Interview: Protecting Your Small Business From Cybercrime


Image: José Goulão/Flickr

If you think that only bigwig companies like Google and Facebook have security problems, think again. Small businesses are also targets for hackers, phishers, sneaky employees, and others with designs to wreak havoc on company assets.

Safeguarding against these tricksters takes more than just a firewall. We caught up with Robert Gorby, the Global Head of Small Business Propositions for software security company AVG, to learn more about what small business owners need to do to stay safe.

BP: What’s the most common security threat that small businesses face?

Small business security used to be a more straightforward matter. Email was the primary channel used by external attackers and installing an anti-virus product and exercising caution when opening attachments mitigated the majority of threats.

The threat landscape has changed radically over recent years, and the Web has become the attack channel of choice for cybercriminals, who are stealthy, motivated by profit and highly skilled in web tricks and techniques. With 95% of online threats now web-based, relying on anti-virus software alone is no longer enough for businesses.

While attackers still use email, they have discovered that the Web in general provides them with a much broader range of options. Considering that the majority of small businesses are ‘internet-active’, meaning they rely on the internet to run their business (completing online transactions with suppliers & customers, storing information about customers, exchanging sensitive business information over email and IM), web-based threats are fast becoming the most common security threat faced by small businesses.

These web-based threats are growing and exist in numerous areas, including:

Social Networking Sites
While many businesses have policies preventing employees from accessing social networking sites, there is a growing number of small businesses using social networks as a cost-effective marketing and recruitment tool. So blocking them is not always the answer.

Email & Spam
Although still a popular method of attack, e-mail is a far less effective way to fool people into opening things they shouldn’t than the world wide web.

Instant Messaging
As with email, viruses and other malware can be hidden in files sent via IM. Some staff may be unfamiliar with IM, which can increase the risk that infected attachments will be clicked on, so training is a must.

Compromised business web sites
Compounding the problem is the fact that no website can be considered safe. Even small business websites (it’s not just the big brands!) are targets for cybercriminals intent on compromising sites for short periods of time (often less than 24hrs) so that they can steal data from visitors (potential customers of the business).


Image: dunkv/Flickr


BP: Is this also the most dangerous threat? If not, could you tell me what the most dangerous threat is?

Whilst web-based threats are the most common (figures cited by the World Economic Forum indicate that online theft alone in 2009 totaled around $1 trillion), small businesses should not overlook the so-called ‘insider threat’ (from disgruntled employees, contractors or business partners).

The increasingly fragmented nature of many companies means that staff, partners and even customers also present a viable concern for small businesses. Companies have become increasingly fragmented and rely increasingly on consultants and outside expertise. Other factors, such as increased mergers and acquisitions, have made some companies become increasingly volatile as they merged with competitors and adopted their staff.

Whilst they may not be as frequent, the impact of a security breach from an insider can sometimes be more dangerous for a business, given the level of access they have to the business’s information, passwords, systems and networks. So employees experiencing financial problems could use their standard business systems and resources to commit fraud.

It is important for businesses to consider the different tactics employed by either group (the cyber-criminal or insiders); however, the best overall approach is to have a robust and adaptive security strategy in place to keep pace with the fast-evolving nature of IT security, no matter where the threat originates.

BP: What can a business do about these threats?

Securing your small business from Internet malware does require some forethought and a small investment in money and time. By taking action now, however, the time and cost will be more than offset against the potential lost revenues and wasted management time in dealing with security issues that will likely otherwise occur later in your company’s lifetime. When thinking about online security for your business, consider the age-old medical adage: “prevention is better than cure”.

The essential steps to protecting your business from these threats can be broken down into three categories – Policy, Technology and Process.

Policy
1. Decide whether computers, laptops and software are to be supplied by your company, or by your staff – and reflect these decisions in your policies, purchasing and processes
2. Document a simple acceptable-use policy for any computer that is used for company business or media that is used to store or transport company data
3. Create an acceptable password-strength policy and ensure that all computers and other IT equipment are password protected
4. Require that all security incidents are promptly reported to and managed by a business stakeholder

Technology
1. Ensure all operating systems and application software are updated with the latest security patches as they are developed – preferably using automatic update technology
2. Ensure all computers have an up-to-date security software suite on them
3. Every computer should have its own firewall software, in addition to any premises-based network firewall you may be running
4. If managing your own file storage and email servers, ensure these are also running up-to-date security software

Process
1. Ensure all staff receive basic online security training and instruction in your policies
2. Ensure regular backups are taken of all company files, data, email and other systems
3. Change all passwords regularly, especially when an employee or contractor leaves the company, and in particular change administrator passwords or shared passwords to centralised networks or systems
4. Take security breaches seriously – isolate any compromised systems from the network and involve an IT security professional if necessary to ensure the malware is fully removed


Image: turtlemom4bacon/Flickr

BP: What’s one of the sneakiest social engineering tricks you’ve seen?

One of the sneakiest social engineering tricks I have seen relates to the terrible Haiti Earthquake in January this year and was uncovered by my colleague Nick Fitzgerald in our research labs. The earthquake was one of the biggest natural disasters the world has experienced in recent years and jolted many people into action to donate aid from the four corners of the world. Unfortunately, as happens with these events, many unsuspecting donors (both businesses and individuals) were conned by donation scams. This particular scam was one of the sneakiest and most offensive scams I have come across, as it not only robbed people of their donated money, but it also denied the stricken Haitians much needed cash to help survive and rebuild.

Distributed via email, it requested donations for a US charity ‘Haiti Helping Hand’. To the casual observer it looked genuine and also spoke of their work in responding to other disasters such as Hurricane Katrina. To the trained eye, it was strange that a charity that responded to Hurricane Katrina (2005) had a domain that was only registered two days after the Haiti earthquake (Jan 2010). In addition there was no ‘contact us’ section, meaning they wanted to remain anonymous. Finally, there were only two links on the page. One to the site’s privacy policy (questionable) and the other to a PayPal donation page. They clearly used PayPal as it is widely considered a trusted method for donating and paying and would encourage more people to donate.

Needless to say, donations to this site were not making their way to their intended targets in Haiti.

Translating this social engineering experience into learning for small businesses, I would recommend that businesses instil in their employees (particularly new starters) a healthy dose of ‘scepticism’ when it comes to sharing information with someone who is unknown or whose motives are suspect.
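The warning signs Gorby lists (a domain younger than the history it claims, registration days after the disaster, no contact page, a near-empty page linking to a payment processor) written up as a defender-side triage check. This is an added example, not code from the interview or from AVG; the `SiteRecord` fields, the `PAYMENT_HOSTS` list, the event dates and the sample site with its placeholder domain are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from urllib.parse import urlparse

PAYMENT_HOSTS = ("paypal.com",)  # hypothetical list of donation processors

@dataclass
class SiteRecord:
    """Facts a reviewer can gather about a donation site before giving."""
    domain: str
    domain_registered: date   # creation date from a WHOIS lookup
    claimed_responses: dict   # past disaster the site says it helped with -> its date
    has_contact_page: bool
    outbound_links: list      # every link found on the page

def _is_payment_link(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in PAYMENT_HOSTS)

def scam_indicators(site: SiteRecord, disaster_date: date, window_days: int = 30) -> list:
    """Return the warning signs present; an empty list means none fired."""
    found = []
    # A charity claiming to have responded to an earlier disaster must have existed then.
    for event, when in sorted(site.claimed_responses.items()):
        if site.domain_registered > when:
            found.append(f"domain registered after claimed response to {event}")
    # A domain created in the days right after the disaster it now solicits for.
    age_days = (site.domain_registered - disaster_date).days
    if 0 <= age_days <= window_days:
        found.append(f"domain registered {age_days} days after the disaster")
    # No way to reach the organisation.
    if not site.has_contact_page:
        found.append("no contact page")
    # A thin page whose only real destination is a payment processor.
    if len(site.outbound_links) <= 2 and any(map(_is_payment_link, site.outbound_links)):
        found.append("almost no links apart from a payment processor")
    return found

# Constructed record mirroring the site described above (placeholder domain, not the real one).
HAITI_QUAKE = date(2010, 1, 12)
SUSPECT = SiteRecord(
    domain="haiti-helping-hand.example",
    domain_registered=HAITI_QUAKE + timedelta(days=2),
    claimed_responses={"Hurricane Katrina": date(2005, 8, 29)},
    has_contact_page=False,
    outbound_links=["https://haiti-helping-hand.example/privacy",
                    "https://www.paypal.com/donate"],
)

print(scam_indicators(SUSPECT, HAITI_QUAKE))  # four warning signs
```

The same function returns an empty list for a long-registered site with a contact page and a normal number of links, so it can sit in a pre-donation checklist rather than blocking every processor link outright.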

Note from Robert: To find out more about what small businesses like about AVG’s solutions, see our AVG At Work site.

Written by Drea Knufken

Currently, I create and execute content- and PR strategies for clients, including thought leadership and messaging. I also ghostwrite and produce press releases, white papers, case studies and other collateral.