Keeping out IT intruders
Article Date: Oct 01 2004Picture this. Someone is trying to steal your data and vandalise your business. True. You can prevent this.
Earlier this month, online payment service Worldpay hit the headlines for all the wrong reasons. It became the latest victim of a malicious distributed denial of service attack, whereby its website was bombarded with enough traffic to render it inoperable.
This affected thousands of customers and one week on, problems persisted, with transactions taking longer than normal to process. More worrying though, is that this marked the second time in the space of a year that Worldpay has been the target of such an attack.
‘Our ability to deliver service to customers has been adversely affected as a result and we apologise unreservedly to our customers for any inconvenience,’ commented a spokesman.
Theft is on the up
Hardly comforting words. But Worldpay is not alone. Keeping the thieves and vandals at bay is a top priority for any business. IT systems are now more under threat than ever before from malicious attacks, hackers, viruses and data theft.
According to security firm Symantec, 30,000 PCs a day are being hacked into globally. Small businesses had a significantly higher targeted attack rate this year than during 2003.
But business owners and CEOs are sleepwalking into a nightmare. Less than a quarter of those surveyed saw the threat of someone stealing confidential company information as a primary concern, even though over half of respondents admitted that the theft or loss of customer or supplier data would have an extreme impact on their business.
Hackers are one step ahead
One of the problems to address is the speed and proliferation at which new technologies enter the marketplace. The rise in remote working and virtual private networks (VPNs) has also made it easier for data to be hacked into. All information travelling over the internet can be easily intercepted. (VPN is a private data network that makes use of a public network, such as the internet, whereby encryption permits VPN users to send data, secure in the knowledge that it will be difficult to be intercepted/read by unauthorised users.)
According to RSA, a provider of security solutions to SMEs, the time it takes to notice a vulnerability in your IT systems is about six hours – but it takes a lot longer than that to respond. Conversely, the time to infect a network is getting shorter and shorter.
‘When the boom in broadband kicked off, firewalls were not installed as the norm, which was a mistake. There is now a significant percentage of companies that do not have a firewall or keep it up to date. It used to take two hours to infect a broadband connection – it now takes 20 minutes,’ comments Jim Norton, senior policy adviser to the Institute of Directors.
John Schwarz, president and chief operating officer at Symantec, believes that companies will always be at risk from security attacks, with an average of 400 new viruses and 250 new vulnerabilities exposed each week on a global basis.
‘Hackers are very adaptable. What we can do is minimise threats, and make it so that the cost of the attacks will outweigh the benefits, making it unproductive,’ he comments.
Education is prevention
Norton believes that training, rather than money, is the issue when it comes to companies formulating an IT security strategy.
‘If owner-managers are presented with a straightforward system, they will buy into it. But they don’t want a structure with lots of manual maintenance – small businesses may be vulnerable but they are also hard-nosed,’ he adds.
One solution may be to take a long hard look at the level of awareness of security issues within your organisation – people who use information must be trained in good practice. As Jeremy Ward, consultant on operational risk management at Symantec outlines, 80 per cent of good practice can be achieved by better understanding, amongst staff, of the nature and threat of security issues.
‘Security has been given a poor brand image – it is seen as something that prevents you from doing things, rather than helping you. Those of us in the game would say that security isn’t something you buy and sell, but something you have to live,’ comments Ward.
Eradicate mistakes
Ward adds that people make mistakes, with statistics showing that the majority of IT security problems are caused by employees, not malicious hackers.
‘Companies can do 90 per cent of what should be done themselves. It’s a lot easier to protect your systems from an attack than to recover from one,’ he stresses.
This is a view echoed by Alan Cornwell, chief executive officer of document protection company Sealed Media.
‘Educating your employees in the use of technology is a key ingredient. Identify who has access to information, and what those individuals will be doing with it. Determine what rights they have. A lot of companies forget that the core asset they have is the information flying around and I don’t think they protect it enough,’ believes Cornwell.
PROTECTING YOUR IT ASSETS – A step-by-step approach
Step 1
At the most basic level, anti-virus software should be installed on every computer on a network. Be warned however, that with the rise in the number of viruses in circulation, your anti-virus software will need to be regularly updated.
‘Anti-virus looks at actual data and protects against malicious ones that come through. But there are other ways that hackers can get in so you need to have intrusion detection systems in place,’ advises Avner Pelag, products and services director at managed IT services provider hSo.
Step 2
A firewall will go some way towards blocking others from hacking into your network, but it won’t stop someone who can, for example, guess a password or protect against a vulnerability if it has been opened from within your organisation.
Step 3
Ultimately, the best way to protect your systems is to make it hard for hackers to access them. Ensuring that you use a password that is not easy to guess (for example, a mix of symbols alongside letters), and changing it regularly can help to dissuade hackers.
Tim Pickard, marketing director at RSA, gives the following advice: ‘Technology is only one part of the equation – you need to be able to recognise when you are under threat. Deploy effective password management, install a firewall and above all educate and train your employees.’
Step 4
Security breaches may occur because of fragmented and inconsistent efforts across company departments, so it’s important that efforts are carried out as a whole rather than in isolation.
‘Too often one department will be supportive of information security efforts, while another department within the same organisation will be resistant. Although it is neither feasible nor desirable to make everyone in an organisation familiar with the complexities of information security, it is important that there is a common agreement on a baseline policy,’ recommends Mike Small, director of the eTrust strategy at management software company Computer Associates.
Step 5
Many companies are now looking at information classification policies, to help managers and employees understand exactly what information is valuable, who has access to it and how this information can be used.
Step 6
One other solution could be to outsource your security needs – this means you do not have to commit long-term or invest heavily in a system that may not complement your business as it grows. One company that specialises in helping SMEs with disaster recovery issues is managed IT services provider hSo, whose VAULT solution offers off-site data back-up.
