Blog posts tagged IT security

Do your ex-employees keep logging in?

When an employee leaves your businesses, are you letting them walk out with access to valuable company data?

According to the 2014 Intermedia SMB Rogue Access Study, 89% of employees who leave a company retain access to business or cloud applications like Salesforce, PayPal, email and SharePoint.

That’s a scary figure. We’ve written a lot about IT security lately, but statistics like this make us think that this level of coverage is warranted.

When a member of staff leaves your business, you must have a way to revoke their access to all your resources. Failure to do so just invites disaster.

Ex-employees are actually signing in

Of those people questioned for the research, 49% had actually signed in to an ex-employer’s account, despite having left the company.

Most of these people probably act out of curiosity, rather than malice. But they still have access to apps that may contain important company data.

A minority will almost certainly be intending to do harm to their former employers. It only takes one person to cause you all sorts of problems.

You could be looking at hefty reputational damage, a loss of competitive advantage — or even a big fine from the Information Commissioner.

Security begins at work

“Most small businesses think ‘IT security’ applies only to big businesses battling foreign hackers,” says Michael Gold, president of Intermedia.

“This report should shock smaller businesses into realising that they need to protect their leads databases, financial information and social reputation from human error as well as from malicious activity.”

You can start by putting some proper procedures in place to control and revoke access when employees leave your company. These are some good starter tips:

• Record who has access to what. You can’t be sure you’ve revoked everything unless you know what each employee can access. If you rely on apps with separate usernames and passwords, it’s particularly important to keep an up-to-date list of who has access to what.
• Don’t share usernames and passwords. Some cloud services charge extra for each user, so it’s tempting to have one generic username and give everyone access. Bad idea: every employee who leaves will know the username and password.
• Have an ‘offboarding’ process. You probably have a standard procedure for when people join your company. But do you have a similar set of steps to follow when someone leaves? If not, it might be an idea to put a checklist together.

It can be trickier than you might expect to get a handle on who has access to what in your business. However, once you do so, you can be more confident of retaining control over your most important data.

• Download our sample data protection policy
• Don’t panic, but 23% of your staff are stealing from you
• The ABC of business IT security

Business questions from the celebrity iCloud hack

Copyright: s_bukley

You can’t have missed last week’s news that hackers gained access to intimate photos belonging to celebrities, including Jennifer Lawrence (pictured).

The story has raised important questions about what data individuals store in the cloud. Many of those questions have implications for businesses too.

After all, cloud services play a pivotal role in many companies. They’re used for all kinds of tasks, from backing up data and sharing files to enabling remote working and reducing the need for expensive in-house equipment.

The cloud certainly has significant advantages, and it’s here to stay. There’s a strong argument that overall, the security risks of using the cloud are lower than storing data in your own business. 

But with cloud technology still developing, could this breach be the spark that forces cloud providers and their users to confront some key questions?

1. What’s your weakest link?

Although full details of the iCloud breach have yet to emerge, it seems likely the celebrities were victims of some kind of brute force or social engineering scam.

This means hackers used techniques to work out log in details, rather than exploiting a technical breach.

With cloud security, much of the focus is on measures systems like firewalls and backups. However, if all that stands between a hacker and your data is an easy-to-guess password (like ‘password’, ‘123456’, or your company name), that’s how criminals are most likely to access your data.

Our advice:

Strong passwords are important, and you should really combine them with two-factor authentication to up the security on your cloud accounts.

The biggest problem with strong passwords is that they’re a nightmare to remember. We recommend using password management software, like 1Password or LastPass.

2. Do you understand your cloud service?

An interesting piece from Wired argues that we’ll all benefit if some of the affected celebrities try to sue Apple over this case.

I won’t go into all the arguments, but one key point is we often start using cloud services without completely understanding what we’re getting into.

For example, Apple’s iCloud terms of service are over 8,000 words long. When you sign up, you agree to them, almost certainly without having read them.

As we use these services to store and share sensitive information, perhaps providers should make more of an effort to really communicate what they do to protect our data, and what we need to do, too.

Our advice:

If you don’t understand what a cloud service is going to do with your data, do further research before signing up. A local IT supplier might be able to help.

Don’t commit everything to begin with, either. Start by moving non-critical data to the cloud. You can shift more of your business across as you gain confidence.

