A typical comment I hear is: “Who would be interested in hacking us? We’re not a big multinational.”
The world of “hacking” has changed: once upon a time, there was a perception – perhaps correct – that “hacking” was the preserve of tech-savvy youngsters out for a thrill and to prove they could get past security. Today, the reality is that the greatest threat to your network is from (mostly) automated systems trying to steal information from you because it’s valuable: your credit card details and those of your clients, your internet banking details, your database of email addresses.
What changed? Automation, fast programming techniques and very cheap devices that have given widespread access to the Internet to millions of people worldwide. Today, just about every corner store will let you pay by credit card – with an Internet-connected POS system – and most homes in Australia have an Internet connection. The Australian Bureau of Statistics reports there were 10.9 million Internet subscribers (not counting mobile phones) by June 2011 – growing by nearly 15% per year.
That’s a lot of Internet traffic and a goldmine for fraud. Why? They are all potential clients for viruses, trojans and phishing scams. Statistics consistently cite massive numbers of infected PCs around the world: here is one from ZDNet reporting 48% of scanned PCs infected with malware. Taken alone, I as an individual am not a significant target, and probably nobody is particularly interested in my data. But as one victim in a group of one million, I’m a worthwhile addition because my credit card details are saleable, and my computer can be used as part of a network seeking to gather data from other victims.
If you connect to the Internet, you need to be aware of the risks and take basic precautions. And just as you take out insurance against property loss or damage, you equally need insurance for your network. Not because you are a high-profile target, but just because you are exposed.
Take Steps to Protect Yourself
Security does not have to be expensive: most breaches could be avoided by taking some simple, low-cost precautions. Here is a summary of the top five threats:
1. Poor security including default passwords or no passwords being used.
Incredibly, this one is the most common cause of security breaches for businesses. The scenario goes like this:
– The business has a router which has never had the default password changed on it.
– The server on the LAN has an easily guessed password and a default administrator account.
– The POS system has never been updated for security fixes.
This system is a prime target: it doesn’t need the personal attention of a “hacker”. Automated systems are constantly sniffing for connected systems with default passwords – this one would be found within days, probably within minutes. The automated system hacks in, easily gains access to the unpatched POS system and steals the list of credit card details from it. Nobody even notices until the bank works out that the pattern of fraudulent credit card transactions points back to this business as the common factor.
In a similar scenario, a large retailer lost millions of customers’ credit card details because their wireless network at head office had default or no security.
2. Malware – malicious code.
There are still a lot of viruses out there whose sole purpose is to disrupt and damage systems. However, there are far more of the trojan variety of malware, where the sole purpose is to make money. Typical operations include:
– Inspect your computer and watch what you do to collect personal data from your system.
– Take over your Internet banking session to steal from you while you are logged on.
– Fool you into providing details by pretending to be a legitimate site.
– Use your computer to send out spam or trojans to people on your address list, or as part of a relay.
To make sure this doesn’t happen to you, install and use anti-virus programs, anti-spyware programs, and firewalls on all computers in your business. Moreover, ensure that all computer software is up-to-date and contains the most recent patches (i.e., operating system, anti-virus, anti-spyware, anti-adware, firewall and office automation software).
3. Lost, stolen, or otherwise compromised mobile devices.
Still the most common security breach: last year millions of laptops were stolen – the majority from offices – and nearly all were never recovered. The Australian Institute of Company Directors lost one containing personal details of thousands of their high-profile members (encrypted). A South Australian local government councillor lost one with personal details of a bunch of constituents (not encrypted). The FBI, NSW Police, NSW Health Dept…. What can you do?
– Encrypt data.
– Use tracking software that can help find the laptop and/or wipe it.
– Don’t make it easy for a thief to steal your laptop – never leave laptops unattended or easy to steal. This includes at conferences, hotels, in the office or in transit.
We use an agent on all our clients’ laptops that allows us to track them and remotely wipe them wherever they are in the world. This applies also to mobile phones. If you think ahead and have the systems, procedures and software in place before the device is stolen, you can save yourself a lot of worry – it’s insurance: you hope you never have to use it, but make sure it’s in place just in case.
4. Social engineering – including “phishing” scams
One of our clients got a call from “Microsoft” saying the user’s PC was logged as being infected with a virus. He believed the caller, went to the site he was directed to, and downloaded and installed a “cleaning tool”. Of course it wasn’t a cleaning tool: it was a scam to get a piece of malware installed, and it resulted in the client having to have his PC completely reinstalled. Most scams don’t have this personal touch, but they are ubiquitous:
– Links that apparently come from Facebook friends.
– Links to seemingly harmless updates for utilities such as Adobe Flash.
– Prompts to go to your “bank” site to update your account details.
– Ads on trusted sites that have been hacked and are now links to malware install programs – click it and you are done for.
5. Inside job: a former or disgruntled employee.
The insider has the best opportunity to do damage to systems and data. An employee at a web design company leaves to work for a competitor. Before he leaves, he takes a copy of the former employer’s contact database, sets of designs and other IP. The new company gets a bonus. How do you stop this? Divide and conquer is the best catch cry. Many companies we audit have all the corporate data accessible to all the employees: it’s easier and quicker to get stuff done if everyone can access everything. But it’s a goldmine for anyone with fraud in mind. Giving everyone administrator access might save time on initial setup, but it almost always leads to problems later.
– Limit access so that no one employee can get everything. This means setting up your network properly.
– Separate duties: this concept is well understood in accounting practice – the same person shouldn’t make payments and raise invoices. The same concept applies to other critical business functions. Divide tasks so that it’s not easy for one person to make changes without someone else’s input.
– Don’t take the easy way out with authentication: passwords should be complex so they can’t be guessed, and they should be changed regularly.
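The first two points above (no one employee can get everything, and the same person shouldn’t make payments and raise invoices) can be checked against a list of who has access to what. The following is an added example, not part of the original article; the account names, resource names and the conflict rule are constructed for illustration.

```python
# Constructed sample data: which staff account can reach which business resource.
ACCESS = {
    "alice": {"contacts_db", "design_files", "invoicing", "payments"},
    "bob": {"design_files"},
    "carol": {"contacts_db", "invoicing"},
    "erin": {"invoicing", "payments"},
}

# Assumed policy: duties that one person should not hold together.
CONFLICTS = [("invoicing", "payments")]


def audit(access, conflicts):
    """Return (user, finding, resources) tuples for accounts that break the rules."""
    all_resources = set().union(*access.values())
    findings = []
    for user in sorted(access):
        held = access[user]
        # One account that reaches every resource can walk out with everything.
        if held >= all_resources:
            findings.append((user, "full-access", sorted(held)))
        # Separation of duties: flag anyone holding both halves of a conflicting pair.
        for first, second in conflicts:
            if first in held and second in held:
                findings.append((user, "duty-conflict", [first, second]))
    return findings


if __name__ == "__main__":
    for user, finding, resources in audit(ACCESS, CONFLICTS):
        print(f"{user}: {finding}: {', '.join(resources)}")
```

In practice the access map would be exported from the file server or directory service rather than typed in by hand.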
We offer a range of audit and consultation services to help you align your IT to your business needs. Right now we are offering a free 1 hour consultation. Call us to book a time.