Blog posts tagged security

Security infographic

Is your business ready for the unexpected?

Earlier this year, an underground fire in Holborn caused days of disruption for businesses based in that part of central London. As this event hit the news, it raised an important question for businesses: what plans do you have in place for the unexpected

The incident received widespread coverage and some estimates put the cost of disruption at £50m.

Some businesses were unable to enter their premises for days and employees had to leave their laptops and smart phones behind. Many staff were sent home and power outages hit telephone systems and servers.

When something like this happens, some disruption is inevitable. But if you prepare, you can minimise the problems you face.

Telecoms is key

It’s not just dramatic, newsworthy events that cause disruption. Inclement weather (snow, floods or heat), transport issues and more can all cause problems for your company.

It’s worth your company having a continuity plan in place so you have some idea of what to do if a crisis hits. There are several aspects to think about, but your telecoms form a key element.

If a problem was to affect your organisation, how would your customers get in touch and how would you continue to operate? Some surveys have shown that losing communications can cost a company thousands of pounds a day.

How to prepare for problems

Equinox provides telecoms services to UK businesses. Dave Millet, director there, recommends asking a few key questions:

• If your business uses a traditional phone system, have you investigated whether a call divert feature is available? This allows you to reroute calls during a crisis.
• If you use a voice over IP telephone system, you may be able to sign in to an online control panel to divert calls when your staff are working elsewhere. But do you know how?
• Similarly, some of these systems offer an ‘automatic failover’ feature, which re-routes calls for you in the event of a problem. Have you set this feature up?
• How is your company data backed up and where are the backup copies held? If you were unable to get into your premises, would you know how to access your data?
• Do you have a list of everyone you should call in a crisis? And are copies easily available? You might need to get hold of employees, telecoms providers, IT suppliers and more – all in a hurry.

It can be hard to know how much time and money to spend creating and testing business continuity procedures.

But a good way to start is to estimate the cost of a day’s lost business. If this figure is large, you can justify a greater investment in building resilience into your systems and procedures.

Being prepared means taking action now - not waiting until something happens. Hopefully you will never need to put your plans into practice. However, if you do, it could be the difference between survival and bankruptcy.

More on this topic:

• Could you keep your tech going during a blackout?
• How easy is it to get your data back?
• 29% of people don’t do backups. Are you one of them?

How to defend your business during the four stages of a cyber-attack

Every one and a half seconds, another organisation is hit by a cyber attack. There’s one now. And there. And there.

Are you prepared to defend your business?

Thousands of security breaches

Even a minor security breach can hit your business hard. And if you’re unlucky, it could cost you up to £65,000 to recover.

If you’ve not considered how you might cope in a crisis, your business and your data could be at risk.

The bad news? It’s easy for a hacker to launch a sneak attack. The good? Nearly all attacks are preventable.

To protect your company from a security breach, you need to understand the four stages of a typical attack. Then you can make sure you have the right security protocols in place.

Stage one: the crack in the wall

A major data breach usually begins with something small, like an employee falling for a phishing attack and opening a bad email attachment. The infamous Sony Pictures hack may have begun in this way.

To keep this from happening, make sure your employees have a grounding in basic security. Anything coming in to your company should only be accepted if employees know and trust the source.

If the crack in the wall has already appeared, delete any suspect files, disconnect any affected computers from your network and sweep the computer for any traces the file may have left behind.

Removing some malware can be notoriously tricky, so it’s a good idea to bring in your IT support company. A small amount of money spent now can help limit your future losses.

Stage two: information gathering

Once a hacker has gained access to your systems, they’re likely to start gathering valuable information.

For instance, that bad attachment could have installed keylogging software that can record every keystroke. This can give the hacker access to usernames and passwords, email addresses, credit card details and more.

As a preventative measure, make sure every computer in your business is running up-to-date anti-virus and security software.

If keylogging software is detected, reset all passwords in your business – even if you think they haven’t been compromised.

Stage three: the stolen password

Once a hacker has begun collecting your passwords, they can use them to get much deeper into your systems.

To prevent one stolen password giving the hacker an all-access pass to your data, set up permissions and controls so each person in your business can only access the resources they need.

For instance, there’s probably no need for your sales team to have access to the full company accounts.

Stage four: disaster

Once hackers have access to your company’s servers, your data is at their mercy. They can easily steal sensitive information and even wipe it completely, causing irreparable damage.

To prevent disaster, you can use real-time audit reporting to detect suspicious activity. Your policy should be to disconnect first and ask questions later.

If your data does get wiped, be prepared with off-site backups that are updated regularly. Having your data stolen is terrible, but losing it altogether could kill your business.