3. Who can you talk to?

If you’re an A-lister, you can guarantee you’ll get attention when your cloud services get hacked.

But if you’re an ordinary business just trying to get on with work, are you confident you’ll get a response from your provider when something goes wrong?

Services like Apple’s iCloud and Google Apps are designed to be automated. You can sign up and start using them without having to speak to anyone.

Most of the time, they work flawlessly. But if something goes wrong and you can’t figure it out yourself, it can be hard to find someone to help with the problem.

Our advice:

Look for cloud providers that offer comprehensive support and have a good reputation. Search online for reviews and make sure they’re well established.

Often, a local IT supplier can help you find the most appropriate cloud services as well as providing support and help when you need it.

Blog by John McGarvey, editor of the IT Donut.

• Q&A: cloud computing security
• Five ways to prepare for the cloud
• Should you host in the cloud or on the premises?

Will wearable tech be big in 2014?

I met a bloke wearing Google Glass a couple of weeks ago. The opportunity for conversation was brief, as I was on the down escalator in a tube station, but I managed to ask how he was finding it.

“It’s switched off at the moment,” was his initial response, “but it’s really useful when it’s turned on.” He then veered off towards his platform, so I didn’t get the chance to ask him to expand on this insightful evaluation of Google’s headline-grabbing smart glasses.

It’s becoming normal

The encounter got me thinking though: a year ago, if I’d seen someone wearing glasses that can understand speech, give directions and record video, I would have been astounded. But 12 months later my reaction was simply mild surprise.

It just goes to show how quickly things change. It made me wonder what wearable technology holds for us in 2014 — and what opportunities this emerging sector will bring for business.

Wearable tech is on the way

Wearable technology is about much more than Google Glass. While these smart glasses have caused controversy and excitement, other wearable tech already available includes:

• Fitbit, a wireless tracking device that measures how active you are and encourages you to do more exercise.
• Jawbone UP, a similar device that tracks how you sleep, exercise and eat.
• Samsung’s Galaxy Gear, a ‘smart watch’ that lets you make phone calls and send texts.

But that’s just the tip of the iceberg. Gadgets proposed or under development include clothing that connects to your Facebook account, a ring that acts as your bus pass and a nappy that monitors the health of your baby.

Wearable tech and your business

Quite simply, we’re going to see a wave of wearable devices hit the market in 2014. Some will succeed. Many won’t.

But it seems obvious that wearable technology will bring advantages and opportunities for businesses. For instance, it’s not hard to see how something like Google Glass could be useful in a warehouse or factory environment.

Some firms will be keen to develop wearable tech themselves. Others will rush to release apps that work with gadgets produced by other companies.

It’s early days, but if you’re interested in learning more about wearable technology then you could do worse than head to the Olympia Conference Centre in London next March. That’s when the UK’s first wearable technology show will take place — and a great chance for you to see what’s coming in this new sector.

• ‘Ok Glass, let’s revitalised the High Street’
• Are we using technology, or is it using us?
• What’s next after tablet computers?

Image of Google Glass via Flickr user Ted Eytan, under Creative Commons.

How to organise your email archive

Companies are creating and keeping more data than ever — and some businesses are getting excited about what they can use all this ‘big data’ for.

Yet the reality for many companies is that the data explosion actually equals data frustration. For all but the most disturbingly-organised individuals, essential documents are hard to locate. Files get saved in the wrong folder — and email is often the most-disorganised data of all.

Organising 12,000 emails a year

If you work in a typical office, there’s a good chance you use Microsoft Outlook to send and receive email. If you receive 50 emails a day, that’s over 12,000 emails hitting your inbox in a year.

If you decide to archive them all (after all, who knows when you might need a particular email in the future?) then finding a specific email soon becomes hard work.

In this sort of situation, the only option is to undertake an email search. And then wait. With email folders — especially the sent folder — extending into the tens or hundreds of thousands of emails, the standard Outlook search process is inadequate.

Outlook search is broken

In addition to being incredibly slow, the way Outlook works makes it difficult to find any email if you can’t remember the entire recipient list — which is hardly helpful.

