The other morning at a networking breakfast a specialist underwriter addressed the group and presented some Cybercrime statistics from an Insurer’s viewpoint that might frighten the pants off a business owner.
Guest Post by David Peach, Your IT Director
To understand this problem, consider that the attack vectors are no longer just limited to your Computer. Think Smart Phone, Tablet , Laptop, Website, WiFi connections and Credit Cards. An Infected USB stick bought onsite in somebody’s pocket could bring a whole network down in seconds…. This problem is real and not going away anytime soon. Coupled with increasing legal and compliance issues associated with changes to Privacy laws (due to take effect in Australia in March 2014) the obligation on us as Business Owners to protect sensitive data is immense. It’d be fair to say that SME’s are more at risk because they don’t have a Geek army dedicated to managing security in the way Banks or Insurers might. Most are lucky if they have a part-time IT guy, so that places them at a greater risk.
How big is the problem? I can’t be sure.. it’s a moving target, but :
- In the calendar quarter ended July 2013, Mcafee reported they had discovered 14 Million new or variant malware strains – that’s about 155,000 unique discoveries every day. Not instances of attack mind you; but new viruses found in the wild…
- They estimate that this contributed to an annual $100 Billion (yes, Billion… with a ‘B’) leakage from the US economy alone in the year ending July 2013
- A different study in the UK found that less than 36% of SME’s had ‘adequate’ security provisions. How confident are you about yours?
As I listened , in my mind I was thinking.. “but it’s so straightforward to side-step these problems with a little care…” . I decided to write up some actionable steps that anybody can do that will at least minimise the risk of breach; and demonstrates diligence should your practises ever come under scrutiny.
Important note: security and convenience are at opposite ends of the spectrum. Your needs will fall somewhere between the two and your mileage may vary.
- Use anti-virus software: This is NOT NEGOTIABLE. Make sure its up to date. Your friend may tell you that he doesn’t need anti-virus on his computer because…. [insert dumb reasoning here]. Ignore that. It’s bad advice. Understand that just one wrong click could compromise his computer and all the others on his network, including yours. Don’t Risk it.
- Operating System and Application patches : APPLY THEM. If you want to lose sleep at night, ask an IT Guy about a zero-day attack. Understand that Windoze updates alone are not enough. Things like PDF viewers (Adobe, I’m looking at you…) and Java runtime are a common attack vector. Yes, I know its a pain in the bum dealing with those nagging upgrade messages… but you’ve gotta do them.
- If in doubt, chuck it out. THIS IS A CARDINAL RULE. Bad Guys will attempt to infect computers by luring users to click on a link or open an attachment. Social media has aided these miscreants to profile individuals like you. They see what you’re interested in or what you [post] then send you crafted messages, inviting you to click on something. Don’t do it; ever. Heard of the Cryptolocker Virus? Click on a link and say good-bye to ALL your data, immediately. Do not stop, Do not pass go, Do not collect $200 – you’re toast. Keystroke loggers are another favourite payload from the bad guys. They stealthily watch what you type and send your usernames and passwords to somebody in the Ukraine….
- Ignore website pop-ups: Pop-ups are the bane of our life and often contain malicious software which can trick a user into handing over personal info by verifying something that doesn’t need verifying… Be suspicious of these. If you invoke one, it might just download something in the background while appearing to do something useful in the foreground . This is known as a drive-by download. Not all pop-ups are bad and that’s the problem. Mostly, you can’t tell the difference….
- Backups: This one is simple to remember : 3-2-1 Three Copies of your data, Two different media formats; One of them offsite. If you have that, you’ve a reasonable chance of recovery from just about anything.
- Connections: If in doubt, block that connection request from an unknown person: Just say no to social media invitations from people you don’t know. It’s the on-line equivalent of inviting home the creepy guy you sat next to on the bus. You shared a bus-ride, not a connection.
- Don’t do banking on public Wi-Fi: Most Public Wi-Fi hotspots don’t encrypt information between you and the Hotspot. As your banking password leaves your laptop / iPad headed for your bank, any ‘packet sniffer’ (a programme which can intercept data) can intercept your unencrypted data. That cool looking hipster on the other side of the cafe could be your worst nightmare… If you choose to bank online on public Wi-Fi, understand you;re making public your very personal data. DONT DO IT. While you’re at it, make sure when you’re on a public Wi-Fi network that file sharing services on your computer are disabled… Ask an IT guy about a ‘man-in-the-middle’ attack – I swear you’ll never use public Wi-Fi again.
