Thursday 25 September 2014

Cyber Security Pains Small Business

From pizza and wine shops to doctors' and dentists' surgeries, small businesses are falling victim to data theft, credit card fraud and the many other forms of digital crime at an alarmingly high rate.

The key problem is one I hear time and time again: business owners think of computer and data security as a problem that mostly involves hackers who only target large firms. This is simply not the case. Far more small firms are hacked than large ones. Why? Because they are easy targets.

Yet hacking is only part of the problem. Disgruntled suppliers have been known to steal data to sell it, and disgruntled employees use the same data to secure better jobs and, of course, to cause their ex-employer pain. Thieves make off with desktop computers, laptops, mobile devices and so on, all of them holding information, and often the owner is more worried about that information becoming public than about the loss of the hardware. Let's look at an example.

Health Club and Spa
The owner is a very hard-working gentleman who was adamant that no one would attack him because he has nothing of value. The club has more than 500 members, with detailed health data on every one of them. At a modest £100 per record, that data alone is worth £50k.

Then there is the card data. The vast majority of those 500 members will have paid by credit or debit card. If we take a conservative figure and say 75% used a card, that is 375 card records just for the members. The club also has an onsite cafe and bar, and a number of networking groups frequent the establishment. Staying conservative, let's add another 500 card records, so we are now at 875. At a simple £30 per card record, that is another £26,250.

The club likes to engage with its members socially and is very active on Twitter and Facebook. Over the past year we have seen more and more businesses attacked for the social media details of their connections, with large Twitter accounts becoming prime targets.

Put simply, the club is a goldmine of information waiting to be picked, and with a WiFi network still protected by WEP (an encryption scheme that has been publicly broken since 2001 and can be cracked in minutes with freely available tools) and live network ports in public areas, it is yet another business waiting to be breached.
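To show why "insecure WEP WiFi" is not a theoretical worry, here is an added example (my code, not the original post's) that models the flaw at the heart of WEP: every frame is encrypted with RC4 under a key made of a 3-byte IV, sent in the clear, plus the shared network key. The IV space is only 2^24, so IVs repeat quickly, and two frames encrypted under the same IV share a keystream, which means an attacker who knows (or can guess) the contents of one frame can read the other without ever learning the WiFi key. The network key, IV and frame contents below are constructed for the demonstration; the real WEP integrity check (CRC-32) is omitted because it does not change the keystream-reuse argument. The same point underlies control 2 below: "encrypted" has to mean WPA2, not WEP.

```python
"""Toy WEP: RC4 keystream reuse under a repeated IV (constructed example)."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling algorithm, then the pseudo-random generation loop."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame encryption: per-packet key = IV || shared key, RC4 stream XOR body.
    The 3-byte IV travels in the clear at the front of the frame."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    keystream = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv + wep_key, len(body)))


def recover_without_key(frame_a: bytes, known_plain_a: bytes, frame_b: bytes) -> bytes:
    """Attacker's view: two captured frames with the same IV and one known plaintext.
    C_a XOR P_a gives the keystream; XOR it into C_b to read P_b. No WiFi key needed."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames must share an IV for this attack")
    keystream = xor_bytes(frame_a[3:], known_plain_a)
    return xor_bytes(frame_b[3:], keystream)


def frames_for_50pct_iv_collision() -> int:
    """Birthday bound: with random 24-bit IVs, how many frames until a repeat is a coin flip.
    A busy access point sends this many frames in minutes."""
    n = 2 ** 24
    return math.ceil(math.sqrt(2 * n * math.log(2)))


# Constructed values: a 104-bit (13-byte) WEP key and two frames the club might send.
WEP_KEY = b"club-wifi-key"
IV = b"\x01\x02\x03"                           # the IV the access point happened to reuse
PLAIN_A = b"GET /members/health.csv HTTP/1.1"   # predictable traffic: a web request
PLAIN_B = b"member=0042;bp=140/90;diabetic=y"   # sensitive traffic of the same length

FRAME_A = wep_encrypt(WEP_KEY, IV, PLAIN_A)
FRAME_B = wep_encrypt(WEP_KEY, IV, PLAIN_B)

if __name__ == "__main__":
    print("legitimate decrypt :", wep_decrypt(WEP_KEY, FRAME_B))
    print("attacker, no key   :", recover_without_key(FRAME_A, PLAIN_A, FRAME_B))
    print("frames to 50% IV repeat:", frames_for_50pct_iv_collision())
```

The attacker never touches the key: the reused keystream alone exposes the second frame. Real attacks on WEP go further and recover the key itself from tens of thousands of captured frames, which is why the fix is to move the network to WPA2 rather than to rotate the WEP key.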

12 CONTROLS TO HELP KEEP YOU SAFE
1. Keep clean machines: Your computers should run the latest security software, web browsers and operating systems. This simple step is the best defence against viruses, malware and other online threats, which change constantly. Install security updates as soon as they are available and set your antivirus software to run a scan after each update.

2. Secure your Wi-Fi networks: If you have a Wi-Fi network for your workplace, make sure it uses WPA2 encryption with a long passphrase; WEP and open networks give no real protection. You can also set your wireless access point or router not to broadcast the network name, known as the Service Set Identifier (SSID), but treat that as tidiness rather than security: the name is still sent in the clear whenever a device connects, so anyone with a wireless sniffer can see it. Change the router's default administrator password, and keep any guest or customer Wi-Fi on a separate network from the one your business systems use.

3. Provide firewall security for your Internet connection: A firewall blocks connections that outsiders attempt to make to the computers on your private network. Make sure your operating system's firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home systems are protected by a firewall as well.

4. Control physical access to your computers and create user accounts for each person: Prevent access to or use of business computers by unauthorised individuals. Laptops are particularly easy targets for theft and are easily lost, so lock them up when unattended. Make sure a separate user account is created for each employee, so that actions can be traced to a person and an account can be disabled when someone leaves. Administrative privileges should only be given to trusted IT staff and key personnel.

5. Protect payment card systems and information: Work with your bank or card processor to ensure the most trusted and validated tools and anti-fraud services are being used. You may have certain security obligations under your agreements with them (typically the card industry's PCI DSS standard), so make sure you know your liabilities. Isolate payment systems from other, less secure programs and don't use the same computer to process payments and surf the Internet.

6. Limit authority to install software and access information: Don’t provide any single employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install software without permission.

7. Get tough on passwords: Require employees to use strong, unique passwords (a long passphrase beats a short "complex" one), change them every three to six months, and change them immediately if a compromise is suspected. Consider implementing multifactor authentication, which requires something beyond a password to gain entry, so that a stolen password alone is not enough.

8. Get tough on suppliers: If your supplier is providing a technology service, ask to see their latest independent security assessment report. Ask to see their ISO 27001 or IASME certificate. If they need remote access to your systems, do not just enable it and forget about it. If the supplier gets hacked and has standing access to your systems, you get hacked with them. Only enable remote access when it is actually needed, and disable it again afterwards.

9. Website: Security of your website is NOT done by the ISP or the hosting provider. If you choose a simple password for your website's administration system, expect it to be cracked (see point 7). Equally, if you outsource your website to an agency, ask to see their latest independent penetration test report for your site. If they cannot provide one, ask them why they do not take your reputation and image seriously.

10. Encrypt your laptops: It is a simple thing to do but often overlooked. If you have sensitive information on your laptops, encrypt them. Use full-disk encryption tools such as Microsoft BitLocker so that if a laptop is stolen, your data is not available to the thieves. Keep the recovery key somewhere other than on the laptop itself.

11. Update your Data Protection Registration: Revisit your Data Protection Registration with the Information Commissioner's Office (ICO) at least annually. This forces you to look at what data you actually hold in your business and keeps you in line with the Data Protection Act.

12. Get an independent security review: It is true that an ounce of prevention is better than a pound of cure. Talk to a digital security provider and find out how they can help you. You may be surprised; the cost may be a lot less than you thought it would be.
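Controls 7 and 9 above both come down to the same thing: a short, guessable password is cracked offline in no time, and the way a site stores passwords decides how fast. This added example (mine, not the original post's, and not code from any particular website product) shows a simple admin password stored the way many administration panels of the period did it (an unsalted MD5 hash) falling to a tiny wordlist, beside the hardened form: a salted, iterated key derivation with PBKDF2 and a policy check that rejects anything on a common-password list. The wordlist and passwords are constructed; real attackers use lists with hundreds of millions of entries, so the only defence is a password that is long and unique.

```python
"""Weak vs hardened password storage, plus a policy check (constructed example)."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for the huge breached-password lists attackers actually use.
COMMON_PASSWORDS = [
    "password", "letmein", "admin", "wordpress", "spa2014",
    "healthclub", "Password1", "welcome", "qwerty123",
]


def weak_store(password: str) -> str:
    """The 'before': unsalted MD5, as found in many 2014-era admin panels.
    Fast to compute, identical for identical passwords, trivially cracked offline."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(stored_hex: str, wordlist) -> Optional[str]:
    """Offline dictionary attack: hash each guess and compare. One MD5 per guess."""
    for guess in wordlist:
        if weak_store(guess) == stored_hex:
            return guess
    return None


def strong_store(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """The 'after': random per-user salt and an iterated KDF.
    The salt stops precomputed tables; the iteration count makes each guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iterations; constant-time compare."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def password_ok(password: str, wordlist, min_len: int = 14) -> Tuple[bool, str]:
    """Policy for control 7: length first, then reject anything on the common list.
    Length is what actually defeats offline guessing; forced symbol rules mostly do not."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    if password.lower() in {w.lower() for w in wordlist}:
        return False, "appears in a common-password list"
    return True, "ok"


if __name__ == "__main__":
    # A club owner picks the site's name and year as the admin password.
    stored_md5 = weak_store("spa2014")
    print("weak storage cracked as:", crack_weak(stored_md5, COMMON_PASSWORDS))

    stored_kdf = strong_store("four-elephants-skate-sideways")
    print("hardened verify (right):", strong_verify(stored_kdf, "four-elephants-skate-sideways"))
    print("hardened verify (wrong):", strong_verify(stored_kdf, "spa2014"))

    for candidate in ("Password1", "spa2014", "four-elephants-skate-sideways"):
        print(candidate, "->", password_ok(candidate, COMMON_PASSWORDS))
```

Two details matter for the hardened side. The salt must be random per user, so two staff who pick the same password get different stored values and an attacker cannot crack everyone at once. The iteration count (200,000 here) is what turns a cheap guess into an expensive one; raise it as hardware gets faster. Neither helps if the password itself is on a common list, which is why the policy check rejects those outright.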


Author - Peter Bassill