Most cyber attacks are easily preventable, and common intrusions usually take several days to complete.

By putting these simple security measures in place and knowing how to prevent hackers from seizing control of your data at every stage in the process, you can sleep more easily at

night.

Copyright © 2015 Kris Lahiri, co-founder and the VP Operations and Chief Security Officer of Egnyte

More on this topic:

• The Hitchhiker’s Guide to Hacking
• Managed security software can keep you safe
• Low-tech ways to protect your business IT

The Hitchhiker's Guide to Hacking

Security company Norton has created a Hitchhiker’s Guide to Hacking web page. And as a confirmed fan of Hitchhiker’s Guide to the Galaxy, I can’t quite decide what to think of this.

On one hand, it’s been put together with real care. The information is detailed and someone has spent significant time on the design.

Unlike many such infographics, it’s not been knocked together in five minutes by someone who has a basic knowledge of Microsoft Paint. (Actually, most of the information is text-based, but the illustrations are nicely done.)

But on the other hand, we’re talking about the Hitchhiker’s Guide to the Galaxy, probably one of the world’s best-loved modern stories. Is it right for Norton to use its instantly recognisable identity as part of a PR campaign?

Maybe it’s best for you to decide for yourself. You can check out the Hitchhiker’s Guide to Hacking here. It’s worth a look, if only for the depth of information it contains.

• The £65,000 security breach
• How managed security software can keep you safe
• Five low-tech ways to protect your business

Now Microsoft says weak passwords can be good

If there’s one piece of IT security advice that’s generally not up for debate, it’s that you need to use strong passwords.

Some of the most common passwords are things like ‘password’ and ‘123456’. Hackers can guess these in minutes, so it’s a really bad idea to use them.

The usual advice is to use passwords that:

• Aren’t dictionary words
• Contain a mix of upper and lower case letters
• Contain numbers and symbols
• Are as long as possible

For instance, a password like ‘YY6^nUCFT/g}k3Cb’ is going to be hard for hackers to guess. You can get advice about choosing strong passwords here.

Don’t use strong passwords?

But now Microsoft researchers have recommended (PDF link) we use and reuse weak passwords on low-risk websites that don’t hold valuable information.

The theory goes something like this: by not having to struggle to remember complicated passwords for every single website, we can focus more of our efforts on creating and memorising strong passwords on the websites that really matter.

Why this is bad advice

On the face of it this sort of makes sense, but it starts falling apart when you try to actually put it into practice. Here’s why:

• It’s hard to know which website accounts are most important. Even some innocuous websites hold sensitive data like your date of birth. It’s not uncommon for hackers to piece together the information they need for identity theft from several different website accounts.
• Memorising strong passwords is too hard anyway. Regardless of what Microsoft says, your average website user doesn’t have the time nor inclination to memorise passwords like ‘YY6^nUCFT/g}k3Cb’ — even if they only need to do so for a few websites. It’s simply asking too much.
• It makes the world of passwords more confusing. The message that strong passwords are important is easy to understand. Being told it’s sometimes ok to use weak passwords dilutes that message — particularly when there’s no solid definition of what constitutes a ‘low risk’ website.

Although Microsoft’s intentions are good, research like this risks causing more problems than it solves.

As other security experts have argued, you’re probably better off using a password manager to create strong passwords and keep track of them all.

Blog by John McGarvey, IT Donut editor

• Are you using one of the world’s worst passwords?
• Five ways to create passwords that are hard to crack
• Can Microsoft Research predict your passwords?

Five low-tech ways to keep your business IT safe

A flooded office in Windsor, Feb 2014. Image: Steve Mann / Shutterstock.com

IT security experts talk a lot about avoiding viruses and spyware. In the wake of the GOZeuS malware issue, you can't move for advice on how to avoid phishing.

But although a lot of IT security advice tends to focus on issues like these, there are many less high-tech threats to your business IT.

For instance, according to research from Inhance Technology, over 20% of people are more worried about being mugged for their smart phone or tablet than they were a year ago.

So, in the race to keep your devices free of viruses and your servers locked down from hackers, are you neglecting the more basic precautions?

