Although rapidly changing information technology delivers countless benefits, it also brings new security risks that can harm businesses that are not prepared. We mostly hear about security breaches and attacks against large corporations and government departments, but small to medium businesses are just as vulnerable and face similar IT security risks. There are a number of preventive steps organisations can take to increase their cyber security in a rapidly changing world. The key is to know the threats and be prepared to deal with them.
Changing business processes and IT demands are raising security issues. While threats are becoming more targeted against individuals, employees are being allowed to use home PCs, smart phones and consumer-grade applications for business purposes. They are also using social networks, such as LinkedIn and Twitter, while on the job. The trend towards working on unmanaged PCs, smart phones and social networks is complicating the security challenges.
One implication of these developments has been the growth of ‘spear-phishing’ attacks – where the attacker targets an organisation by researching and finding email addresses of key personnel who are likely to work with sensitive documents and have higher levels of permission on the file server. Cyber criminals can use information found online – such as Facebook and LinkedIn profiles – to create customised emails that seem real to the user, who is tricked into downloading malicious software from infected web pages or attachments.
Another technique attackers use is to send spoofed emails that appear to come from social networking sites, announcing the latest pictures or updates from contacts. Clicking on the link in the fake email can result in a security breach.
The low-tech solution is to be more diligent and suspicious of emails, even if they seem real. If you receive an email about the latest updates from a social networking site, you can enter through the login page instead of clicking the link. Some experts advise never clicking on links in emails, even if you believe they are from trusted sources.
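The same suspicion can be applied automatically to mail that claims to come from a social networking site. The following is an added example, not part of the original article: it flags a notification whose sender address or links do not belong to the site named in the From display name. The `TRUSTED` mapping, the function names and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brands staff get notifications from, mapped to the real domain.
TRUSTED = {"linkedin": "linkedin.com", "twitter": "twitter.com"}

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def in_domain(host, domain):  # exact match or true subdomain only
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_notification(raw):
    """Return reasons why a brand-named notification email looks spoofed."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    brand = next((b for b in TRUSTED if b in display.lower()), None)
    if brand is None:
        return []  # does not claim to be from a listed site
    domain, findings = TRUSTED[brand], []
    if not in_domain(addr.rpartition("@")[2], domain):
        findings.append(f"sender {addr} is not at {domain}")
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            collector.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    for href in collector.links:
        url = urlsplit(href)
        if url.scheme in ("http", "https") and not in_domain(url.hostname, domain):
            findings.append(f"link goes to {url.hostname}, not {domain}")
    return findings

# Constructed sample messages (reserved .test domains), not real traffic.
SPOOFED = """\
From: "LinkedIn Updates" <notify@linkedin.com.mail-example.test>
Content-Type: text/html

<a href="http://linkedin.com.photos-example.test/login">View pictures</a>
"""
GENUINE = SPOOFED.replace(".mail-example.test", "").replace(
    "http://linkedin.com.photos-example.test", "https://www.linkedin.com")
```

The From header itself can be forged, so a matching sender address is not proof of authenticity; the link check is the more telling of the two.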
Raising employee awareness of the risks can only go so far. Small to medium businesses need to work behind the scenes to increase IT security.
The first step is to make sure you are up to date with your security updates, a process often called patching. Make sure that Microsoft Update is activated so that you can receive Microsoft Office updates as they are released. Adobe Flash and PDF Reader are other applications that should be updated regularly. If unsure whether you are up to date, there are products available that scan all software and report missing security patches. Outdated servers that can no longer be patched, or that work only when security is disabled, are risky and should be isolated on a separate network.
It’s also important to have regular security assessments to determine the risks, and how they are being addressed. The architecture of internet-connected networks and internal networks needs to be reviewed, along with how access to these is controlled. The rapid change in technology means that these assessments need to be undertaken quarterly for at-risk systems that are connected to the internet.
Function-specific custom web applications used for critical business-to-business and business-to-consumer solutions need to be tested regularly to ensure that data integrity is maintained. Of particular concern are peer-to-peer (P2P) networks. There have been many recent cases where sensitive and confidential data has been publicly available on commercial P2P networks.
Other areas that need to be considered in a security assessment are wireless technologies and remote access to the network by employees, sub-contractors and suppliers. These need to be reviewed to ensure that the right people have access only to data they are authorised to use.
The rapidly changing world of information technology makes it necessary to take preventive steps to keep data secure. As hackers and scammers adapt to changes quickly, IT departments need to keep up by having the latest patches and assessing security regularly.