Blog

News, opinions and updates from the Virtuoso team.

Jul
04

Cyber security lessons for Law Firms

Why it's so important

For law firms the safety and security of their own and clients’ data is not only a legal and compliance requirement, it is also essential to their growth - and even survival. You only need to think of the recent  ‘Panama Papers’ hacking news story at the law firm Mossack Fonesca, which earlier this year announced it would cease trading, to appreciate just how important it is.

Continue Reading
Jun
27

Office 365 has raised the game and here’s why (Pt.2)

Part 2 – Microsoft Planner

A few weeks back we took a closer look at Microsoft’s group chat tool, Teams. This week, we’re turning our attention to Microsoft Planner which has been designed to be a user-friendly, collaborative and highly visual task management tool.

Continue Reading
Jun
20

The Advantages of Outsourcing (Part 1)

It’s no secret that contracting with an outside party to take care of certain tasks instead of hiring new employees is becoming more widespread in the modern business paradigm. Today we’re talking about outsourcing. The reason more and more businesses are getting on this bandwagon is that and it can help your business grow and save money when it's done right. This blog is the first in a series of articles to highlight the many advantages of building outsourced resources into your business model.

Continue Reading
May
25

Microsoft’s commitment to GDPR

Today (Friday 25th May), is the day when the European Union’s General Data Protection Regulation — better known as GDPR — officially takes effect. Its effects have been far reaching and you’ve no doubt been bombarded with emails from services and products you use or own because of it.

Continue Reading
May
02

Taking back your time with Windows 10

Despite some people claiming they never have enough time, we all share the same 24 hours in a day. And now, more than ever perhaps, it seems like those 24 hours are just not enough. In the digital age, people feel more overwhelmed than ever and most of us would love more time – not necessarily time to do more work, but more time to do what we love. Microsoft have recognised this and made Windows 10’s most recent updates geared towards helping you reclaim the most precious of assets – time. 

Continue Reading
Apr
16

In good company

 Virtuoso is delighted to announce that we have become a Corporate Partner of the Royal Aeronautical Society, the world’s only professional body dedicated to aerospace.

Founded in 1866 and with its HQ in Mayfair the Society promotes the highest professional standards and provides a central forum for sharing knowledge.  This is one of the reasons why Virtuoso, a much younger organisation but with a similar approach to standards and knowledge, decided to become a Corporate Partner.

Other considerations are the many briefings (open only to Corporate Partners) with a wide range of speakers and topics as well as the excellent networking opportunities these offer to our clients. The quality and range of meeting rooms and hospitality gives Virtuoso the opportunity to host customer meetings in the heart of Mayfair in surroundings that contribute to every discussion.

Continue Reading
Aug
03

Keeping Small Businesses Safe: Combating Cybercrime on a SMEs Budget

What happens on the hight street stays on the hight street

When hackers breach the security of corporations it makes headlines, yet there is rarely a mention when cybercrime hits small to medium sized enterprises (SMEs). Very few people are even aware that today’s cybercriminals are targeting SMEs, not just super-sized global businesses.

According to Verizon’s 2013 Data Breach Investigations Report, 71% of the data breaches investigated by the company’s forensic analysis unit targeted small businesses with fewer than 100 employees. Of that group, businesses with less than 10 employees were the most frequently attacked.

Everyone is a victim when it comes to cybercrime

The loss and exposure of confidential data from a cyber attack is costly to both the people victimised and the businesses whose data was compromised.

For the victim, hackers typically retrieve personal information, bank account, credit card and financial data resulting in identity fraud. The stress and time involved to reclaim their identity and get their financial house back in order is beyond measure.

Cypercrime comes at a high price for SMEs

According to research compiled by the Ponemon Institute in their 2nd Annual Cost of Cyber Crime Study, the average cost per breached record in the U.S. is anywhere between $150 to $200 and will of course be similar in the UK. This amount factors in the costs of the investigation and notification process, fixing the issue that led to the breach, possible liability and litigation costs, lost business, and the time and effort that go into damage control. In many cases, a damaged reputation may prove to be irreparable. Nearly two-thirds of victimised companies are out of business within six months of a significant cyber attack, making cybercrime the death knell for many SMEs. This is because the consequences of cybercrime extend well beyond the actual incident and have long-lasting implications.

