Don’t bury your head in the cyber-sand
Hacking, online security breaches, phishing, cloning – call it what you will, but computer security is a real problem that’s becoming not only more acute, but something that now affects all businesses.
Consider the unfortunate situation that Oxford-based Popham Hairdressing found itself facing in 2013. A small two-salon firm, it suffered at the hands of an overseas cyber-attacker who infected and locked down the firm’s eight computers and demanded a payment of £5,000 per computer. Popham didn’t and couldn’t pay, and the attacker made good on his threat. Some data was recovered, but not before much disruption and cost, which the firm estimates as being in the region of £8,000. Popham’s mistake was not only to leave its computers on over a weekend, but also to fail to protect the equipment adequately.
Think that this couldn’t happen in dentistry? Think again. Bloomberg ran a report at the end of August which detailed how a dental practice in the US found that Eastern European hackers had remotely loaded software on to its computers that sought out dental X-rays and then encrypted them. The hackers demanded $500 in Bitcoin to unlock the X-ray files, a sum which increased by $500 for each day the ‘bill’ went unpaid.
At the other end of the spectrum, 2011 saw Sony’s PlayStation network hacked, compromising the personal details of up to 100 million customers. The costs to Sony were around $171m. Those same hackers also targeted NHS systems.
And the problems are only set to increase. A Sky News report in 2013 outlined the results of the government’s Information Security Breaches Survey, which showed that 87% of small firms (up 10% on the year) experienced a breach of some kind, while 93% of large firms had been targeted. In some cases, the damage caused by the intrusion cost more than £1m, but for small firms the average cost ranged from £35,000 to £65,000.
Interestingly, 36% of the worst security breaches were caused by inadvertent human error while 57% of small businesses suffered staff-related security breaches.
Joe Ross, writing on the Huffington Post said, ‘Cyber security can be overwhelming and when you have to worry about all other aspects of running your businesses, it is often overlooked. Yet there are many things a small business owner can do to protect their information that don’t take a lot of time, money or manpower.’
The problem is that technology has evolved to a point where many small businesses now use online (cloud-based) applications to store and share company data. They have employees bringing in, and storing information on, their personal devices. There has been a complete assimilation of social networks into almost everything – employees and customers are sharing more information than ever online and with a worldwide audience. These practices are making small businesses more susceptible to data loss and breach. Just look at the use of Facebook and Twitter to promote businesses; the likes of Dropbox and SkyDrive to transmit files around the globe almost instantly; and the ubiquity of smartphones that can surreptitiously take images of sensitive information.
So, putting the worrying background to one side, what should practices be doing to protect themselves? The first thing to realise is that technology users can never be totally safe. The best that they can do is minimise the risk of attack. Users should never be so naïve as to think that they are invulnerable.
The next step is to understand exactly what is at risk, ie your data and IT equipment. Just think of what you hold and use – employee and patient information, payroll data, banking credentials, pricing and performance information and so on. In terms of equipment think of the computers, web-connected printers, your telephony systems and broadband and data backup systems.
It’s important to realise that the threats are not just external (as in career criminals), they can be competitors or former and current employees. And remember that cyber-attack doesn’t necessarily mean attack by a rogue gang armed with banks of computers; it can boil down to an employee who abuses a computer system for their own benefit.
By way of example, a small family-run publishing house in Sussex suffered a £210,000 loss perpetrated by its bookkeeper, who had access to the accounts system. But other forms of attack include the blatant theft of equipment (laptops, smartphones and memory sticks); remotely conducted attacks on your systems; and attacks on systems belonging to others linked to you – say, cloud storage.
Plan for an attack
Before any steps can be taken to reduce the risks, you need to assess the state of your practice in terms of your present security measures. You need to detail your records, where they’re stored and how they’re protected right now and at the same time, what equipment you use and which companies provide critical services to the firm. Are there alternatives in case of disaster? For example, if your computers were taken hostage by an intruder, how would you work or recover the records?