It’s not uncommon for it to take over 15 minutes to find an email. Sometimes you’ll fail completely and give the whole thing up as a bad job. What a ridiculous waste of what should be highly productive time.

The problem is that even if you have a proper email archive system in place, most of these solutions are about storage, not retrieval.

Yet in a world of exploding data, effective information retrieval is an essential business tool. Most email users would bite your hand off for fast, guaranteed access to email, like a Google-style keyword search that rapidly locates the right information.

Email archive + keyword search

By combining an archive of every email sent and received with keyword search, you get a faster way to locate messages and documents that have been misfiled.

With the right approach, there is no need for big data to constrain your productivity. You can keep all your emails and find the one you’re looking for, when you need it — enabling you to be more productive.

Blog by Andrew Millington of Exclaimer

• Why you need to archive your email
• Coping with increased data storage needs
• Keeping your data safe

Who's been reading your email?

Think your email is safe and private? Think again. Most emails sent over the internet travel in plain, unencrypted form. That means anyone who knows where to look could theoretically intercept and read your most private missives.

So, who could be reading your email?

Google, for a start

Google has revealed that it does scan the emails that pass through its Google Mail service. The tech giant has has stated this in submissions aiming to dismiss a class action lawsuit that accuses it of breaking wiretap laws.

Its position regarding the reading of our emails goes like this:

"Just as a sender of a letter to a business colleague cannot be surprised that the recipient's assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient's ECS (electronic communications service) provider in the course of delivery."

This analogy fails to acknowledge the fact that when an assistant opens their boss’s mail they do so with agreed or implicit prior consent and they are subject to confidentiality agreements.

I have always maintained that writing to someone via email is akin to sending a postcard. The content of the email, just like a postcard, can be read en-route.

Securing your email

Securing your email is easy: you just need to encrypt it. This scrambles every message you send so it can't be understood by people other than the intended recipient.

These days you don't need detailed technical knowledge to use email encryption. Many companies offer email encryption products that handle the technical side of things for you. However, the key is to find one that doesn’t require your recipient to have installed software to decrypt your message and then send you an encrypted reply.

You might also want to find a service run by a UK company and hosted on servers in the EU. This means that UK and EU privacy law will apply — you don't risk getting caught up in the US Patriot Act, which many argue is a good reason to avoid US-based services.

My company offers an email encryption service called Egress Switch.

How to get started

You'll need to decide whether you want a pay as you go encryption service, or something more substantial.

It's also worth looking for a scalable service. You might start out as someone who will use encryption infrequently, for the odd highly-sensitive email. But over time you may decide you want to use encrypted email for all of your business communications.

In the end, though, it’s up to you: if you don’t mind risking Big Brother reading your email then you can do nothing. But if you'd prefer your private messages to stay that way, it's a good idea to adopt email encryption.

• Why you need to archive your email
• Send sensitive information in a self-destructing message
• How to prevent data breaches

Blog provided by Paul Simms of Reflect Digital on behalf of Egress Software Technologies.

The toilets and photocopiers that are out to get you

These days, tech dangers can even lurk in the bathroom

Last week news broke of two unexpected yet chilling security dangers, involving rogue photocopiers and high-tech toilets. (Yes, we are well into silly season - can you tell?)

For starters, it turns out your Japanese-style toilet could be vulnerable to attacks from hackers.

An unexpected shower?

Yes, loos from the Land of the Rising Sun have now reached a point where they they have built-in Bluetooth so they can be controlled by your smart phone.

By downloading the free app, you can control the shower and flush functions of a £4,000 toilet made by Japanese firm Lixil. (You can also keep a 'toilet diary' using the app, but we won't go into that.)

But where there's connectivity, there's potential for hackers - no matter whether we're talking about an expensive toilet or an expensive computer.

Problems arise in this case because all models of the super toilet use the same Bluetooth PIN of 0000. This means anyone within Bluetooth range can download the app, connect to your toilet, tap in the PIN and then play havoc with its functions.

No news on whether anyone has actually suffered a toilet attack yet, but with the story occupying top spot on the BBC's 'most shared' list last week, it's surely only a matter of time.

The photocopier that changes your figures

Hot on the heels of these terror toilets came news of the Xerox machine that's been overstepping its authority.

Now, back in the day, photocopiers copied what you told them to. You might have had the occasional paper jam or toner accident, but by and large you got an accurate copy.