Small businesses obviously don’t have the same financial footing to rebound and carry on with business as usual in the way organisations like Amazon, Apple, or Citibank can.

Symantec’s research found that customers affected by security breaches are generally less forgiving of smaller businesses, especially smaller online retailers, than larger companies. SMEs are contending not only with lost revenue and expenses, but also the possibility of never regaining the trust of customers, clients and business partners.

Symantec’s 2012 State of Information Survey found that nearly half of all SMEs admitted to a data breach damaging their reputation and driving customers away.

The trend of cybercriminals preying on smaller businesses doesn’t seem to be waning. According to Symantec, the number of cybercrime attacks targeting firms with fewer than 250 employees jumped from 18 percent of all attacks in 2011 to 31 percent in 2012.

Why cybercrminals are zeroing in on small business

Large corporations have the resources to invest heavily in the most sophisticated security strategies and successfully stop most cybercrime attempts. A typical large enterprise may have over twenty in- house IT dedicated employees ensuring that every device connecting to their network is adequately protected.

In comparison, SMEs have neither the money nor the manpower of large enterprises and can’t afford the same level of security. Very few SMEs have full- time IT dedicated personnel on hand to run routine security checks. Even those who do have in-house IT support often find that their internal resources are too bogged down with other tasks to properly address security upkeep.

A joint survey of 1000 SMEs conducted in September of 2013 by McAfee Internet Security and Office Depot further confirms how relaxed many SMEs are when it comes to protecting their data.

Not only have SMEs become easy prey for cybercriminals, but their sheer abundance also makes them an alluring target. In 2013, there were 4.9 million businesses in the UK, over 99% of which were small and medium enterprises. Even in a struggling economy, it’s projected that there are still an estimated 200,000 startups launching every month with only a handful of employees.

SMEs are not "too small to matter"

Since most cybercrimes affecting smaller businesses go unreported by the media, there is no sense of urgency by SMEs to prepare for cyber attacks. Too many SMEs mistakenly view their operations and data as trivial to hackers. They feel that large online retailers, global banks, and government entities are much more attractive targets for hackers.

The goals and methods of cyber attackers are evolving and will continue to evolve. The era of one “big heist” for hackers is over. Cybercriminals today often prefer to infiltrate the data of many small businesses at once, stealing from victims in tiny increments over time so as to not set off an immediate alarm. This method takes advantage of those SMEs who are especially lax with their security processes and may not even realise there has been a security breach for days or sometimes even weeks.

SMEs must end the “It will never happen to us” mindset. For instance, political “hactivists” have been responsible for a number of high-profile Denial-of-Service (DDoS) attacks in recent years. The goal of a hactivist is to disrupt the status quo and wreck havoc on the technology infrastructure of larger corporations and government entities. It’s a form of cyber anarchy: A “stick it to the man” philosophy spearheaded by groups like 4chan, Anonymous, LulzSec, and Anti- Sec.

An owner or Chief Information Officer (CIO) at a SME may read of these high publicised attacks in the press and not think anything of it. They aren’t Sony, Apple, or the Department of Defence, so why would a hactivist target their data? But it’s estimated that there are on average 1.29 DDoS attacks throughout the world every two minutes and such activity is much broader in scope than the press may lead us to believe.

SMEs- The access ramp to bigger & better data

One reason small businesses are more vulnerable is they’re often the inroad to larger better-protected entities. They are often sub-contracted as a vendor, supplier, or service provider to a larger organisation. This makes SMEs an attractive entry point for raiding the data of a larger company. Since larger enterprises have more sophisticated security processes in place to thwart cyber attacks, SMEs often unknowingly become a Trojan horse used by hackers to gain backdoor access to a bigger company’s data. There is malware specifically designed to use a SMEs website as a means to crack the database of a larger business partner.

For this reason, many potential clients or business partners may ask for specifics on how their data will be safeguarded before they sign an agreement. Some may require an independent security audit be conducted. They may also ask SMEs to fill out a legally binding questionnaire pertaining to their security practices.

An SME that is unable to prove they’re on top of their infrastructure’s security will likely lose out on potentially significant deals and business relationships. More large enterprises are being careful to vet any business partners they’re entrusting their data to.