How well are your staff briefed on security? Are they lax when choosing passwords? Are they aware of how important it is not to discuss sensitive information with third parties? Do you change passwords when staff leave? Are you really as IT literate as you think you are? No matter how good your knowledge might be, there will be someone out there who knows more than you. For this reason, it’s important to have the backup of a good IT support company that you can trust to implement good IT security for your systems. An expense, yes, but put it in the context of insurance – the premium may be a pain, but it’ll cost much less than any claim you may make.
Once your thoughts have been codified comes the practical implementation of a new security plan. Controlling access to your network is the first line of defence. This means turning on the firewalls on your computers and the network devices you employ. At the same time, take care of your wireless networks by enabling the strongest encryption the network allows, engaging MAC address filtering and turning off SSID broadcasting. In simple terms, the encryption is akin to a lock on your front door; the MAC address list can be likened to an approved guest list; and the SSID is the name the device broadcasts to other network devices. Sometimes the default SSID is the product name, which tells anyone listening exactly what make of router you use and so makes it easier to attack.
Next you need good anti-virus software on all computers – PCs and, to a lesser extent, Apple Macs. As one unnamed Oxfordshire NHS surgery recently found, once a virus is loaded on to one networked computer, it can quickly propagate around the whole network, causing pandemonium. It was, in this instance, believed that one or two members of staff were visiting websites that they really ought not to have been. The lesson? Lock down computers to allow certain acceptable sites and no more. At the same time, ensure that all computers are regularly updated so that software patches are applied.
Part of the solution is also to educate employees (and write policies) on what they can and cannot do with a computer and on the best practices of data security (and passwords). Also consider those who work offsite and the devices they use. The National Cyber Security Alliance in the US – www.staysafeonline.org – has materials and information on employee education that may help. The advice on email is to be careful about what is opened and the links that may be offered. The best phishing scams replicate legitimate organisations and seek information that can be used to log on to accounts without the need to hack. At the same time, don’t let web browsers store passwords – enter them manually each time – and also look for ‘https’ in the web browser address of any organisation you are logging into, as a sign that the connection to the site is encrypted.
Secure the equipment. This means logging all the equipment that you possess, the software (and licences) used and, most importantly, the passwords for individuals and for administrators. The passwords need to be changed regularly and whenever someone leaves. At the same time, restrict the use of recordable media such as CDs, DVDs, USB memory sticks and external hard drives. This not only makes it that much harder for anyone to take data off the premises but also reduces the risk of losing data.
Monitor everything. There’s precious little point in setting up control systems for your IT if you don’t monitor what’s going on. So collect activity logs and make sure that you have the ability to find unauthorised usage. At the most basic of levels, broadband routers can easily be set to automatically report any third-party attempts at intrusion. By extension, manage user rights for systems and control access to sensitive equipment and data. Again, at the most basic of levels, ensure that everyday user accounts on computers don’t have administrator rights, which would allow users (or hackers) to easily change system settings or load unauthorised software.
Many businesses don’t fully appreciate that third parties they engage can introduce risk. If, for example, you plan to store information offsite and online – in the cloud – you need to ensure that the third party is both reputable and reliable. Allied to this, if online systems allow employees access to sensitive information, see if the third party offers two-factor authentication.
Only collect and store data that you need. The Data Protection Act 1998 already makes this quite clear, but in simple terms, one way to limit the risk of breach is to simply not collect and store information beyond what is absolutely necessary.
Invest in regular credit report checks, looking for unauthorised activity or an unexpected drop in credit rating. These can be signs that your systems have been compromised. The credit reference agencies (www.bipa.uk.com) provide various products to alert subscribers to suspicious activity.
Lastly, and most importantly, create a disaster recovery plan and test it. Don’t wait until it’s too late.
What can go wrong?
Clearly the risk of burying your head in the sand is grave. While some firms may be lucky enough never to be the victim of an attack, the consequences of being selected cannot be ignored. Apart from the financial loss and the chaos following an intrusion, the public vilification and loss of client confidence that firms face following an attack must surely be a call to action. In July 2013, the kitchenware retailer Lakeland was forced to publicly admit that its password system had been hacked and that customer accounts could be at risk. Don’t put yourself in the same situation.
Adam Bernstein is a freelance author who specialises in feature editorials for business to business publications.