Your 5-step IT security parachute
Bill Bennett went to five IT security experts to determine the five easiest, most affordable, steps you can take right now to secure your business.
Online criminals can attack from anywhere in the world and at any time. New Zealand is in their sights. Like all criminals, they look for easy targets – which means the technology equivalents of unlocked doors, unprotected buildings and unguarded valuables.
The scale of the problem is enormous. Security specialist Symantec reports cybercrime cost New Zealanders $257 million in 2015. The online attacks affected 856,000 people – roughly one in five of the population. And these are just the crimes we know about; many more go undetected.
All businesses are vulnerable. PwC Research found over half of all New Zealand businesses face an online attack at least once a year. Most businesses, especially smaller companies, don’t have an IT security strategy of any description.
Make sure your business isn’t easy pickings. Online thieves, blackmailers, con-artists and ransom hunters always look for low-hanging fruit.
That means not ignoring the problem and not skimping on the cost. After all, your entire business might be at stake. As Chillisoft director Geoff Cossey says: “If you go parachuting, you don’t go into a parachute shop and ask what they have going cheap”.
It’s best to get professional help with security – make that your longer-term plan. In the meantime, we asked five security experts to provide affordable, simple measures you can take now.
1. Be smarter about passwords
Cloud computing is now centre stage. That means we use a lot more passwords as we log on to online services. It’s not unusual to have dozens, even hundreds of online accounts, each with a password.
Rich Chetwynd is founder of ThisData, a New Zealand online protection specialist. He says: “The thing that is going to save your bacon is a password manager”. A password manager is software that remembers passwords and helps you pick safe ones.
Chetwynd says people often use the same password more than once. That’s dangerous. If criminals get your password from one breached site, they can access everything else. They may get at your email and bank accounts. Even if you change your basic password a little for each site, it is easy for crooks to guess your passwords.
Password managers generate random gobbledegook passwords that are impossible to guess. That’s important. Chetwynd says if you use a real word, sooner or later the criminals will find it, while generated, complex passwords are much harder to crack.
Top password managers include 1Password and Lastpass. The basic versions are free. You pay more for features like being able to share passwords between devices.
Some popular security software packages include password managers.
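To make the reuse problem concrete, here is an added example (not from the article or from any product it names) that audits a set of your own passwords for exact reuse and for "same base, small tweak" variants, and generates a random replacement the way a password manager would. The vault contents, the function names and the 0.7 similarity threshold are all assumptions made for illustration.

```python
import math
import secrets
import string
from difflib import SequenceMatcher

# 94 printable symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=20):
    """Random password drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)

def find_reuse(vault, threshold=0.7):
    """Return (site_a, site_b, kind) for identical or near-identical passwords.

    'variant' means the two passwords share most of their characters once
    case is ignored, which is what tweaking a base password per site produces.
    """
    findings = []
    sites = sorted(vault)
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            if vault[a] == vault[b]:
                findings.append((a, b, "identical"))
                continue
            ratio = SequenceMatcher(None, vault[a].lower(), vault[b].lower()).ratio()
            if ratio >= threshold:
                findings.append((a, b, "variant"))
    return findings

# Constructed sample data: one base password reused and tweaked,
# plus one generated password that shares nothing with the others.
SAMPLE_VAULT = {
    "bank": "Kiwifruit2016!",
    "email": "Kiwifruit2016!",
    "shop": "kiwifruit2016#shop",
    "forum": generate_password(),
}

if __name__ == "__main__":
    for a, b, kind in find_reuse(SAMPLE_VAULT):
        print(f"{a} / {b}: {kind}")
    print(f"20 random characters = {entropy_bits(20):.0f} bits of entropy")
```

Every account flagged here falls together if any one of them is breached; the generated password is never flagged because it has no base to share.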
2. Say yes to two-factor authentication
Better passwords are a good start; two-factor authentication makes you safer again. Chillisoft’s Geoff Cossey says: “Risks are multiplying faster than ever. You should take any simple opportunity to boost security. Two-factor authentication or one-time passwords are simple.”
Security specialist Chillisoft sells software allowing companies to set up their own two-factor authentication or one-time passwords. “You may have used bank security tokens or dongles in the past. Two-factor and one-time passwords work the same,” says Cossey. “They mean you’re still safe even if someone gets your passwords. Once you’ve used it once, you get how it works and will keep on using it.”
Online services like Google, Twitter and WordPress have free built-in two-factor authentication. You log on, then get a message, maybe a text on your phone, telling you to enter another code. Some use email or apps like Google Authenticator. Cossey says he uses the latter for safe access to the back end of his company’s website and email.
3. Practice wise Wi-Fi
Most office Wi-Fi networks use encryption, so others can’t listen in. Patrick Devlin says most public Wi-Fi networks do not. Devlin is the ANZ managing director of Ruckus Wireless, a Wi-Fi hardware company. He says that doesn’t just open you to risks, it can also expose those at the other end of your communications.
Devlin says it’s safer connecting to a website with an HTTPS connection. In effect HTTPS gives you a secure, encrypted tunnel from your device to the site. “Most browsers will give you a locked symbol telling you the link is encrypted. This should also be a reminder to put HTTPS on your own site for your safety and your customers’ safety.”
An alternative is to use a VPN (virtual private network). This is another way of creating an encrypted tunnel to the site at the other end. He says in the past these were hard to use and expensive, but that’s no longer the case with VPN companies now targeting consumers.
Devlin says be wary of free Wi-Fi in busy places like airports or public transport hubs. “As a rule, the easier it is to connect to an unknown network, the more likely it is a security risk.”
4. When devices are beyond your control
“Unless you put solid security in place, you have no control over what others working with you do with their own devices, even if they use them to access your services and systems,” warns Trend Micro senior security architect Peter Benson. This might put you at risk.
He says one approach is to buy security software for employees, contractors and co-workers, and believes most people will use the tools if given them.
Benson says the biggest risk comes from Android phones, because users can install apps from anywhere. Getting risky apps onto an iPhone is harder.
He says if you use Office 365, Dropbox, Google Drive or other online services it pays to find a cloud app security broker. “Shared data makes it easier for malware to spread. You need tools with advanced sandboxing to stop it,” he says.
Benson also suggests investing in a Virtual Mobile Infrastructure. “This means you’re not actually putting data on a phone, people using it are effectively looking at a screen shot or an image of data and it can’t do any harm.”
5. Don’t fall prey to ransomware
One of the nastiest new trends is ransomware – software that locks up your computer and data until you pay blackmailers a hefty fee. Mark Shaw from Symantec, a security software company, says the first step to avoiding the problem is being aware it exists.
He says the most popular entry point for ransomware is in an email that looks like it comes from a trusted brand, maybe a bank or government department.
“People feel stupid when they’re subjected to ransomware, they often don’t call for help. The criminals exploit this. The best way to minimise the risk is to make regular back-ups of data so you can recover if something happens. That way, if you’re attacked you can just buy another computer, then download your back-up from the cloud.
“Then you need to protect what security people call the end-points: that’s your computers and phones. The best security software companies keep their products up-to-date. That will protect you from most threats.”
Shaw says staff training is the key. “You need to make everyone you work with aware of the risk; that way they are more likely to make the right decision at the right time and not let the malware into your systems.”