To stay secure a good defence is the best offense

SMEs must understand that the time has come to get serious with their security. Sadly, many small businesses have a false sense of security. In the McAfee/ Office Depot joint survey of 1000 SMEs, over 66% were confident in the security of their data and devices despite admitting to obvious flaws.

Cybercrime is only one cause of compromised data. There are 3 primary causes of breached security at businesses according to the June 2013 Symantec Global Cost of a Data Breach study. Only 37% are attributed to malicious attacks. The remaining 64% are human error and technology errors.

Data breaches aren’t always about bad people doing bad things. Many are the result of good employees making mistakes or of technology failure. SMEs don’t necessarily need a large budget or dozens of employees to adequately protect sensitive data. A secure environment is possible even on a SMEs budget. Here are a few steps to improving data and network security.

STEP 1

Know all devices connection to your network

Keep a frequently updated list of every device that connects to your network. This inventory is especially important given today’s BYOD (Bring-Your-Own-Device) workplace where employees can access your network through several different devices. Knowing what these devices are and ensuring they’re all configured properly will optimise network security.

All it takes is a regularly scheduled review to add or remove any devices and affirm that every end point is secure. Much of this process can be inexpensively automated through a Mobile Device Monitoring (MDM) tool. A MDM tool will approve or quarantine any new device accessing the network, enforce encryption settings if sensitive information is stored on such a device, and remotely locate, lock, and wipe company data from lost or stolen devices.

STEP 2

Educate & train employees

Every employee should participate in regular general awareness security training. This will not only reduce security breaches directly tied to employee error or negligence but also train employees to be on the defence against cybercrime. Employees are critical to your security success and the prevention of data breaches. Hackers commonly break into networks by taking advantage of unknowing employees. Phishing attacks – legitimate looking emails specifically crafted to mislead recipients into clicking a malicious link where they’re asked to provide their username and password - are still successfully used by hackers to capture login credentials.

If a large company makes the news for a data breach tied to an infected email, be sure to share that news with employees with a warning. Come up with fun ways to teach employees how to identify spear-phishing email attempts and better secure their systems and devices.

It is also important to have a security policy written for employees that clearly identifies the best practices for internal and remote workers. For example, password security is critical and passwords should be frequently updated to a combination of numbers, lower case letters and special characters that cannot be easily guessed. Security policy training should be integrated into any new employee orientation. This policy should be updated periodically. More important than anything, this security policy must be enforced to be effective.

STEP 3

Perform an audit of sensitive business information

If you want to keep your most sensitive business information secure, it’s important to know exactly where it’s stored. A detailed quarterly audit is recommended.

STEP 4

Use Cloud and Managed Service Providers

Overall, the cloud is likely a more secure data solution for small business. Any conception that the cloud isn’t safe is outdated. Most of 2013’s security breaches were the result of lost or stolen devices, printed documents falling into the wrong hands, and employee errors leading to unintended disclosures. It’s fair to speculate that many of these breaches wouldn’t have occurred had this information been stored in the cloud rather than computers, laptops, and vulnerable servers. SMEs with limited budgets are actually enhancing their security by moving to the cloud. Since there is no way a SME can match a large enterprise’s internal services, moving services like emails, backups, and collaborative file sharing to the cloud not only reduces total-cost-of- ownership, but gives access to top-level security to better defend against internal and external threats.

Meanwhile, a Managed Service Provider (MSP) can assume responsibility for security measures like the administering of complex security devices, technical controls like firewalls, patching, antivirus software updates, intrusion-detection and log analysis systems.

MSPs are also capable of generating a branded risk report for any potential client or business partner reviewing your security measures. This third- party manual assessment of your network security can instill confidence in prospective business partners by proving to them that any possible security risks or vulnerabilities will be properly managed and addressed.

 

Continue Reading
Jul
01

Remember… Always Practice Safe BYOD

Posted by Markus McIver in Security, BYOD

No matter what blog or magazine read these days, it seems like everyone is talking about today’s increasingly mobile workforce and the BYOD (Bring-Your- Own-Device) movement.

We live in an exciting time when work can be done at any time from any place. Employees love the fact that they can get work done on their iPad as they sit poolside sipping a Pina Colada. Businesses love the cost savings along with the happier and more productive employees they’re noticing. Meanwhile, customers and clients take note that their emails are commonly answered outside traditional work hours with a “Sent from my iPhone” tagline at the bottom.

