Five business practices that allow cybercriminals to access company data

Cybercriminals are increasingly targeting small to medium-sized businesses but threats to data security do not always come from outside the business. Companies need to embrace and adopt a lock-down process that constantly monitors for new and emerging threats from a variety of channels.

“Cybercriminals will turn your most valuable assets against you. That same internet connection you use to make financial transactions can let in a trojan horse. The iPhone and Android smartphones your workers use to communicate with each other could be used to gain access to sensitive company documents. The social media channels you use to engage customers can be hijacked and used to harm your reputation. How can you arm yourself with the digital tools you and your workforce need to succeed without those very same tools being used against you?” asks Lloyd Borrett, Security Evangelist for AVG (AU/NZ) Pty Ltd.

“Too many small business owners are letting their guard down. The very people we hire to help us succeed are very often the people that can cripple a network and bring down a business - all because they didn’t know how to exercise proper caution in their use of the web and mobile.”

1. Social networks

Most social networking activity revolves around community spirit and sharing a wide range of data including documents, music, video and links. People trust people they know. Users are more likely to click an infected link if it comes from a trusted colleague or friend.

There are two ways to help protect against this. Firstly, using 'scan before you click' will ensure shared links and files are checked and safe. Secondly, beef up your security policy. 40% of companies allow access to social networking technology, but only 23% of businesses say they have any appropriate security policies in place. Offer staff some guidelines to keep them and your business network safe.

2. Messaging and spam chat

Viruses and other malware can be hidden in files sent via instant messaging (IM), so introduce some policies to educate and control the use of IM. Some IM services link your screen name to your email address when you register. Having your email address so readily available can result in an increased number of spam and phishing attacks.

Don’t use an email address that can be easily identified by your IM username.

3. Insider threats under your nose

Although businesses might rightly be more concerned about shadowy cybercriminal outsiders, the reality is that employees are responsible for introducing the majority of malware onto company networks and thus pose a similar or even greater threat.

Background checks on potential employees - especially IT and technical staff - are essential, and high-risk businesses should consider using advanced tools to conduct criminal history and social security searches to ensure their employees are totally trustworthy. The best advice is relatively basic - trust your gut feel, educate staff on keeping their data and network safe, and enforce a robust internal security policy combined with a security audit.

4. Don't lose remote control

While preventing staff from leaking malware into a business has its challenges, staff who are allowed to access the company network remotely are even harder to control. Allowing staff to use their own smartphones, tablets and PCs for work increases the risk that malware may get inside the company network.

An obvious way to close this security hole is to prevent staff from using their own machines. Businesses could use virtualisation technology to create a virtual safe-zone within your hardware - like an embassy does in a foreign country. Whatever your approach, it is essential to establish a strong set of security controls that ensure all staff only use hardware with appropriate internet security software in place, with automatic updates working and subject to regular audit procedures.

5. USB sticks and smartphones

Plug-in memory USB sticks and portable drives are particularly good at spreading malware. They appear innocuous compared to a laptop or smartphone but can hold several gigabytes of code - some of which may be malicious. Allowing employees an unchecked option to insert these into company computers is an unnecessary risk. Email-equipped smartphones pose similar risks to company networks as do desktop computers. Smartphones can help spread malware onto other susceptible devices on the network and hackers have been known to use text messages to guide unsuspecting users onto websites containing infected code.

Removable devices can be automatically checked using business security software, or users can choose to run a manual scan before accessing any of the files on the stick. Business owners should also create policies to keep personal and business drives separate on any machine.

Borrett says, “These five doors need to be slammed shut to prevent small to medium-sized businesses from becoming the latest victims of cybercrime. Make no mistake, these businesses are a target and the threats are many.”

The AVG Small Business Security Guide provides some simple but effective steps you can take to secure your business. Plus AVG’s Business Resource Centre has a library of guides and tools that can help you protect your business from identity theft, data breaches, online banking break-ins and other computer crimes.

AVG (AU/NZ) also has a comprehensive range of security tips and video tips which can help you ensure your data security.