Not any more. A bug in several Xerox models means they may alter numbers on the documents they copy. Computer scientist David Kriesel found that his was changing the figures on building plans and other documents.

The problem has been narrowed down to an issue with the compression software used by the machines, and raises all sorts of questions about who would be liable if you sent out an inaccurate photocopy to a client.

Really. Who ever heard of a photocopier making its own edits?

Too clever for its own good?

While there's certainly an element of humour to both these stories, they carry a serious message too. 

Everything we own is becoming more connected. In time your fridge, your door locks, your car, your light switches and more could all be on the internet.

There will be benefits to this, but there will certainly be risks as well. A hackable toilet is only the thin end of the wedge, and nobody knows quite how thick it's going to be.

What's more, as machines get smarter in how they do things, they seem to get better at screwing things up too.

In a world where even a simple photocopier can make a hash of copying a document, it's dangerous to assume something is right just because the computer says so.

• Simple IT security for smaller businesses
• Keep your mobile devices secure
• The £65,000 security breach

Infographic: the £65,000 security breach

We seem to have covered IT security and data protection on this blog a lot recently. And there's good reason for that: suffering a data breach can cost your business a lot of time and a lot of money.

How much? Well, in the worst case it could cost smaller companies up to £65,000 to recover, according to this infographic based on research from the Department for Business, Innovation and Skills.

Interestingly, it's lost custom and business disruption that make up the majority of that loss. Businesses will tend to spend relatively little on actually responding to an incident, although if you have to bring in external suppliers or consultants to evaluate the damage and set things right then that can add up.

Here's the infographic, so you can see the cost of security breaches for yourself. Click it to view the full version:

Infographic by Via Resource. See full-size version.

• Five myths about hackers (and why they matter to your business)
• Five tactics to prevent data breaches
• Hackers: they're everywhere, every day

Five tactics to prevent data breaches

Are your data protection tactics right?

For businesses of any size, ensuring the accuracy, integrity and security of data is essential.

Under the Data Protection Act (1998), data controllers are required to take 'appropriate technical and organisational measures' to protect personal data from unauthorised or unlawful access or use, as well as preventing accidental or malicious loss or damage.

The principles of the act cover how data is stored, accessed and transferred to protect the subjects of that data, be they your customers, suppliers or employees.

Data breaches can affect anyone

Data breaches can affect businesses of any size and may have serious consequences. For instance, in January 2013, electronics giant Sony was fined £250,000 after millions of PlayStation Network customers’ data was stolen.

The implications of a data breach for smaller firms can be considerable, which is why ensuring protection is in place when handling data is a key priority for any business that uses information technology.

Here are five key data protection measures that can be taken by your business:

1. Define a clear IT policy

Implementing a clear IT policy is one of the most effective ways to ensure the integrity of your data. Use permissions to ensure employees can only access the information that is relevant to them and make sure they use secure passwords.

Passwords should also be changed regularly in order to minimise breaches.

2. Watch contractors and third parties

Negligence by contractors is one of the most common reasons organisations suffer data breaches in the UK.

Establish a written contract which ensures any contractors and other third parties adhere to data protection principles and best practice.

3. Secure email attachments and documents

It's important you understand when it's appropriate to use email to transport data.

Email attachments which include sensitive or confidential data should always be encrypted and password protected. The password for any documents should be communicated verbally (in person or via telephone) to ensure the data can only be accessed by the relevant parties.

4. Invest in antivirus protection

You should invest in appropriate virus protection and security software to maintain the integrity of your IT systems and prevent hacking.

This will not only help protect your data from theft, but also keep your technology safe from corruption and other problems.

Use a firewall to control access to the data you hold and implement secure remote access if you need employees to access data when away from the office.

5. Know how to handle a breach

Even if you take every possible precaution, it's still possible for a security breach to occur.

If this happens to you, make sure you have procedures in place to help you deal with the situation.

You may also wish to take out professional indemnity insurance, which can protect your business from customer disputes arising from loss of their data or documents.

Michael Howard writes on behalf of Markel UK, a specialist online insurer providing cover for professionals, professional practices and consultants.