As a reminder, here are five ways to protect your servers, computers and mobile devices from the low-tech threats that can damage your business:

1. Label everything. Sticky labels aren't going to deter many criminals. But they might help get items back if they get lost, or if the police recover them. Keep a record of the serial number for every piece of hardware too. Learn more about asset tracking.
2. Don't be obvious. When you issue mobile devices to staff, encourage them to carry them discreetly. For instance, don't give staff laptop bags that scream 'steal me'. Instead, keep laptops inside foam sleeves that can be carried in ordinary bags.
3. Lock things up. Don't leave laptops or other portable equipment lying around in your office. Operate a locked-drawer policy, requiring employees to lock away laptops or any other valuable devices when they go home for the evening.
4. Keep servers off the ground. It's not just businesses on flood plains that should be wary of water. Burst pipes can cause damage anywhere. To minimise risks to servers, keep them off the ground and — ideally — locate them on or above the first floor.
5. Be wary of public places. Make sure employees don't work on confidential documents or have sensitive phone calls in public places. The last thing you want is for a competitor to overhear your plans on the 1846 train home. (Yes, it does happen.)

Have you been caught out by any low-tech security issues? Leave a comment to let us know.

• A guide to simple IT security for smaller businesses
• Free tools to delete files forever
• Meet the information sabatoeurs — aka your employees

Is Bitcoin the answer to your business security woes?

There’s a lot of debate surrounding Bitcoin, and for good reason. This unregulated electronic currency is not backed by a central bank and its value fluctuates wildly.

The Internal Revenue Service (the US equivalent of HMRC) recently decided to treat Bitcoin as property (not a currency). This could have a major impact on the volume of transactions conducted using Bitcoin.

However, while Bitcoin itself is controversial, the encryption technology behind it could be the future of digital security.

How Bitcoin security works

Bitcoin uses an accepted security concept called asymmetric key encryption. When you download a Bitcoin wallet — in which you store your Bitcoins — you’re assigned two encryption keys.

There’s a public encryption key, which you give to anyone from whom you want to receive Bitcoin payments.

Then there’s a private key. This is mathematically linked to your public key, and is used to decrypt information encrypted with your public key.

In practice, this means anyone who wants to pay you can encrypt the transaction using your public key. But only you can decrypt it to receive the money, because only you have the private key.

Bitcoin encryption for email and the cloud

Some email providers use a similar system called Pretty Good Privacy (PGP) encryption to send emails securely.

However, as PGP stores your private encryption key on an email server, hackers (or the government) could potentially intercept and decrypt your messages.

A more secure option is to encrypt emails using a Bitcoin key before you send them through your provider’s servers.

You can apply this same concept to data stored in the cloud. If you encrypt it with a Bitcoin key, your information will stay safe even if someone hacks into your cloud provider.

The risks of Bitcoin encryption

While these security measures do offer extra protection, the risks of Bitcoin encryption lie in the human element.

If you don't secure your virtual Bitcoin wallet, you can fall victim to theft. Really, keeping your wallet offline and protecting it with a password is the only straightforward way to secure it.

And you should always remember that encryption is a double-edged sword. If you ever lose your password, your data is lost forever.

The future of Bitcoin

While some governments have banned or restricted its use as a currency, Bitcoin is gaining support among some businesses. There’s even a Bitcoin cash machine in East London.

The supply of Bitcoins is limited and their volatility means the cost of security can easily surpass the value of what you’re protecting.

But perhaps the true value of Bitcoin lies in its potential to educate more people about using encryption to secure information.

In this digital age, information is currency. You should protect yours just as you would protect your money.

• How to protect your laptop with encryption
• SSL encryption for your website
• Protecting data on USB drives 

Tim Maliyil is the CEO and Data Security Architect for AlertBoot.

GOZeuS and CryptoLocker: why you have a week to protect yourself

Don't panic, but you have a week left to protect yourself and your business from an online threat called GoZeuS. That's according to official Government advice, no less.

So, what are GOZeuS and CryptoLocker? And why is the next week a critical period?

Disrupting the efforts of online criminals

You might not realise it, but there are battles happening online at this very moment.

On one side, hackers and online criminals are constantly finding new ways to steal data, pinch money and cause harm. On the other, security companies and government agencies are working to disrupt these criminal activities.

Recently, a group of organisations led by the FBI announced a significant victory. Experts have significantly disrupted the GOZeuS and CryptoLocker malware, which have been stealing people's data and holding their computers to ransom.

GOZeuS and CryptoLocker explained

GOZeuS is a piece of malicious software that can infect your PC, just like a virus. You can catch it from opening an infected email or visiting a dodgy website. It's estimated that around 15,000 computers in the UK are affected by it.

Once GOZeuS is on your computer, it attempts to hunt out valuable data that it can steal. Names, addresses, bank details, passwords ... the usual stuff. 

If it doesn't find enough information to be profitable, GOZeuS may activate CryptoLocker. This devious malware encrypts your computer, locking it down so you can't access any of your own data.

You may then see a message demanding you pay a ransom (typically £300 — £500) in order to regain access. Nice, eh?

Why do the next seven days matter?