- Only shop online on secure sites: Before entering your card details, always ensure that a locked padlock or unbroken key symbol is showing somewhere in your browser. Every browser is different so find out where your browser displays it and be vigilant. Note also: the beginning of the online retailer’s internet address should change from “http” to “https” to indicate the connection is secure; but be aware that some sites then change back to http after you’ve logged in. Sneaky bastards.
- Have multiple email accounts: A bad guy who has obtained your main email password has the keys to your life. He will lock you out of your email and then retrieve and reset passwords from the other sites you use; via your main email account. While he’s poking around in there, a casual browse of your email history would probably offer up a pile of personal data: from banking to passport details, including your date of birth. With that, you’ve been ‘owned’ … Hello identity theft! Keep a separate account for your bank and other credit cards, another for shopping and one for social media. That way, If one account gets compromised, you can perhaps contain the damage.
- Don’t drink the Apple Kool-Aid. Apple and its fan-boys will have you believe that Macs don’t get viruses. Most of my clients know I’m a Mac user and as much as it pains me to say it.. the idea that Macs are somehow magically immune to malware is pure and unadulterated crap. Work from the basis that Macs are as vulnerable to malware as PCs. Once upon a time Macs were less of a target, but that is no longer the case.
- Passwords: Use different passwords for each website you use frequently: Keeping a common password for all online accounts is a lot like having the same key for all locks in your house. Understand that for a bad guy, it’s MUCH easier to get hold of your on-line ‘key’. Once he’s got that.. you’re in trouble; he can go anywhere.
- Don’t store website passwords in your browser. Especially if you’re on a laptop/tablet that could get stolen or left in a taxi. Its also been shown that Firefox, Safari and Chrome ALL store passwords in easily opened, clear text files. They’re hidden, but if you know where to look, they’re easy to compromise. Security by obscurity is not a plan… When the browser offers to save a site password, just say ‘no thanks’.
- While you’re at it never reuse your main email password. Most online users have accounts in over a dozen sites.(FacePlant, Google +, LinkedIn, Pinterest, etc etc…) Try and use clever variations or start doing some memory-enhancement exercises. Ask me. I have some tips around this (passwords that is, not memory enhancement)
- Two-step verification: If your email or cloud service offers it, take the trouble to set this up (All the major social sites do). In addition to entering your password, you’ll be required to enter a verification code sent via SMS to your phone. So a bad guy might get your password, but without verification code they’ll be stumped. While you’re at it: if the site asks you security question alike “your mother’s maiden name” – use a nonsense answer like ‘CoffeeCup’ or something. Refer Point #3 above. It’s not that hard to work out your Mum’s maiden name…
- Edit your FaceBook account settings: Remove ALL your private data – address, phone number, birthdate and any other information that could be used to betray your identity. The more the bad guys know about you, the more convincing a phishing email they can spam you with. While you’re at it, tighten your privacy settings to “friends” instead of “friends of friends”.
- Don’t store your card details on websites: Mass data security breaches haven’t been common until recently, but seem to be on the rise. Adobe’s recent breach comes to mind when millions of Credit Card numbers were stolen and re-sold. Why take that risk? The extra 90 seconds it takes to key in your card each time is a small price to pay.
- Get your website developer to prove to you that they’ve ‘hardened’ your site against things like Cross-Site Scripting Attacks, SQL Injection and other equally Geeky stuff. Often times, I see a web developer who started out life as a print designer and has graduated to ‘doing’ websites. They do pretty pictures and nice colouring in.. but they have NO IDEA about hardened code that is resistant to tampering. In a future post, I’ll talk about how to select a web developer for your site.
Ok, stepping down off my soap box now.. If you think you’ve been compromised…. That’s a whole other rant.. which I’ll spare you for today. Just speak to your Banks and Card companies in a hurry. Then get your IT guy on the case. Speed is of the essence..
Guest Post by David Peach, Your IT Director
You can reach David on [email protected] Phone: 0418 281 978