• Your data protection obligations
• Protect mobile data with laptop encryption
• Protecting data on lost and stolen USB drives

People don't trust businesses with personal data (but hand it over anyway)

One in four consumers don't trust any company to secure their personal information online. That's according to a survey of 1,000 UK consumers conducted by information security and risk management firm Integralis.

Although a quarter of all respondents said they don't trust any organisation to take care of their personal data online, there is some relatively good news in one sector: nearly 65% of people said they do trust banks with this information.

However, businesses operating in other fields need to do more to win the trust of their customers. Only 36% of people trust online retailers with their personal data, 24% trust supermarkets and just 22% trust online payment systems like PayPal.

No trust, no problem

But despite this general lack of confidence, people still use these services in droves. For instance, over half of people surveyed said they do grocery shopping online at least once a week. While people might not trust online retailers with their data, they're still willing to share it.

"Online shopping is unbelievably popular, even though people don't necessarily trust it," confirms Mick Ebsworth, information security consulting practice director at Integralis. "People are worried about the types of information these site sask for."

"Far too often, consumers are prepared to supply core personal details - like mother's maiden name or date of birth - to organisations that don't need that information."

This can put consumers at increased risk of ID theft, should that information fall into the hands of online criminals.

"People need to always think about the information they provide," explains Ebsworth. "Does an organisation need it? Your bank might not be attacked, but your account at another site with lower security might be. So why use the same passwords?"

Don't ask if you don't need it

Although consumers might be making mistakes by supplying personal information to firms that don't need it, the buck really stops with the organisations requesting it. If they want potential customers to trust them more, they need to be more circumspect about requesting information.

Ebsworth has some advice for online businesses: "Firstly, you need to put in place the technical controls to keep personal information secure. You need the right level of encryption and good levels of data storage. Think about who has access to that information - in your organisation, with third parties, and online."

"Secondly, only request information that you really need. Recognise that the consumer has a role to play here, but that you can help them."

Finally, he has a sober reminder for firms that might still be unconcerned about how they handle this data. "Everybody who collects personal information has a duty to take care of it. Although there's nothing in the law to say how you should deal with a data breach, the Information Commissioner's Office can levy big fines if they believe you haven't adhered to good practice."

Does your business need all the information it collects from customers? Do they trust you to take care of it?

• Your data protection obligations
• Don't panic, but 23% of your staff are stealing from you
• Perform an IT security risk assessment

Can you spot the phishing website?

You've probably heard of phishing. It's where scammers send you an email that looks like it's from an official organisation, usually your bank.

The email usually contains links to a fake log in page which collects your username, password and other security details. If you enter them, the scammers will subsequently use your credit card, empty your bank account or commit some other crime against you.

Some phishing websites are laughably bad, with terrible grammar, bad spellng and shonky design. But others can be very convincing.

Spot the phishing site

To show you just how convincing phishing sites can be, here are two screenshots for you. One is the genuine sign in screen for the Co-operative Bank's online banking service. The other is a fake sign in screen from a phishing email I received.

You can click the image to see both screens full size. Can you tell which is which?

See actual size >>

So, how did you do? 

Well, the top screenshot is of the genuine sign in screen. The second one is the fake.

If you're familiar with this bank's online interface, you'll probably realise that the site asking for your full name is not genuine. But if you don't use your online banking often or simply aren't paying 100% attention when you click the link, it's easy to see how you could be fooled.

Three principles to avoid phishing

Checking the address of a site like this is usually the most foolproof way to see if it's fake. In this case, it was easy to tell, because the URL clearly wasn't the Co-operative's normal address:

It isn't always as obvious as this through, so here are three foolproof ways to avoid phishing traps:

1. Don't click sensitive links in emails. If an email from a trusted source like your bank asks you to log in to your account, do so by manually typing in the website address rather than clicking a link.
2. Pay attention to security notices. Most phishing emails will be caught by email filters, security software or web filtering tools. If you see a warning about an email, link or website, don't ignore it. (It's amazing how many people do.)
3. Let the sender know your concerns. If you're in any doubt at all about whether an email or website is genuine, get in touch with the organisation it claims to represent. A quick phone call should be enough to confirm your doubts.

And as a final warning, don't ever enter sensitive log in information if you have any concerns at all about the website you're on. Even if it just looks or feels a bit funny, that's reason enough to stop and think before you make a mistake.