Although GOZeuS and CryptoLocker are still out there, the network of infected computers has been significantly weakened. It's currently harder for infected computers to communicate with each other.

This means now is a really good time to strengthen your online security. To draw on a somewhat overused analogy, it's better to fix the roof while the sun's shining rather than waiting for the next storm.

According to official advice, the next week is the best time to make sure your defences are in order.

So, in the next few days, why not set aside an hour to review your security procedures?

• Scan your computer for GOZeuS. Free tools to do this are available from Symantec, F-Secure and other providers.
• Check your security software. Is it running on all computers and servers? Is it up to date?
• Do a full scan of your computer, too. Run a one-off deep scan using your current security software.
• Make sure your software is up-to-date. Visit Windows Update and turn on automatic updates.

Finally, you might receive an email or letter from your internet service provider warning your computer is infected. If so, don't dismiss it. As part of the work to disrupt GOZeuS, official bodies gained access to records on criminal servers and have been able to identify infected computers.

However, to be sure this isn't a fake phishing email, use the links above to go directly to GOZeuS removal tools, rather than clicking any links in the message. And call your ISP for confirmation if you have any concerns.

You can get more advice about GOZeuS on the Get Safe Online website.

• What is a botnet?
• How to choose security software
• How we coped when our business was hacked

Four ways to fight back against cybercrime

According to the government, cybercrime costs the UK economy around £27 billion each year.

If your business suffers even a tiny fraction of that loss, it would be devastating. So, how so you make your company less of a target?

By fighting back against cybercrime. That’s how.

1. Use security software and keep it updated

Use decent security software on all your company computers and servers. If you’re in any doubt about what you need, ask your IT supplier.

Importantly, make sure your security software updates itself. This is the only way to stay safe from emerging threats.

Learn more about choosing security software >>

Do an IT security audit

A professional IT security audit is worth every penny. When an expert examines your IT setup, they’ll identify where you’re most vulnerable to attack.

Armed with this crucial information, you can create extra security measures and write a solid security policy.

Check hardware and physical security

IT security is not just about software. Any equipment that connects to the outside world (like your router) should be modern and made by a reputable manufacturer.

At the same time, check your premises for weak points. For example, if you keep your backup tapes in a safe, change the combination regularly. Consider installing CCTV too. 

Beware of social engineering

Social engineering sounds creepy, but it refers to the way cybercriminals may try and con your people, rather than attacking your computers.

Make sure your employees look out for cold callers and unusual visitors. People who are good at social engineering tend to have the gift of the bag. It’s surprisingly easy to reveal a username or password to them.

Staff should also know how to handle ‘digital cold calls’, like phishing attempts.

Whatever you do, don’t neglect your people. One of the most effective precautions you can take is to make sure your staff know how to handle data safely and spot criminal behaviour.

• How to choose security and anti-virus software
• Case study: how we coped when our business was hacked
• Five common IT security mistakes

Ryan Farmer is a marketing manager at Acumin. Follow them on Twitter: @acumin.

Watch out for that free Wi-Fi

Free Wi-Fi seems like one of the great perks of the 21^st century. In pubs and cafes in towns and cities across the UK, you can get online for nowt.

But now Europol — the EU’s law enforcement agency — is warning that using free Wi-Fi could be much riskier than we’ve realised.

In short, each time you connect to a public network, you could be playing a kind of Russian roulette with the data you send over the airwaves.

The rogue Wi-Fi network problem

Cybercriminals and hackers have spotted that we’re hooked on the convenience of free Wi-Fi. What’s more, they know most of us are accustomed to connecting without giving a thought to security. And they’re taking advantage.

A typical attack is for a hacker to set up a rogue network. They give it the same name and password (if applicable) as a legitimate network nearby.

For instance, a criminal might set up ‘John’s Café Wi-Fi’ near to John’s Café. When an unsuspecting punter connects, the attacker can intercept all the data that gets sent and received.

Sensitive files and information sent by email, personal data entered into website forms … it’s all there for them to harvest and use.

This isn’t a particularly clever or novel trick. But it works. Next time you’re connecting to a network in a public place, can you be sure it is what you think it is?

How to stay safe from Wi-Fi attacks

It can be difficult to be 100% sure that you’re safe when you use public Wi-Fi. And so the best way to protect your data is to not send or receive sensitive or private data while using it.

That’s easier said than done. One of the most popular uses for Wi-Fi is catching up on email, which can contain all kinds of data that’s valuable to hackers.

However, it’s definitely a good idea to think twice before entering your online banking details or other sensitive login details.

Being on a secure website (indicated by https:// and a padlock in your web browser) does offer some protection, but hackers can still use a technique called sslstrip to intercept your data if they really want.