Like anything related to business technology, there are naysayers who are quick to warn that a more mobile and dispersed workforce also means increased security risks.
Do they have a point?

 

It turns out there are some very legitimate concerns but nothing that can’t be minimised, if not altogether eradicated, with the practice of safe BYOD.

Here are a few suggestions

Create a Mobile Device Security Policy

A comprehensive mobile security policy is critical. This policy must cover everything from the type of devices allowed to how and where data and files are edited, saved, and shared.  Combining this policy with a sound mobile strategy is your best bet to integrate BYOD into your workplace with minimal consequences.

Enforce this Policy

It’s good to take the time to prepare a document that outlines policy, but don’t stop there. Be sure to enforce this policy. This is especially important for small-to-midsise businesses, particularly startups that are sometimes guilty of being too laid back despite all the caffeine consumed at their in-office coffee bars. Make the following words your mantra when it comes to enforcing this policy. No Exceptions. Ever. Seriously, 41% of small businesses have a BYOD policy in place but 25% make exceptions to their own rules.

Train Employees

A BYOD plan has no chance of succeeding unless it is properly communicated to users. It’s important that each employee recognise his or her responsibilities and the repercussions of failing to follow security rules. The best defense against cyber crime will always be a knowledgeable and conscientious employee.

BYOD can give any organisation, big or small, a competitive advantage. Harness the power of BYOD by planning ahead and sticking to your plan.

Continue Reading
Tags: #Security, #BYOD
Jun
30

Why SMEs Must Proactively Address the Threat of Mobile Hacks

Posted by Markus McIver in Security

More cyber criminals are targeting small-to-medium sized businesses. One reason for this is too many workplaces have insufficient bring-your-own-device (BYOD) policies in place. Some have none at all. Although firms are generally more knowledgeable about network security risks than in years past, they still woefully underestimate the security vulnerabilities linked to mobile devices like smartphones and tablets.

This is a real cause for concern since data breaches have the ability to put many already financially challenged SMEs out of business.

If customer/client data has been breached, there could be potential litigation costs, and naturally, lost goodwill and an irreparable hit to brand or company reputation.

 

Don’t Just Say You’re Worried About the Bad Guys… Deal With Them

SMEs say they view network security as a major priority but their inaction when it comes to mobile devices paints a different picture. An April 2013 study found that only 16% of SMEs have a mobility policy in place.

Despite the fact that stolen devices are a major problem in today’s mobile workforce, only 37% of mobility policies enforced today have a clear protocol outlined for lost devices.

Even more troubling is the fact that those firms who have implemented mobility policies have initiated plans with some very obvious flaws.

Key components of a mobility policy such as personal device use, public Wi-Fi accessibility, and data transmission and storage are often omitted from many policies.

Thankfully, most SME cyber crimes can be avoided with a comprehensive mobility policy and the help of mobile endpoint mobile device management services.

A Mobility Policy Is All About Acceptable/Unacceptable Behaviours

Your initial mobility policy doesn’t have to be all encompassing. There should be room for modifications, as things will evolve over time. Start small by laying some basic usage ground rules, defining acceptable devices and protocols for setting passwords for devices and downloading third-party apps. Define what data belongs to the company and how it’s to be edited, saved, and shared. Be sure to enforce these policies and detail the repercussions for abuse.

Features of Mobile Device Management Services

MDM services are available at an affordable cost. These services help IT managers identify and monitor the mobile devices accessing their network. This centralised management makes it easier to get each device configured for business access to securely share and update documents and content. MDM services proactively secure mobile devices by:

  • Specifying password policy and enforcing encryption settings
  • Detecting and restricting tampered device
  • Remotely locating, locking, and wiping out lost or stolen devices
  • Removing corporate data from any system while leaving personal data intact
  • Enabling real time diagnosis/resolution of device, user, or app issues

It’s important to realise that no one is immune to cyber crime. The ability to identify and combat imminent threats is critical and SMEs must be proactive in implementing solid practices that accomplish just that.

