Eleven tips for SMB information security

There is no shortage of news stories about internet security breaches. While the breaches at big name companies are the ones that tend to make headlines, small to medium-sized businesses (SMBs) are becoming the preferred target of cybercriminals since they are less likely to have strong security in place.

According to the Verizon 2012 Data Breach Investigations Report, in 2011 there were almost 12 times as many breaches at organisations with between 11 and 100 employees than at those with between 101 and 1000 employees, with cybercriminals choosing high-volume, low-risk attacks against weaker targets.

Although the risks are increasing, many businesses are still jeopardising their business - and business reputation - by relying on inadequate internet security that doesn’t keep pace with constantly evolving online threats.

An attack on your business could cause irreparable damage, from lost productivity and sales to a trashed brand image. According to the AVG SMB Market Landscape Report 2011, the average cost of a security breach is US$6370. This does not take into account intangible costs like sullied reputation, loss of future business, customer trust, goodwill and flight to competitors.

The potential impact of security flaws on customer perceptions - and business reputation - was borne out in the Ponemon Institute’s 2012 Consumer Study on Data Breach Notification.

It found 83% of respondents believe organisations that fail to protect their personal information are untrustworthy. It also showed customer loyalty is at risk following a security breach notification. In response to being notified of a breach by an organisation, 15% said they would end their relationship, 39% said they would consider doing so and 62% said the notification decreased their trust and confidence in the organisation.

The effects of a damaged reputation live on long after the headlines have died down. Many will recall the big breaches of 2011 and 2012:

• The online theft of 6.5 million user passwords from LinkedIn.
• More than 1.5 million Australian user accounts compromised after an attack on Sony’s global PlayStation network.
• A lost unencrypted US Space Agency laptop, containing codes that control the International Space Station, was one of 5408 computer security ‘incidents’ that resulted in unauthorised access to NASA systems or installation of malicious software in the previous two years.

Yet, despite the NASA experience, internet security is not rocket science. AVG found at least 70% of the targeted cyber intrusions commonly seen in the last year could have been easily prevented if businesses had implemented basic mitigation strategies. Verizon went even further in its 2012 Data Breach Investigations Report, saying almost every breach - 97% - was avoidable through simple or intermediate controls!

Nor are breaches restricted to the big names in the corporate world. With many large businesses now tooled up to respond quickly to cyberthreats, including employing chief security officers (CSOs), cybercriminals have turned their efforts to SMBs.

The Australian Business Assessment of Computer Use Security (ABACUS) survey from the Australian Institute of Criminology suggested a high proportion of SMBs are taking unnecessary business security risks: fewer than 1 in 10 SMBs were automatically updating their computers.

You can buy insurance to recoup some of the recovery costs from a breach - but you can’t buy your reputation. So what is needed to protect your operation - and its image - from cyberthreats?

A whole-of-business approach is necessary to constantly monitor new and emerging threats from all online channels. Businesses need to treat internet security the same way as corporate governance and brand protection. This is a boardroom issue, not simply a technology debate.

No company should be operating without stringent online safety precautions in place, particularly when effective measures are readily available. Having automatically updated, always-on antivirus and internet software running across all company computers and employees’ mobile devices is a must.

While businesses are adopting social networking as a promotional and marketing opportunity to engage customers, precautions such as web link scanning are needed to protect against associated online threats. If those precautions are absent, businesses will be left scrambling to salvage their image and reputation following an attack.

Practical steps

At the end of the day, cybersecurity is about managing both risk and reputation. Here are 11 tips to help SMBs do just that:

1. Install internet security software - According to the AVG Community Powered Threat Report, 99% of malware is delivered via the web; 90% from popular websites. More than 70% of websites with malicious code are legitimate sites that cybercriminals have infected. More than 85% of all email is spam and more than 80% of those spam emails contain malicious links. Internet security software protects you from identity theft, spyware, viruses and other malicious software.

2. Update - A disturbing number of major security threats target holes that were patched years ago, because many businesses simply don’t keep their software up to date. Keep protection updated for all computers and mobile computing devices that are brought in or taken home by staff and contractors.

3. Automate - Ensure backups occur automatically and frequently. Don’t turn automatic updates off.

4. Promote strong password management - Use passwords that are not easy to guess, are as long as possible (at least 10 characters) and which include a combination of upper and lowercase letters, numbers and symbols. User accounts need strong passwords, yet the most common password is ‘123456’, according to a Sydney Morning Herald report on the hacking of Hotmail accounts in 2009.

5. Scan first, ask questions later - As a first line of defence in social networking activity, use ‘scan before you click’ technology to ensure shared links and files are checked and safe.

6. Educate - Even with the best security software installed on all devices, you still need to educate staff about risks. Implement a robust online security policy and provide staff with written security guidelines to keep them and your business network safe. Don’t assume everyone is tech savvy. Those Nigerian and Lotto win scam emails still exist because so many people still fall victim to them.

7. Police - Beef up your security policy and enforce your robust internal policy with regular security audits.

8. Create a DMZ (de-militarised zone) - If you need to provide visitors with internet access, invest in networking equipment that provides a DMZ that will give your visitors restricted access so they can’t infect your systems, install software or log into your files.

9. Be antisocial to cybercrims - Social networking sites are not just a marketer’s new best friend; they are also the cybercriminal’s new playground. AVG research shows the top 50 social networking sites have 20,000 compromised pages containing web threats or illegal content that could harm your computer or lead to personal data. More than half of those pages were on Facebook and a third on YouTube.

10. Cover all bases - including Mac. You need proper protection for every operating system platform used by your business. The Mac and Linux/FreeBSD operating system platforms can be compromised just as easily as the Windows platform. In 2011, AVG saw a significant increase in Mac-related malware. In our experience, a platform only needs to have 10% market share to become sufficiently worthwhile to malware authors so it’s no surprise that with the number of Mac users rising, cybercriminals will now think it’s worth the effort to develop malware for that environment. Cross-platform threats also exist, as many Microsoft Word viruses work on both PC and Mac for instance. While the bad guys will target security flaws in most of the major browsers as they become aware of them, they more often target security lapses in operating systems and other utility software like Adobe Acrobat Reader, Adobe Flash and Apple iTunes.

11. Mobilise mobile device protection - A lot of malicious web-based content is specifically designed to attack smartphones and tablets, which can also be hacked over shared Wi-Fi networks. All mobile devices should be password protected and have security software installed that automatically combats viruses and malware, actively checks web pages in real time, tracks lost or stolen devices and can remotely wipe them.

Michael McKinnon is Security Advisor at AVG (AU/NZ), the distributor of AVG Technologies’ AVG internet and mobile security software in Australasia. He is passionate about security and fights on the ‘front line’ in the war against cybercrime, educating and empowering businesses and consumers to stay safe online - no matter how tech-savvy they may be.