The safest option is to connect via a virtual private network (VPN), which creates a secure tunnel through which your data passes. You can purchase VPN access from companies like Hotspot Shield — there’s a good explanation and some reviews of VPNs over on the PC Advisor website.

• Save your business from a major security threat
• Yes, you need to secure your smart phone, too
• Why every business needs a wireless network

Five steps to repair your reputation after a security breach

Even if you take every precaution imaginable, it’s still possible for your business to fall victim to a security breach. And while nobody wants to be that victim, it’s worth giving some thought to how you’d manage your reputation in the wake of a cyber-attack.

We reveal the five steps every business should take to minimise damage and rebuild their reputation.

1. Take control and act fast

When US retail giant Target suffered a huge data breach last year, one of the biggest criticisms levelled at the company is that it didn’t do a good job of acting quickly and communicating well with customers.

Don’t make that mistake. Once you’ve taken the necessary precautions to secure your systems, share information with your customers, employees and partners.

2. Be open and honest

Being as honest as possible when communicating the crisis will ultimately reassure customers that you are doing everything you can to resolve the issue and protect their details.

Hiding the truth from loyal customers will only damage your credibility in the long run. When tech firm Buffer was hacked, the company remained open and communicative throughout.

3. Provide helpful customer support

Do your best to provide first class support to any customers affected by the issue. They probably aren’t IT experts, so you’ll need to assist and reassure them if you want them to remain with your business.

Be on hand to respond to customer queries and you’ll retain your reputation and customer relationships long after the breach.

4. Remember - one size doesn’t fit all

Think about who you’re talking to when you communicate what’s happened. Tailor your message to address the concerns of each group.

For instance, while customers will be concerned about whether their data has been compromised, investors and partners will require specific information on how your company’s reputation, value and long-term prospects could be affected.

5. Don’t be afraid to apologise

You’ll be surprised at how far an apology goes. While many businesses will be quick to blame a third party for their security weaknesses, more switched on companies understand that customers don’t want to hear excuses.

Take ownership of your problems and be clear and compassionate about what went wrong, how you plan to fix things and why you can be certain this won’t happen again.

• Three things you can learn from NatWest’s IT woes
• How to write a disaster recovery plan
• How we coped when our business was hacked

This post was written by Brittany Thorley, who regularly advises businesses about web security.

Your five-minute guide to online backup

Online backup services can be a really convenient way to take a safe copy of your company data and store it away from your main business location.

This means that if anything goes wrong your data, you still have a backup copy to work from.

How does online business backup work?

Online backup services are generally simple and easy to use:

• Your important data is uploaded to the backup provider’s servers, over the internet.
• These servers are usually located in a data centre, keeping your files available and safe.
• Software on your computer or server automatically keeps track of changing data, backing it up automatically.

And that’s pretty much it. You change a file in the office and the backup copy gets updated for you. Delete a file by accident and you can get a copy back within minutes.

With some research showing that 48% of businesses experience data loss each year, online backup can be a really effective way to protect your company.

Why use online backup?

Businesses have traditionally backed their data up to tapes, hard drives or CDs. So, why use online backup instead of these tried-and-tested methods?

• You don’t have to mess around swapping tapes or disks, or remembering to keep them somewhere safe, off your premises.
• Online backup is largely automated. Although you still need to monitor and test your backups, online backup has fewer management overheads.
• Fewer capacity issues. Online backup services are flexible, so as your data grows you can just pay a little extra for more storage.
• No hardware to buy or replace. You never need to replace backup drives, tapes or disks when they wear out.
• Keep track of file versions. Most online backup systems let you recover copies of files that have changed several times.
• Even if your office burns down and your server is destroyed, you can access your data online — from anywhere in the world.

Online backup: what to look for

Not all online backup services are equally safe and effective, so it’s important to choose an online backup supplier that:

• Takes at least two copies of your information and stores them in two different, secure data centres.
• Charges you only for the service you need. You shouldn’t be paying for unnecessary storage space or add-ons.
• Checks your data regularly for inconsistencies, so you can be confident your backups will work if you need to access them.
• Offers disaster recovery services, to be sure you can get up and running again quickly if you do have a problem.

Are online backups right for your business

An online backup service could be a good fit for your business if:

• You want a cost-effective, future-proof backup solution.
• You need a flexible data backup and retrieval mechanism.
• You need a backup system that doesn’t require too much looking after
• You want file-versioning without having to juggle lots of backup tapes.

To learn more about backups, read about how to find the right backup methods, and see the five key questions to ask about your backup system.

This is a post from Danny Walker, director at IT Farm.