Continue Reading
Tags: #Security
Jun
18

Stay Secure...More Hackers Targeting SMEs

Many SMEs don’t realise it, but the path to some grand cybercrime score of a lifetime may go right through their backdoor. SMEs are commonly vendors, suppliers, or service providers who work with much larger enterprises.

Unfortunately, they may be unaware that this makes them a prime target for hackers. Worse yet, this may be costing them new business.  Larger companies likely have their security game in check, making it difficult for hackers to crack their data. They have both the financial resources and staffing power to stay on top of security practices. But smaller firms continue to lag when it comes to security. In many cases, the gateway to accessing a large company’s info and data is through the smaller company working with them.

Exposed vulnerabilities in security can lead cybercriminals right to the larger corporation they’ve been after. Cybercriminals Target Companies with 250 or fewer employees.  In 2012, Symantec research confirmed that cybercriminals are increasingly targeting smaller businesses with 250 or fewer employees. Attacks aimed at this demographic practically doubled from the previous year. This news has made larger enterprises particularly careful about whom they do business with. This means that any SME targeting high-end B2B clients, or those seeking partnerships with large public or government entities, must be prepared to accurately answer questions pertaining to security. This requires an honest assessment of the processes taken to limit security risks.

View Security Measures as Investments

CIOs must start viewing any extra investment to enhance security as a competitive differentiator in attracting new business. Adopting the kind of security measures that large enterprises seek from third-party partners they agree to work with will inevitably pay off. The payoff will come by way of new revenue-generating business contracts that will likely surpass whatever was spent to improve security.

Would-be business partners have likely already asked for specifics about protecting the integrity of their data. Some larger entities require that SMEs complete a questionnaire addressing their security concerns. This kind of documentation can be legally binding so it’s important that answers aren’t fudged just to land new business. If you can’t answer “yes” to any question about security, find out what it takes to address that particular security concern.

Where a Managed Service Provider Comes In

Anyone who isn’t yet working with a Managed Service Provider (MSP) should consider it. First, a manual network and security assessment offers a third-party perspective that will uncover any potential business-killing security risks. A good MSP will produce a branded risk report to help you gain the confidence of prospects to win new business.   A MSP can properly manage key elements of a small company’s security plan.   This includes administrative controls like documentation, security awareness training, and audits as well as technical controls like antivirus software, firewalls, patches, and intrusion prevention. Good management alone can eliminate most security vulnerabilities and improve security.

Continue Reading
May
06

Just Because You’re Not a Big Target, Doesn’t Mean You’re Safe

Not too long ago, the New York Times’ website experienced a well-publicised attack, which raises the question – how can this happen to such a world-renowned organisation? If this can happen to the New York Times, what does this bode for the security of a small company’s website? What’s to stop someone from sending visitors of your site to an adult site or something equally offensive?


The short answer to that question is nothing. In the New York Times’ attack, the attackers changed the newspapers’ Domain Name System (DNS) records to send visitors to a Syrian website. The same type of thing can very well happen to your business website. For a clearer perspective, let’s get into the specifics of the attack and explain what DNS is.

The perpetrators of the New York Times’ attack targeted the site’s Internet DNS records. To better understand this, know that computers communicate in numbers, whereas we speak in letters. In order for us to have an easy-to-remember destination like nytimes.com, the IP address must be converted to that particular URL through DNS.

Therefore, no matter how big or small a company’s online presence is, every website is vulnerable to the same DNS hacking as the New York Times’ site.  The good news is the websites of smaller companies or organizations fly under the radar and rarely targeted. Larger targets like the New York Times, or LinkedIn, which was recently redirected to a domain sales page, are more likely targets.

For now...

There is no reason to panic and prioritize securing DNS over other things right now. But there is a belief that DNS vulnerability will be something cybercriminals pick on more often down the road.

Here are a few ways to stay safe

Select a Registrar with a Solid Reputation for Security Chances are, you purchased your domain name through a reputable registrar like GoDaddy, Bluehost, 1&1, or Dreamhost. Obviously, you need to create a strong password for when you log into the registrar to manage your site’s files.

Nonetheless, recent DNS attacks are concerning because they’re far more than the average password hack.  It was actually the security of the registrars themselves that was compromised in recent attacks. The attackers were basically able to change any DNS record in that registrar’s directory. What’s particularly frightening is the registrars attacked had solid reputations. The New York Times, along with sites like Twitter and the Huffington Post, is registered with Melbourne IT. LinkedIn, Craigslist and US Airways are registered with Network Solutions. Both had been believed to be secure.