Note: don't click links in dodgy emails like we did. They can be dangerous, even if you don't enter in any sensitive information.

• Staying safe in the changing world of IT
• The bring your own device fear factor
• Can you prove who you are?

How to hack 420,000 internet devices

Here's a stark reminder that internet security perhaps isn't quite as tight as we'd all like.

An anonymous researcher managed to take control of 420,000 insecure internet devices like webcams, network routers and printers.

They were use to effectively create a huge network of internet devices that could be used for dodgy purposes like taking websites down via denial of service attacks. (The researcher didn't go ahead and cause any damage, but the potential was there.)

Standard passwords

What's striking about this research is both the huge number of devices that could be compromised, and the ease with which it could be done. Quite simply, the researcher accessed each device by trying standard usernames and passwords like admin or root.

In a month where a high-profile cyber-attack against South Korea hit the headlines, it's important for your business to remember that sometimes the simplest hacking attempts - like trying default usernames and passwords - can be just as damaging.

Don't neglect the obvious

The anonymous researcher summed up the problem in a post online:

"While everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world."

In short: choose your passwords carefully. And whenever you add a new piece of equipment to your computer network, check if it has sign in credentials and change them if so. If you don't, you could be a part of this problem.

• The ABC of business IT security
• Most small businesses have had a security breach. Have you?
• Emma Watson could bring down your business computers

Image: Rob Kints / Shutterstock.com

The ABC of business IT security

It’s good to refresh your knowledge when it comes to something as crucial as IT and data security. So here’s a slightly tenuous ABC of business IT security. Plus a D and an E for good measure.

A is for anti-virus

Get good anti-virus software and keep it up to date. You usually have to subscribe to software updates, and don’t wait for this to expire before you renew it. Even a few days without adequate protection is asking for trouble.

Spyware - which attempts to extract information from your computer without your knowledge - is another threat. However, most anti-virus packages also include anti-spyware protection too.

You can shop around for the best anti-virus deals. Reputable suppliers include McAfee, Kaspersky and Bitdefender.

B is for backups

Ideally, all the data on your computer system needs to be backed up to external hard drives. This ensures that you won’t lose sensitive information if your computers are corrupted by spyware or viruses.

Inform your staff that they need to back up their data at the end of each day, and regularly remind them to do so. External hard drives don’t cost the earth (you can see a selection here on Amazon), and you’ll be saving yourself a lot of hassle if the worst comes to the worst.

C is for control

When it comes to protecting data from prying eyes, control is the key. If there are files on your company’s shared drive which you don’t want all your staff to view, you should control who can access them.

If you use Microsoft Windows, here’s how to restrict access to a certain folder:

1. Right click the folder and click Properties
2. Click the Security tab
3. Click Edit and then Add
4. Add the usernames of the people you want to access the folder into the box that appears on screen
5. Click Ok

That’s it – you’ve created a list of people who can access that particular file or folder on the shared drive.

D is for data encryption

Encrypting your computer systems makes it harder for hackers and fraudsters to access sensitive business information.

This can be anything from emails and financial figures to documents and databases hat are stored on computers or servers in your business. You can also protect portable storage devices like USB drives, which protects them in the event of loss.

Setting up encryption software can be a little tricky, but this guide to encrypting your laptop is a good place to start. It’s also worth speaking to your IT supplier if you need help.

Encryption is an excellent way to ensure your business transactions are protected from unwanted attention. Even if a fraudster manages to steal a disk containing sensitive information, they should still be unable to read it.

E is for external help

Instead of relying on your own knowledge about maintaining computers, it is a good idea to have an trusted IT supplier you can turn to. They will help troubleshoot any problems with your system, allowing you and your staff to focus on running your business.

Even seemingly minor problems should be flagged up, as they can indicate larger problems with your IT security. It all helps avoid any lingering suspicions that your company has been targeted.

It’s often a good idea to choose a local IT supplier, so you can ask business contacts and friends who they’ve used in the past. Perhaps they could even negotiate you a discounted rate!

Written by online security expert, James Archer, on behalf of online retailer The Safe Shop

• How to find and choose an IT supplier
• Your security plan
• How to prevent IT disasters