To serve and protect
Data security might not be sexy, but it is a serious issue deserving the attention of small business owners. What’s the least a small business needs to know and who can help? By Vikki Bland.
Because the protection of business information doesn’t directly make money for a business, most small business owners are less than passionate about understanding data security threats and investing in technology tools to help protect their computers and networks. Yet ironically, business owners pay close attention to ensuring their financial accounts are accurate and up to date, even though this is another administrative task that doesn’t directly generate income. Does fear of running afoul of the IRD, the Department of Labour and employees make the difference – and if so, why doesn’t the prospect of permanent business information loss create the same anxieties? This is a mystery data security specialists have been at a loss to explain for some time. “I can’t understand how small businesses employ people to manage their accounts but take a DIY approach to data security,” says one IT service provider.

The consensus amongst the majority of security analysts and software providers we spoke to for this feature is that small business data security and backup solutions (the two should always go hand in hand) should be selected, installed, monitored, and managed by a local IT services provider. Stephen West, ANZ small business channel manager for Trend Micro, says if he had his bathroom renovated he wouldn’t be asking the plumber what colour to paint the walls, he’d ask a painter. Similarly, an IT services provider understands how to approach data security holistically throughout a business and its networks, taking into account people and business practices as well as technologies. “A small business owner is not going to call HP [or Microsoft] when they have a problem; they are going to call their local ICT service provider because they don’t know what part of their technology package is causing the problem,” says West.

The damage they do

So what are the main data security threats today and how are they reaching business systems?
Threats identified include those borne by email and, perhaps surprisingly, software telephony systems operating over a public Internet connection. General web surfing is also far from secure, with viruses, trojans and ‘data leaks’ (which describe the loss of protected information into the public domain) occurring in general business-related web searches or transactions. Recent bizarrely-named malware, including the ‘Storm worm’ and ‘Zlob’ trojan family, has the potential to cause widespread data corruption throughout a computer network, and phishing (a term used to describe the extraction of passwords and PIN numbers through emails or web sites) is also growing in sophistication. Rather than send a general email or message, phishing criminals now attempt to first steal personal identification details through other means, such as hacking into social networking sites, then use that information to convince email and web browsing recipients that correspondence and requests for information can be trusted.

The havoc regularly wreaked on computer systems throughout the country (of course many businesses think it won’t happen to them) includes losing access to applications and email for an entire week or longer, being unable to access the Internet or operate a website for days following ‘Denial of Service’ attacks, and corruption of business information so that files and folders can no longer be opened or accessed. Internally, security breaches also occur as a result of staff or ex-staff accessing information they shouldn’t, or altering spreadsheets in error. Customers and business partners may receive unauthorised emails because employees are not aware of email and information protocols, and crucial files can be accidentally or deliberately deleted. In fact, Eric Krieger, country manager for data security consultant Secure Computing New Zealand, says some of the most significant business damage occurs as a result of internal data leakage.
“Despite company policies and technological gate-keeping, businesses are not doing enough to ensure outbound emails do not include sensitive information,” says Krieger. According to a Symantec Internet Security Threat Report, theft or loss of computer or other data-storage medium made up 46 percent of all data breaches that could lead to identity theft during the period from 1st January to 30 June, 2007. “As the amount of information generated by businesses continues to increase and is stored on a growing number of end point devices that may be compromised, lost or stolen, encryption should be applied, based on policy, to help protect sensitive information and interactions as part of a larger information protection strategy,” said Brian Foster, vice president, product management, for Symantec. (If you’re wondering what on earth an end-point device is, it simply means any device that acts as an ‘end point’ for a wider business network. Examples include USB connected devices, Compact Flash memory cards, iPods, CDs, DVDs and other storage devices, laptops, and smart phones.)

Trend Micro’s West says the number of unique malware samples is ‘going bananas’. “Three or four years ago we would see 50 unique [malware] variants per day requiring immediate updates, now it’s something like 800 per hour. The growth is exponential – and phishers and spammers are making a lot more money than the security software industry,” he says. Most security analysts agree that web browsing is now riskier than email-borne spam thanks to advances in spam filters and other email management technologies. And while Microsoft’s development of a security conscious operating system – Vista – is a step in the right direction, it is not designed to replace a wider data security solution and strategy. “Vista is a seat-belt; a fantastic safety device, but it won’t stop accidents,” says West. Ben Green, Windows Business Group manager for Microsoft says that’s okay – Vista was not designed to stand alone.
However, it does have some cool security features which can only help, and are worth small businesses taking note of. These include a user account control feature, which helps prevent staff (and family members) installing unauthorised software; and BitLocker Drive Encryption, which protects the contents of a hard drive or laptop if it is stolen or misplaced. Green says Vista can also create complete PC backups, and fully restore a PC environment including operating system, installed programs, user settings, and data files. “Most bad things that happen occur while people are using web and email. If you are running Vista with Internet Explorer 7.0 in protected mode as your browser, [our research shows] you are 60 percent less likely to get malware or a virus than if you browse the web or use email without this protection mode on,” says Green.

