IT Security – Locking down your data
As security software grows in sophistication, so do security threats.
Vikki Bland goes in search of a painless, affordable path to small business data security.
When it comes to data security failures, there are many horror stories – just ask any software or network consultant. Examples include businesses that lose access to applications and email for an entire week as a result of malicious code entering the business network; and those that can’t access the Internet or operate their websites for days following ‘Denial of Service’ attacks (also caused by malicious code or ‘malware’). Businesses also suffer internal security breaches as a result of staff or ex-staff accessing information they shouldn’t be able to access – spreadsheets can be altered in error, unauthorised emails sent to customers, and crucial files accidentally or deliberately deleted.
IT consultants say a surprisingly common security breach occurs when an ex-employee leaves and goes to work for a competitor only to find they still have online access to the business network and email of their previous employer. One marketing manager even received regular marketing meeting minutes from his previous employer, who was unknowingly still copying email to the ex-employee’s private email address.
Eric Krieger, country manager for data security consultant Secure Computing New Zealand, says some of the most significant business damage occurs as a result of internal data leakage.
“This might include regulated and protected information, intellectual property or trade secrets. Despite company policies and technological gate-keeping, businesses are not doing enough to ensure outbound emails do not include sensitive information,” says Krieger.
He says many New Zealand businesses wrongly believe the main threat to email communications comes from external sources and so implement firewalls and spam filters. However, emails are also vulnerable to unauthorised interception, modification and access – and through human error can be incorrectly addressed, inappropriately forwarded or misdirected.
“This can lead to issues best avoided, such as email identity theft and the unauthorised exposure of confidential or sensitive information, which can then possibly lead to bad publicity or even legal action,” says Krieger.
Richard Prowse, country manager for software brand Symantec, says small businesses don’t necessarily want to be familiar with security technology.
“They just want it to work and don’t want the risk of exposure. Yet some of these companies are processing credit card details through online portals. They need to stand back and consider the risks if they are not reviewing their activities; and yes, they may need a local implementer who can provide advice. The network ‘end point’ is no longer a desktop, but an Internet café – or PDAs, laptops, and cell phones; all of which can be stolen,” says Prowse.
He says that because businesses can’t rely on “right user behaviour”, security technologies will always be necessary in addition to user policies and ongoing education.
“A major customer in New Zealand had an FTP service loaded onto their laptop and that service was transferring information out of the laptop to another location, without the business being aware of it. An effective security policy and the right technologies [would have stopped] the confidential information leaving the laptop,” says Prowse.
Unfortunately, it’s very difficult to get businesses to ‘own up’ to a major data security breach or to have them speak publicly about what they learned from it. However, in a recent survey by software firm Symantec around 44 percent of New Zealand small businesses said they had been affected by a data security threat.
(Perhaps more alarming, the same survey revealed that one in four small businesses in New Zealand do not conduct a daily data backup.)
It’s no wonder small businesses find data security at best a chore and at worst a giant headache, but it’s obviously a business necessity. So what straightforward products and services are out there and what should you know about them?
Times are a-changing
Not long ago, operating system and application software was shipped with embedded security technologies switched to “off” and an expectation that an IT manager with the expertise would turn them on as required. At the same time, small businesses were advised to buy security software and hardware that would guard their business networks and computers from external threats. But while these actions were, and still are, better than no solution at all, they fall short of meeting all the data security needs of businesses today.
Beyond the installation of good security technologies, the nature of today’s data security attacks means there is now a need to use data security specialists who know exactly where and how each set of technologies should be applied – and which products have been designed with data security in mind from the outset.
“As a company, we have moved to a ‘security culture’ – our motto is now ‘ship it right and ship it secure’,” says Stephen Toulouse, group product manager for Microsoft’s Trustworthy Computer Group.
Speaking from Seattle in May, Toulouse says Microsoft placed security software developers on campus from the outset of Microsoft Vista development and built security software into the Vista kernel which detects and blocks attempts at unauthorised modifications by kernel hackers.
“One of the most important things for any software developer to think about when they sit down and make the product is how that product might be misused,” says Toulouse.
Some businesses now employ IT managers to manage existing and new data security vulnerabilities, while others use IT consultants and even telecommunications providers to provide direction and advice. Most security software specialists have a network of resellers trained in data security consulting and planning as well as in the correct implementation of security technologies, and they encourage small businesses to consult with these resellers (see sidebox for recommendations).
Some security brands only rely on resellers. One example is Trend Micro, a data security brand not sold through consumer electronics stores.
“All our small business product sales go through a combination of small resellers and larger value resellers. We are trying to enable our channel partners and have them using our products themselves,” says Dave Patnaik, small business director for Trend Micro New Zealand.
A less common but growing trend is to outsource all data security management. This approach is better suited to small businesses that don’t employ dedicated IT staff. However, even large organisations sometimes outsource data security management to enable them to focus on core business, or simply because their data security needs are particularly complex.
Scott McKinnel, country manager for Check Point Software Technologies, says a managed security service “is the way to go” and about 30 percent of its enterprise and medium sized business customers now access a managed data security service via reseller partners. However, the quality of a managed service depends on reseller quality and training, says McKinnel, and many smaller resellers begin to experience growing pains once they reach a service management threshold. As such, he says telecommunications companies are probably the best positioned to deliver a managed data security service, and Check Point is “in talks” with New Zealand telcos to see whether this can be achieved.
“Without a telco, how do you provide a managed [data security] service to 1300 business customers in Invercargill? Big telcos are trusted small business advisors with points of presence all over New Zealand,” says McKinnel.
Security software
Although security software and hardware forms only part of an overall data security solution, it’s an important part and there are some very good products on the market. Fairly new to the security application scene is Microsoft, which in addition to building security features into core operating systems and applications, recently released a brand of ‘off the shelf’ consumer security software, called ‘Windows Live OneCare’.
OneCare is highly automated – the message is that home users just install it, subscribe to the online security and update service, and forget it. OneCare is also a good basic software product for home-based and non-networked small businesses because it works with the Windows XP Service Pack 2 operating systems and Vista. It can also automate general maintenance tasks such as backing up photos, music and files or de-fragmenting the hard drive to increase PC performance.
“OneCare guards against viruses, spyware, phishing scams and other security threats and handles a variety of essential PC care practices so customers can have peace of mind,” says Brett Roberts, director of innovation at Microsoft New Zealand.
Robert Pregnell, regional product marketing manager for Symantec End Point Security Solutions, says Symantec also recognises that handheld devices and smart phones should be considered “just PCs” when it comes to data security. Towards this, Symantec recently released a product called Symantec Mobile Security Suite 5.0, which resides on smart phone devices running the Symbian, Windows Mobile or Palm operating systems. It provides file encryption and remote data deletion in the event of loss or theft. The software is automatically kept up to date via wireless downloads and because mobile data downloads can be expensive, users and network administrators can configure the software to run a finite number of updates over a set time period.
On the email front, Secure Computing’s Krieger says minimising risk is the name of the game and there needs to be ongoing email policy enforcement, staff education and training along practical email guidelines.
Shane Webb, a former police officer and now a director of messaging security provider Secure Messaging New Zealand, says businesses can also use a secure electronic messaging service in which business email is hosted online and messages stored within a secure messaging server. (This is often housed within the IT network of a large IT solutions provider – Secure Messaging NZ uses the network of Fujitsu Australia.)
To access email, the sender logs into the secure messaging server online and composes an email message. This is encrypted and held while the intended recipient receives a notification to their standard email address advising that a secure message awaits them. A direct online link to the server and message is provided.
Webb says that, unlike older secure email service models, only one person is required to be a registered user of the secure messaging service, yet all emails and replies composed from the secure server are encrypted and protected.
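Because the recipient needs no account in this model, the link in the notification is the only credential protecting the held message. The following Python sketch of the hold-and-notify step is an added example, not Secure Messaging NZ's code; the host name, link lifetime, class and function names are assumptions, and the message body is taken as already encrypted before it reaches the store.

```python
import hashlib
import hmac
import secrets
import time

BASE_URL = "https://secure-mail.example/m/"  # placeholder host (assumption)
LINK_TTL = 7 * 24 * 3600                     # link lifetime in seconds (assumption)

class SecureMessageStore:
    """Holds messages server-side; only a link travels by ordinary email."""

    def __init__(self):
        self._held = {}  # message id -> held record

    def compose(self, sender, recipient, ciphertext, now=None):
        """Hold an already-encrypted message; return the notification email."""
        now = time.time() if now is None else now
        msg_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)  # 256-bit unguessable link secret
        self._held[msg_id] = {
            "recipient": recipient,
            "ciphertext": ciphertext,
            # Keep only a hash, so a leaked store does not yield working links.
            "token_hash": hashlib.sha256(token.encode()).digest(),
            "expires": now + LINK_TTL,
        }
        # The notification carries the link and never the message content.
        return {
            "to": recipient,
            "subject": "A secure message awaits you",
            "body": f"{sender} sent you a secure message: {BASE_URL}{msg_id}?t={token}",
        }

    def retrieve(self, msg_id, token, now=None):
        """Return the held ciphertext for a valid, unexpired link, else None."""
        now = time.time() if now is None else now
        rec = self._held.get(msg_id)
        if rec is None or now > rec["expires"]:
            return None
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison avoids leaking how much of a guess matched.
        ok = hmac.compare_digest(presented, rec["token_hash"])
        return rec["ciphertext"] if ok else None

def parse_link(notification):
    """Pull (msg_id, token) out of the notification, as following the link would."""
    url = notification["body"].rsplit(" ", 1)[-1]
    msg_id, token = url[len(BASE_URL):].split("?t=", 1)
    return msg_id, token
```
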
Kevin Swainson, brand manager networking and security for IT supplier Renaissance, says providing easy-to-understand, ‘one point’ security solutions is important for small businesses which “don’t really want to know all the detail”.
Renaissance markets the SonicWall brand of ‘unified threat management’ firewall software and also distributes the McAfee brand of security software.
Like many security software specialists, Swainson believes most small business data security threats are caused by insecure wireless networks.
“It amazes me how easy it is to go down to a consumer electronics store and purchase a wireless access point that is then plugged into a business network. All the keys and access points are typically left open and it’s quite a big call to expect the average small business user to lock all that down,” he says.
Instead, he recommends businesses seek the help of a data security professional to ensure the relevant keys are switched on within wireless access points and that there is ongoing monitoring of traffic to ensure someone else is not using the business’s bandwidth.
Vikki Bland is an Auckland-based specialist IT writer.