So what else can be done?

Set Up a Registry Lock & Inquire About Other Optional Security

A registry lock makes it difficult for anyone to make even the most mundane changes to your registrar account without manual intervention by a staff registrar. This likely comes at an additional cost and not every domain registrar has it available.

Ask your registrar about registry locking and other additional security measures like two factor authentication, which requires another verifying factor in addition to your login and password, or IP address dependent logins, which limits access to your account from anywhere outside of one particular IP address.

While adding any of these extra safeguards will limit your ability to make easy account change or access your files from remote locations, it may be a worthwhile price to pay.

Continue Reading
Apr
14

Now You See It, There It... Stays: Decreasing business costs and risks of costly data loss

We live in a 24/7 global economy that is more dependent than ever on technology. Even the technology of small and medium sized businesses (SMEs) houses sensitive digital data - employee and customer information, internal emails, documents and financial records, sales orders and transaction histories. Not to mention applications and programs critical to daily business function and services.

Employees at SMEs require continuous access to the critical business data needed to meet the demands of the customers or clients they service. They even want this access while they’re at home or on the go running errands.

To satisfy this demand, many companies and organisations now allow employees to BYOD (Bring-Your-Own-Device) and “do business” using their personal  laptops, tablets and mobile phones. The web, Wi-Fi networks and mobile devices with robust memory and battery life have made this constant access to a SMEs back office infrastructure a reality. Regrettably this flexibility and freedom is accompanied by an ominous risk of data loss.

Just a single data loss or breach can be costly to SMEs. Data losses and leaks come with lingering continuous costs that many SMEs cannot easily shake or overcome. Revenue is lost if employee productivity and customer accessibility/ service are stalled by data loss. The expenses associated with internal research and investigation, system repair and maintenance, and data security protection are another heavy price SMEs must pay. If cybercrime is involved, affected customers must be notified, the potential exists for litigation, and many customers will likely never return due to mistrust.

While corporate-level data losses are well publicised, many SMEs mistakenly believe their data isn’t at risk. This mistake can prove to be a costly one.

 

Why C-Suite Management at SMEs Can No Longer Ignore Data Loss

▪ Following a significant data loss, it is estimated that SMEs can lose up to 25% in daily revenue by the end of the first week.

▪ According to the National Archives & Records Administration in Washington, 93% of companies that have experienced data loss, and  prolonged downtime for ten or more days have filed for bankruptcy within twelve  months of the incident. 50% wasted no time and filed for bankruptcy  immediately. 43% of companies with no data recovery and business continuity plan actually go out of business following a major data loss.

How quickly can your business be restored if critical data is lost? When was the last time backup processes were tested to ensure all data is recoverable and business operations are quickly restored?

▪ A survey conducted by Symantec SME revealed that fewer than half of SMEs surveyed backup their data each week. Only 23% of those surveyed said they backup data every day and have a business continuity plan in place.

▪ The percentage of cybercriminal attacks targeting businesses with fewer than 250 employees doubled in 2012. The vulnerabilities of naive small business owners have been noted, and hackers have now placed the proverbial bull’s-eye on these perceived weak links. If sensitive customer data is leaked, SMEs may face overwhelming financial liabilities, which could include reimbursing affected customers and legal fees.

▪ BYOD isn’t a trend or passing fad. It is here to stay and the fact of the matter is businesses no longer own the devices used by employees. This is unprecedented. It’s not as if the employees of yesterday could haul home their file cabinets and desk. This obviously comes with a number of data security risks. The number of networks, applications, and end points where data can be accessed has multiplied with BYOD. Who manages these devices? Who secures these devices? Do SMEs have the right to back up data on machines they do not own? If an employee loses a laptop, or goes AWOL on the company, what data do they have and does anyone else in the company have access to it?

 

Management Is On Notice

Businesses today are playing on a much bigger playing field than they were two decades ago. Any SME that trusts the security and backup of critical business data with a limited and overburdened in-house IT team, or forsakes internal IT support altogether for emergency on- call help when things go bad (Break/Fix Mentality), is playing with fire and begging to be burned.

