About two decades after the ‘internet revolution’, cybercriminals are getting more daring. They are innovative too as they think ahead of their victims. Analysts say a third of small and medium enterprises (SMEs) are now falling victim of online crime. LUCAS AJANAKU writes on the risks and how to mitigate them
From the beginning of the mid-1990s, the internet began to have a tremendous impact on the way business is done. The ease with which selling of goods and services across long distances and international borders ‘with just the tap on the keyboard of the PC or a click of a mouse’ created almost endless opportunities for businesses, both large and small. This was later complemented by the telecoms revolution in Nigeria and the increasing accessibility of mobile phones and mobile internet.
With this new innovation also came opportunities for people to want to cut corners using the internet It is astonishing the various dimensions cybercrimes have taken from 419 to identity stealing and to hacking into the servers of key government security agencies, banks and others. This has become a cause of global concern to organisations such as the world’s largest anti-fraud organisation and premier provider of anti-fraud training and education, the Association of Certified Fraud Examiners (ACFE).
In his remarks to more than 2,500 anti-fraud professionals at the 24th Annual ACFE Global Fraud Conference in June last year, ACFE founder and Chairman Dr. Joseph T. Wells expressed concern over the rising attacks on even SMEs.
On the group’s website, Wells was quoted as saying having said: “We all know, or should know, that there is really no such thing as a secure computer — one that can’t be eventually hacked. We’ve all read of data thefts of millions upon millions of individual records. “Most of these are committed by international gangs, which makes them exceedingly difficult to stop and even more difficult to prosecute.
“But what is not as well known is that small business has been increasingly made a target as large organisations develop stronger controls over their networks and digital data, attacks on small enterprises have mushroomed. “What this means is that antifraud experts serving small businesses must educate them of the threat and encourage them to invest in the proper resources to reduce their vulnerabilities.”
An online cyber security platform, PC Pro, reports that the statistics for cybercrime, online fraud and data theft make for disturbing reading. It lamented that the Federation of Small Businesses (FSB) estimated the cost of cyber frauds to businesses in the UK to be £4,000 per year, with around a third of FSB members falling victim to online crimes such as malware infections, hacking attacks or data breaches.
It lamented that for the small- to medium-sized-business (SMB) owner especially, the impact of such attacks go beyond the immediate financial loss and disruption to the daily working schedule, adding that there’s loss of reputation and customer trust. Despite this, it is SMBs that have the most difficulty finding affordable and applicable security measures.
To help SMEs overcome these challenges, experts at PC Pro have charted ways out. Some of them are:
Data knowledge
Not all data is equal. The starting point for any business must be to understand what data is business-critical or sensitive. How it is used and where it is stored must be identified. The most basic of audits could be accomplished just by considering what might happen if a breach were to occur and data, such as financial data, or employee or customer records, was compromised.
Once the likely effects of data is established on business, there is need for a blueprint for business-impact levels.
“High-risk data needs to be appropriately secured, and you can devote more of your resources to ensuring it is. Just note that your job doesn’t stop there – you can’t ignore data that you’ve classified as less risky; rather, you must prioritise your security efforts accordingly,” experts said.
Easy password management
Passwords are at the core of every security policy yet ensuring that they’re secured and enforced isn’t easy. Consumers have services such as LastPass to help generate and manage their passwords, but should a business use password managers?
LastPass and other such services have enterprise versions available at a low cost per user. These offer all the basic secure-password-generation options that would be expected, with a variety of business-orientated extras: for example, one could set company-wide minimum password standards to meet one’s policy requirements, or apply customised policies to restrict access to specific devices, groups or locations.
“Then there’s Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) integration. This can import existing AD profiles, automate reporting tools to highlight weaknesses in the password security chain, and offers real-time syncing across devices to help with the rise of the Bring Your Own Device (BYOD) culture. It can be protected by a master password, which could be reset or revoked by the administrator,” PC Pro added.
Education/communication
Everyone in business must understand the company’s security policy and know why it is important to strictly adhere to it. It doesn’t need to be expensive: it could be integrated easily into the staff-induction process, and one could consider six-monthly refreshers to bring existing employees up to date with any changes – including threats of which they should be aware.
