problems to worry about than whether your staff member actually found what they were looking for.
Your company policies should - of course - make it clear that this sort of thing is not allowed, but that's not much use either once your computers are infected. And that's why every single PC in your company should have security software installed and up-to-date.
Packages like McAfee's own All Access software (£74.99) will guard against viruses, trojans and spyware, and show a warning screen when you try to visit a dodgy website. Alternatives include AVG Internet Security (£97.99) or Kaspersky's Small Office Security package (possibly best value of the lot because it covers five computers for £159.99).
While packages like these won't entirely guard against employee mistakes, stupidity or bad luck, they do provide a strong line of defence for your company. Even if you're not in the habit of searching for nude pictures of Harry Potter actors.
Image of Emma Watson: Flickr user david_shankbone under Creative Commons.
Hardly a week goes by without one company or another being hacked and user passwords being made public on the internet. Do we have any hope of keeping our passwords safe?
Actually we do have some hope, but we all have to play our part and choose strong passwords.
Hopefully, the websites we have online accounts with are doing their utmost to protect our personal information, and in particular our passwords. But even if they are, that’s not the end of the story as simple passwords can be cracked quite easily by hackers.
We need to do our bit by making sure we have strong passwords that are hard to crack. Here are five ways.
All you need to do is mix these up a bit to come up with a good password. For example:
Top tip: make sure you mix it up. The password Olympics1066 is not as strong as the others.
Lyric: She was more like a beauty queen from a movie scene
Name: Michael Jackson
Number: 1983 (Song released in this year)
Choose the first letter from the phrase and mix the initials and number in. For example:
Top tip: once you decide how you want to mix it up, stick with it. If the mixing it up part could confuse you then you could write down a memory jogger – read on to find out how.
Phrase: Just like that
Name: Tommy Cooper
Number: 1921 (his birth year)
You get the idea!
We all need help remembering things so why not write down something to help jog your memory? It is very unlikely that someone will be able to decipher a decent memory jogger, because you can write things down in a way that makes perfect sense to you but is useless to anyone else.
Let's take the Tommy Cooper example. You could have 'Tommy' written down in your address book, followed by a memory jogger, like this:
In this case the memory jogger stands for initial-date-phrase-date-initial
Using this would give a password of:
Remember that you really do need to change a password every so often - and straight away if a site you use announces a breach - because you can never be quite certain your password isn't already in the wrong hands. And don't use the same password on more than one site, or a single leak unlocks all of them.
The biggest problem most of us face is that we have so many online accounts that we forget what they are. Give yourself a fighting chance and keep a list somewhere. As you join new shopping sites, social sites and other sites, add them to the list. If you want to change a password, you will at least know where to look!
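As an added example (my own code, not from the article), here is the memory-jogger method above turned into a small program, using the page's Tommy Cooper ingredients and its 'initial-date-phrase-date-initial' jogger. The article's own worked passwords are not on this page, so the output here rests on one assumption, labelled in the code: each 'initial' in the jogger takes the next letter of the name's initials in turn. Two checks follow: one that spots the 'word then number' shape the Olympics1066 tip warns about, and one that generates the kind of fully random password a password manager would give you instead.

```python
import re
import secrets
import string
from typing import Set

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def acronym(phrase: str) -> str:
    """First letter of each word, case kept as written: 'Just like that' -> 'Jlt'."""
    return "".join(word[0] for word in phrase.split())


def initials(name: str) -> str:
    """Upper-case initials: 'Tommy Cooper' -> 'TC'."""
    return "".join(word[0].upper() for word in name.split())


def build_password(jogger: str, phrase: str, name: str, number: str) -> str:
    """Assemble a password from a jogger such as 'initial-date-phrase-date-initial'.
    Assumption (not stated on the page): each 'initial' token consumes the next
    initial of the name in order, wrapping round if there are more tokens than initials."""
    inits = initials(name)
    parts = {"phrase": acronym(phrase), "date": number}
    out, used = [], 0
    for token in jogger.split("-"):
        if token == "initial":
            out.append(inits[used % len(inits)])
            used += 1
        elif token in parts:
            out.append(parts[token])
        else:
            raise ValueError(f"unknown jogger token: {token}")
    return "".join(out)


def character_classes(password: str) -> Set[str]:
    """Which of lower, upper, digit and symbol the password actually uses."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


WORD_THEN_NUMBER = re.compile(r"^[A-Za-z]+\d+$")


def is_poorly_mixed(password: str) -> bool:
    """The 'Olympics1066' shape: a word followed by a number, which guessing tools try early."""
    return bool(WORD_THEN_NUMBER.match(password))


def random_password(length: int = 16) -> str:
    """What a password manager generates: independent random characters,
    guaranteed to include at least one of each class."""
    if length < 4:
        raise ValueError("need room for one character of each class")
    groups = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    chars = [secrets.choice(g) for g in groups]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    pw = build_password("initial-date-phrase-date-initial", "Just like that", "Tommy Cooper", "1921")
    print(pw, sorted(character_classes(pw)), "poorly mixed:", is_poorly_mixed(pw))
    print("Olympics1066", "poorly mixed:", is_poorly_mixed("Olympics1066"))
    print("random:", random_password())
```

The jogger password comes out as T1921Jlt1921C: thirteen characters in three classes, and not a word-plus-number. It is still built from a famous catchphrase and a public date, which is why a random one from a password manager remains the stronger choice when you don't need to memorise it.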
Who poses the biggest threat to your company data? You've probably thought about external security threats, but have you stopped to consider the damage your employees could do?
Information risk management specialist Ascentor reckons nearly 15.9m people are ready to damage their employer's business, and says over two million already have. These statistics and more are summarised in this infographic, and you can see the full version over on the Ascentor website.
Not even emptying your computer's recycle bin guarantees your files are gone for good.
Although you can't see or open them on your desktop, the information is still there on your computer's hard drive, which makes it relatively easy to recover if you know what you're doing.
Obviously, that's good if you delete something by accident. But it's very bad if you're trying to delete sensitive information, like financial details or personal information. If your computer falls into the wrong hands, so could your data.
Thankfully, it's easy enough to scrub data off your hard disk for good. Here are three options for you to consider:
Of course, if you can't be bothered with all that and you don't need to keep your computer in working order, there's an option that's much more fun. Unplug your computer, rip out the hard drive and drill some holes in it. Satisfying.
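For anyone who does want to keep the computer working, here is an added example (my own code, not one of the article's tools) of what a secure-delete utility does under the hood: overwrite the file's contents with random data, force each pass to disk, rename the file so the original name leaves the directory, then unlink it. The sample "sensitive" content is constructed. On Linux, `shred -u` does the same job from the command line.

```python
import os
import secrets
import tempfile
from typing import Tuple


def overwrite_and_delete(path: str, passes: int = 3, chunk: int = 64 * 1024) -> int:
    """Overwrite the file's contents with random bytes `passes` times, flush each
    pass to disk, rename it to hide the original name, then unlink it.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # force the overwrite out of the cache onto the disk
    # The directory entry still carries the file's name; replace it with a random one first.
    anonymous = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.replace(path, anonymous)
    os.unlink(anonymous)
    return size


def demo() -> Tuple[int, bool]:
    """Create a throwaway file with constructed 'sensitive' content, scrub it,
    and report (bytes overwritten, whether the file still exists)."""
    fd, path = tempfile.mkstemp(prefix="payroll-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"account 12345678 sort 12-34-56")   # constructed sample data
    overwritten = overwrite_and_delete(path)
    return overwritten, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. Overwriting only reaches the blocks the file currently occupies: journaling filesystems, SSD wear levelling, snapshots and backups can all keep older copies you never touch. That is why full-disk encryption from day one, with the key destroyed when the machine is retired, is the dependable option, and why the drill remains a respectable last resort.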
Smart phones are portable and valuable, making them prime targets for theft. Some reports suggest that 20,000 mobile phones are lost or stolen in the UK every day. And with the Olympics expected to attract extra opportunistic thieves, now's not a bad time to give your smart phone security the once-over.
Quite apart from the cost of replacing a phone (Apple's top-of-the-range iPhone costs £700!), you need to think about the value of the data stored on it too. All those contact details, emails, files, photos ... could you afford to lose them? That's why this Friday, we have three crucial security tips every smart phone owner should follow:
Most smart phones come with software to copy data to your computer, creating a backup of everything on your phone in case it gets lost or stolen. iPhone users will be familiar with iTunes. Android handsets usually come with something similar, like Samsung's Kies software.
Be careful though - if you keep your phone and laptop in a bag which gets stolen, you could lose your backup too. Perhaps it's better to back the data up online. Again, most smart phones offer this option: Apple has iCloud, and MyBackup Pro is a good option for Android phones. If you use a BlackBerry, check out the BlackBerry Protect app.
Keylock is the first line of defence when a thief gets their hands on your phone. It prevents them from accessing any of the phone's functions without entering a PIN code or drawing a certain pattern on the screen.
Every smart phone offers a keylock and you should definitely use it. Many handsets also have an auto-erase option, which wipes everything from the phone if an incorrect PIN is entered too many times.
Mobile apps can help you fight back against mobile phone thieves. GPS functions can pinpoint where a stolen phone is. And - as news stories show - the police are becoming increasingly switched on about how to use these tools to recover stolen property.
The best-known is Apple's Find my iPhone. But other platforms are catered for too. Windows Phone handsets have tracking functions built in. Android users can try Plan B, and BlackBerry Protect includes tracking functions too.
Some tracking tools let you remotely wipe the phone too, but the key is to install one now. Because once your phone's gone, it's too late to do anything about it!
Image: Flickr user JAK SIE MASZ.