Any disruptive or invasive technological event - even the smallest of incidents - can have an amplified impact on day-to-day business and profitability. Being proactive with data recovery solutions, and having emergency response procedures in place prior to a disruption or data disaster, is the only way to get critical data restored immediately to the data centre, minimise downtime, protect customer and client data and soften the impact of such events.

 

Data Security Threats Every SME Must Be Aware Of

Human Error and Employee Negligence

Human error, by way of unintentional data deletion, modification, and overwrites, has become much more prevalent in recent years. Much of this is the result of carelessly managed virtualisation technology. Virtualisation and cloud computing have enabled improved business continuity by allowing entire servers – including all data, operating systems, applications, and patches to be grouped into one software bundle or virtual server and subsequently backed up. The catch is humans must still instruct this technology how to perform, which is why so much of today’s data loss is linked to human error.

The complexity of these systems often presents a learning curve that involves quite a bit of trial by error. For example, a support engineer can accidentally overwrite his backup when he forgets to power off his replication software prior to formatting volumes on the primary site.

While most CIOs at SMEs are generally accepting and understanding that mistakes happen, they must be more stringent when it comes to managing risky negligent employee behaviours in this era of mobility and accessibility. Employee negligence puts a company or organisation’s critical business data at risk of being stolen by cybercriminals or malicious employees. Examples of this negligent behaviour include:

▪ Leaving computer systems unattended

▪ Weak passwords (“password” or “12345”) or passwords that aren’t frequently changed

▪ Opening email attachments or clicking hyperlinks embedded with spam

▪ Visiting restricted websites

Employee Mobility & Data Exposure

In the modern-day BYOD workplace, more people are doing daily business on their personal laptops, iPads and Blackberrys. They are also carrying around portable media like thumb drives, USB sticks and CDs.

These devices are not always backed up or secured by IT administrators. There is not only the potential for these devices to be lost or stolen but there is also a very high probability that employees using them are also accessing personal email, downloading music, browsing the web, playing games and hanging out on Facebook. This makes sensitive data susceptible to malware, viruses and hackers. All of this substantially ups the likelihood of data loss incidents.

 

Four Ways SMEs Can Minimise Data Loss

▪ Enforce Data Security

This is more or less the managing of the “human factor.” CIOs and those in SME management roles must communicate data protection policies to staff and ensure their implementation. Rules must be set, particularly with personal devices, to enforce security policies. It can  be as simple as sending reminders to not open email attachments from unknown sources, requiring passwords be reset every few months or the banning of specific file sharing or social networking sites.

In May of 2012, security concerns led to over 400,000 IBM employees being banned from using the cloud storage service Dropbox and Siri – the iPhone personal assistant. While far from an SME, if IBM can go that far and make such a demand to so many employees, a insurance agent can certainly remind his or her marketing representative to  not  play Farmville on Facebook if they’re using a laptop containing company and customer/client data.

▪ Stress the consequences

Both personal and business – of not properly protecting confidential data. Encourage employees to make passwords difficult to crack. Patch holes in the infrastructure’s walls by identifying the most critical data. Perhaps a trusted IT advisor can help implement processes to better protect that data’s security perimeters.

▪ Mobile Device Management

Mobile Device Management grants SMEs a semblance of control over the mobile devices used within the company. Devices tapping into company systems are identified and remotely monitored and managed 24/7. More importantly, they are proactively secured via specified password policies, encryption settings, and automated compliance actions. Lost or stolen devices can be located and either locked or stripped of all SME-related data.

▪ Snapshots

Fully backing up large amounts of data can be a lengthy process. The data being backed up is also vulnerable to file corruption from read errors. This means sizeable chunks of data may not be stored in the backup and be unavailable in the event of a full restore. This can be avoided by backing up critical data as snapshots, which are read-only copies of data frozen to a specific point in time and stored using minimal disk space. These virtual snapshots are immediately available for restores in the event of data loss.

▪ Cloud Replication and Disaster Recovery Services

The cloud provides SMEs who consider data backup to be too costly, time consuming and complex with a cost-effective, automated off-site data replication process that provides continuous availability to business-critical data and applications. Cloud replication can often get systems back online in under an hour following a data loss.

 

Continue Reading

Enquire now