Only an hour is needed every now and then to sit with an employee to explain how security applies to their particular role and to answer any questions. Education and communication are just as important as tools against cybercrime as the computer technology used to defend the firm’s data.
However, in order to be effective, it has to be implemented from the bottom up and the top down – that is, everyone from the CEO to the summer temp needs to be on board if a security policy is to work. That doesn’t mean the same training should be given to all; the best training is tailored to the specific role of the employee and the threats they may encounter.
Encrypt or not?
It stated that of all the security tips, encryption is probably the most controversial. But it is also the most valuable in terms of data protection. It is controversial because encryption has always been seen as being the realm of the nerd and thus beyond the ken of ordinary business owners; plus there’s the small matter of convenience to consider.
Both arguments are becoming weaker as encryption technologies become easier to deploy and work with. If a laptop/storage device is lost or stolen and the data on it is encrypted, then it’s far less likely to pose a security risk to your business. However, every business needs to weigh up the protection/convenience ratio before jumping in.
The same goes for data in transit. Despite the recent Heartbleed hacking scare, it is far safer to make sure all online transactions are carried out using Secure Sockets Layer (SSL) than over an insecure connection. The best-practice advice is to investigate what encryption options are available to suit your data, devices and business usage.
They argue that the bottom line is that, from SSL and encrypted USB containers at one end of the scale to on-the-fly encryption at the other, encrypted data is more secure than data that is not.
Adopt cloud computing
While the idea of encrypting everything may be controversial, the idea of embracing the cloud technology for professional work purposes is seen by some as positively scandalous. However, the cloud could be a genuinely secure choice for most small businesses.
In particular, it makes sense if the company does not have the time or knowledge to be on top of all the security issues, and the updates and implementations it needs, because a good cloud service provider (CSP) does have time.
The experts say there is no need to be scared of the cloud for data storage or application-serving usage, since a reputable CSP will be more proactive than you at maintaining software patches and implementing security – in order to survive, CSPs have to take security seriously. They could also do so at less cost to your bottom line than you can.
The anytime/anywhere nature of cloud access even provides a good disaster-recovery route for smaller businesses. Of course, the cloud is not 100 per cent secure, and you need to think about where your data is located and who has access to it.
Get ready
An integral part of any small-business IT security strategy is a formal document that goes into proper detail – and is then kept updated, rather than stuffed in a drawer and forgotten about. It may sound tedious, but you must plan not only how to protect your data and resources, but also what to do in the event that things go wrong.
Although many SMEs assume such an IT security policy is something that only large enterprises require, they are wrong – every business, including the smallest SMB, can benefit from implementing a security policy. The trick is to understand that it is more than just a formal document to be filed away gathering dust; it should be seen as a dynamic device to help you understand what data security means to the business. You can then build a structured response to suit your needs. Think of it as a commitment to protect all the data you create and use, and an absolutely integral part of your business processes.
The best IT security policy will detail not only how to protect your data but also how to react when things go awry. Setting out an incident-response strategy when you have a calm head is far better than trying to put things right in the heat of the moment.
Frequent update, patch
“If you want your business to be secure, you need to stay up to date. Specifically, you must update all the software you use day-to-day in your business: the operating systems of all the devices, from smartphones to servers, plus the software that runs on the security systems that protect them all.
“It is a no-brainer that keeping your antivirus software up to date will ensure it offers the best possible protection, yet for many small businesses this is low on the to-do list. Security software, generally, automatically checks for and installs updates. While the same might be said of operating system updates, auto-updates are usually switched off due to the resource drain and disruption they can cause,” they said.
Larger companies have patching policies and automated patch-management systems, but these are beyond the financial and implementational reach of most SMBs. Useful alternatives include deploying scanners to run regular system checks for unpatched or vulnerable software, and then scheduling those updates during your business’s off-peak times. Doing nothing isn’t an option, especially if a patch has already been made available. Think about it: if the patch is out, then would-be attackers will be aware of the problem and will be finding ways to exploit it. Patching is relatively low-cost, especially at the smaller end of the business scale, but investing your time in it will bring invaluable rewards when it comes to security.
