Tony Dyhouse explains why small business owners need to take IT security more seriously, and how to protect their technology systems without breaking the bank.
Losing thousands of confidential records at great cost is often seen as something that happens to huge corporations or government departments, but such problems occur just as frequently in small businesses. A recent Symantec survey in the US found 42% of SMEs had lost confidential information, all of whom had direct losses or costs as a result. This can be devastating to small companies, which may not have cash reserves to deal with these problems.
The best defense is protection, but that too can seem like the preserve of big business. Information security professionals are expensive, and security software seems to advance faster than someone trying to run a business can keep up with.
Most security, however, is down to good practice and simple precautions. With basic understanding of the threats and how to avoid them, the risk of serious data breaches can be greatly reduced with very little expense.
What are the threats?
The biggest threat to businesses today is data theft. Companies hold sensitive information such as financial details or personal information about customers, which could be exploited by competitors or criminals. Loss of this data can result in fines of up to £500,000 from the Information Commissioner's Office, blackmail, compensation costs running into millions, and irreparable reputational damage.
Data is lost in a variety of ways, and is often down to those trusted with it. Leaving a USB stick or laptop in a public place is still surprisingly common, as is the sale of old hard drives that haven't been securely wiped. Companies have also suffered from former employees with live accounts using client lists to gain a competitive advantage in their new role.
Data is also compromised through deliberate attacks. One of the oldest, yet still most effective, methods is the phishing attack. In its simplest form, criminals email or telephone employees claiming to be a legitimate company. They request passwords or personal details which are used to obtain customer or financial information, or sold on to criminals or competitors.
In a more sophisticated form, the recipient of an email is enticed to click a link to stop an account being closed or something similar. The reasons given are numerous but all designed to get you to click a link which downloads malicious software.
Once a machine is compromised it may become part of a botnet, a collection of many machines which have been compromised. The malicious code sits hidden on each, looking for useful information such as bank details or passwords and sending it to criminal networks. The machines can also be instructed remotely to perform operations such as sending out more such emails, growing the botnet. This can result in clients receiving unsolicited and infected emails, apparently from you, damaging the relationship and in the worst case implicating you in criminal activity.
Other threats include viruses and adware. Viruses are less popular than they used to be as they don't make money for criminals, but they still exist and can be very damaging if they find their way onto the computer. Adware is usually not malicious, but can use vital processing power and mean constant annoying pop-ups. Like botnets, viruses and adware find their way onto computers via suspect sites, files, and emails.
How to stay safe
One of the legacies of early viruses which caused havoc is that people think they will know as soon as their computer is compromised. This is far from the case. Criminals today pride themselves on being able to acquire vast amounts of personal data without users being any the wiser.
Anti-virus software remains a must, but beyond that awareness and vigilance are key. You don't need to be a security expert, but by understanding the basics of these threats you can mitigate them by formulating a security policy and rolling it out to everyone, ensuring staff understand the risks and appreciate the value of data.
A good security policy should include the following:
- Anti-virus software and a firewall installed, switched on and regularly updated.
- Use of the latest web browser, preferably with ActiveX and JavaScript disabled.
- Passwords changed regularly rather than rotated through the same few old ones. Different passwords used for different accounts, each over eight characters and using a mix of cases and character types.
- Advice on what constitutes a suspicious email. This should extend to informing your own customers that you would never request their personal information via email.
- Only absolutely necessary data stored on portable devices, and deleted once it is no longer needed. Where it is of a sensitive or financial nature, it must be encrypted and password protected.
- Old hard drives and data storage devices wiped and safely disposed of. Guidance on how data deletion and device disposal should be carried out should also be available to staff.
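The password point in the list above is the one item that can be checked mechanically. The following is an added example, not code from the article or from any product it mentions: a small policy checker that enforces the stated rules and refuses a password that merely rotates back to one the account used before. The thresholds are assumptions made for the illustration (the article's "over eight characters" is read as a minimum of nine, "different characters" as at least one digit or symbol), and the password history is a constructed sample kept as salted PBKDF2 hashes so that old passwords are never stored in clear.

```python
"""Password policy check: an added illustration of the policy item above.

Assumptions (not from the article):
  - "over eight characters" means a minimum length of 9
  - "different cases and characters" means at least one lowercase letter,
    one uppercase letter and one digit or symbol
  - "not rotated" means the new password must not match any password
    previously used on the same account
"""

import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_LENGTH = 9            # assumption: "over eight characters"
PBKDF2_ROUNDS = 100_000   # work factor for the stored history hashes


def check_password_policy(password: str) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("must be longer than eight characters")
    if not any(c.islower() for c in password):
        problems.append("needs at least one lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("needs at least one uppercase letter")
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("needs at least one digit or symbol")
    return problems


def hash_for_history(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of a password, so the history never holds plaintext.

    A fresh random salt is drawn when none is supplied; the same salt is passed
    back in when an old entry has to be compared against a new candidate.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused_from_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any (salt, digest) pair already on record."""
    for salt, digest in history:
        _, candidate = hash_for_history(password, salt)
        # constant-time comparison so timing does not leak how close a guess was
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate_change(new_password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Combine the complexity rules with the no-rotation rule for one account."""
    problems = check_password_policy(new_password)
    if reused_from_history(new_password, history):
        problems.append("must not be a previously used password (no rotating back to old ones)")
    return problems


if __name__ == "__main__":
    # constructed sample history for one account: two earlier passwords, hashed
    sample_history = [hash_for_history("Winter2020!"), hash_for_history("Spring2021!")]
    for candidate in ["short", "Winter2020!", "Correct-Horse-9"]:
        issues = evaluate_change(candidate, sample_history)
        print(f"{candidate!r}: {'OK' if not issues else '; '.join(issues)}")
```

Keeping the history as salted hashes rather than plaintext matters: a list of every password an account has ever used is exactly the kind of record the article warns about losing, and the check works just as well against hashes.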
A senior member of staff needs to assess the risk and develop a plan to address security accordingly. This should be communicated to everyone and included as part of staff inductions.
This does not mean every business should become Fort Knox, but businesses need to take a practical and proportionate approach. In most cases common sense will be enough, but where there is a duty to safeguard the data, more serious security measures must be taken.
Small businesses have faced fines and costs because of data loss, and some have even gone under through losing their customers’ trust. Security is not always the first consideration of small businesses, but it is something where a little thought early on can save the business down the line. It is far better to spend a bit of time developing a security policy, than waiting until you suffer a data breach and having to deal with the consequences.