Steps to security

Technology and software are great tools to use towards securing business information, but Mark Pullen, Australia and New Zealand country manager for IT security brand RSA, speaks for many security specialists when he says the worst thing a small business can do is to “rush out and buy a whole pile of technology” when deciding to get serious about information security. “Sit back and work out what is the most sensitive information to the business. Do a risk assessment – what is the impact of loss of information on the business; the consequences, material costs and financial impact,” says Pullen. Of course, many businesses find all their information is business critical and unable to be lost, which is a great way to realise the importance of regular data backups and security measures, says Pullen. He says risk assessments can be conducted by IT service providers but can also be DIY efforts – after all, those in the business know the value of the information better than anyone else.
Once a risk assessment is complete, Pullen says the next step is to research a managed security service provider (see the side box for a starting point list of IT service providers) who will oversee data security measures for the business and provide an online backup service. Alternatively, a telecommunications company may provide backup and security services over an Internet connection. Pullen says while it’s, of course, possible for a small business to buy their own data security technologies, including software, hardware and backup devices, it’s important to realise these technologies are one part of a much wider data security solution, and it takes skill to configure them so they work properly.

West says there’s also no need for small businesses to have data security specialists and IT service providers constantly on site – many can access a small business network and monitor data security through remote access software and a secure Internet connection. “The days of an IT guy coming in with a screwdriver and handing you a bill are gone. All of our products allow reseller remote access to the products, and the channel is used to providing these services,” says West.

Stephen MacDonald, engineering services manager for Check Point Software Technologies, says too many small businesses are locked out of enterprise data security solutions, forcing them to purchase consumer-grade data security products with a DIY approach to set up and monitoring. He says, as a result, Check Point avoids the consumer market entirely, using on-the-ground IT service providers to implement products and services. “Over the last 18 months our focus has been on secure remote access and perimeter security, as well as device encryption and centralised security management,” says MacDonald.
He says the percentage of overall business communications and transactions occurring over an Internet connection will continue to increase, as will reliance on devices used outside of a traditional network perimeter and on the other side of a network firewall – laptops, smart phones and WiFi-capable devices. “Mobile devices are the weakest link in the chain and the key message we want to get across to small businesses is that there are solutions in the market that are easily deployed and accessible,” says MacDonald.

Secure computing

Krieger agrees Internet use is the biggest threat to small business data security. “Because Web 2.0 is a very interactive world. The Internet has become the application, so protection needs to extend out to every device and [information source]. Businesses also need reporting tools that can give back information.” He says reactive technologies are outdated – even a couple of hours is too long to wait for a software programme to identify and react to a new threat. “Proactive security measures are critical because of the incidence of blended threats – for example a PDF file could be full of problems, but it passes through the firewall because it [initially] looks all right. Hackers are also becoming more sophisticated; these are not gadget kids that like to show off their skills – this is now a highly commercial business and we have to stay one step ahead of them all the time.”

Chris Barton, regional manager Australia and New Zealand for security hardware and software maker SonicWall, says hardware firewall devices on the perimeter of a network are also now necessary – security software will block viruses and malicious activity but hardware firewalls are designed to work in tandem by interacting with the security software and enforcing business security policies.
For example, a hardware firewall may isolate a remote laptop or smart phone device and require it to complete a security check before it is permitted to connect to the business network. Like most small business security solutions, Sonic products can be installed and implemented through IT consultants and service providers including telecommunications companies, says Barton. “If a small business just buys it and plugs it in, in 90 percent of cases the solution won’t be as secure as it needs to be because it has not been configured properly. Our partners have to go through a considerable amount of training with us and have to be certified,” he says. Craig Scroggie, vice president, Pacific Region for Symantec, says his company recently conducted an Internet security threat report which resulted in some interesting findings. “It’s not devices, it’s information that is most valuable to any business. Fraud and identity theft have become a significant focus for organised criminals and they are predominantly targeting public websites like social networking sites. When people put their information up there, they do so for social networking and business networking; the big sites are targeted because they are a great place to steal information from,” says Scroggie. In a now familiar piece of advice, he says Symantec encourages customers to work with small business IT specialists or online security solution providers (Symantec has an online service) to implement a tailored data security solution. “Businesses need to ask: what happens in the event that we have a problem? Do we have a business continuity and disaster recovery plan; are we backing up and testing the recoverability of our systems? And how regularly do we back up – if we did lose our information, would we have to roll back a week, a day, a year?” says Scroggie. These are critical questions: small businesses will do well to make the time to answer them now. 
Vikki Bland is an Auckland-based freelance specialist IT writer.