STRATEGIC THINKING FOR YOUR BUSINESS
WINTER 2015
SAFE AND SECURE
Nigel Brooks, Dean Foreman & Carl Chapman
WELCOME TO YOUR QUARTERLY MAGAZINE BUSINESS TALK
Welcome to the winter issue of Business Talk from Capital Support. The 2015 UK Government survey on information security breaches, conducted annually by PwC, showed an increase in the number of breaches experienced by businesses, with 74% of SMEs recording some form of breach, up from 60% on the previous year. Furthermore, the survey reports that for smaller businesses, the average cost to them of their worst breach in terms of disruption, lost sales, recovery of assets, and fines and compensation had increased to £75,200, up from £65,000 in 2014.
With these stark statistics, Business Talk once again focuses on the critically important aspect of IT security. It is not possible to over-exaggerate the potential harm to your business of a security breach and, today, the risks are at their greatest. I hope you find this issue informative and thought-provoking. Once you have read through the articles, please don’t hesitate to get in touch should you think you need to review or assess your IT security – we’re here to help!

Nigel Brooks, Managing Partner
Dean Foreman, Managing Partner
Carl Chapman, Chief Operating Officer
Call 020 7458 1250 or go online at www.capitalsupport.com
SAFE AND SECURE
The business imperatives of effective IT security
page 4
Getting prepared – fighting back
page 7
Keeping secure – practical steps for any business
page 11
Meet the expert
page 14
THE BUSINESS IMPERATIVES OF EFFECTIVE IT SECURITY

Developing a business is hard work and requires a lot of your time and energy. Any business owner can tell you that it’s a challenging, yet rewarding, experience to run a business. However, not all business owners are aware of the threats that lie in wait, ready to bring your business to an abrupt halt.

As companies embrace the digital era ever more, they need to be aware of the risks out there that are looking to destroy their business productivity, or worse. No matter what size your company is, you need to understand the critical imperatives of having effective IT security, the types of potential threats and the impact that they have on your business.

Steps to greater security

The quickest way to establishing effective IT security systems and practices is to take a step back and evaluate the status of your business and the risks present in your company. After you have assessed how vulnerable your company is, you need to take action on putting systems and practices into place that will safeguard your company from attack.

If you do not have a fully effective IT security system in place, your business is at risk. It might not seem apparent at first, but when you do not have protection or defences in place to ward off harmful threats, you could lose more than you might realise. From loss of data and system downtime to impact on productivity and damaged brand reputation, anybody with the right tools can break in and wreak havoc on your company.

Develop a security plan

With the speed of technological development, you need to have a plan in place to stay a step ahead of potential security breaches. Without a plan, a business risks everything when a security breach happens. You and your team will need to ask what steps will need to be taken in the event of a security breach and how to correct them in a quick and effective manner.
Types of potential threats

There are all kinds of threats out there and they have all been created by individuals looking to take advantage of you, your system and your business. They may have different motives and practices, but they all spell bad things for your company. When developing your security plan, it helps to understand the potential threats that are waiting to jump on your business and digital infrastructure.

Malware. Malware, short for malicious software, describes a type of code or program that has been installed on your computer without your knowledge. Malware is designed to intentionally infect your computer, mobile device or network to gain an advantage over it and you. Depending on its severity, malware can do an array of harm, from forcing your email system to send mass email and further spread the malware, to stealing bank information and other private financial data.

Viruses, Trojan horses and worms. Viruses are a type of malware. Viruses on a computer are similar to biological viruses in the world: they do their damage by replicating themselves from file to file, program to program and computer to computer, infecting everything in their path. Trojan horses are impostor files that look to be desirable but are malicious. Unlike viruses, they do not replicate themselves but still contain malicious code that causes loss or theft of data. Worms are standalone malware that replicate themselves in order to spread to other computers. Unlike a virus, a worm does not need to attach itself to an existing program. Worms often use a computer network to spread, relying on security failures on the target computer to access it.

Hackers. A hacker is the top of the food chain when it comes to vulnerabilities in the digital world. A hacker is an individual who illegally gains access to data and systems. This may be anything from your emails, website and financial data to total control over your computer or business network. They often use tools like viruses and malware to gain an advantage over you.

Employees. A significant potential threat comes from within. This could either be a current or previous disgruntled employee, particularly someone with knowledge of your systems, seeking retaliation, or simply staff carelessness – someone leaving a password on a sticky note, not being alert to phishing emails, or omitting to put a passcode on their mobile device.

According to Heimdal Security, leading cyber criminals and hackers on average cause financial damage of between $350,000 and over $100,000,000 each.

Business impact

The threats to a business from a digital attack like malware or a rogue employee can be critical. While not all malware and viruses are designed to ruin a business and force it to crumble, they can still have devastating effects if not prevented or taken care of.

Unsure if your systems and processes are secure? Contact us for a free consultation.

GETTING PREPARED – FIGHTING BACK

Whether you are new to IT security systems or a veteran, it’s important to keep your computers and networks up to date. If you do not regularly evaluate the effectiveness of your IT real estate, the vulnerability of your security systems can only increase.

The first step in developing a secure IT structure in your business is to evaluate its security strength by auditing your IT system assets. There are a number of critical steps that you need to take in order to audit your system.

1. Know your assets. Your company first needs to determine all of the IT assets that it has. This will help you determine where the priorities are as you complete the audit and make security changes. Assets can include hardware, software, data and information. As well as the obvious computers, servers and applications, think also about mobile devices, log-in details, passwords and physical access arrangements.

2. Assess the risks. It’s important to know what needs to be protected, but it’s not enough to only understand what is at risk. Knowing how your information and equipment is at risk gets you closer to a safer IT structure. Develop a list of all types of threats that risk endangering each item on your asset list, thinking as broadly as possible so nothing is overlooked.

3. Prioritise vulnerabilities. Now that you have a list of assets and the risks that are prevalent for your business, order them from most to least important. Prioritise items on the list in terms of high and low vulnerability and high and low value to your business.

4. Implement access controls and protocols. Network access control is critical for limiting access to your network. Controls keep out unauthorised individuals looking to access your company assets or wreak havoc on your systems. Your company’s network access controls should include these features: data encryption, digital signatures, verification of IP addresses and usernames, verification of cookies for web pages, and more.

5. Implement defences. Network access control combined with intrusion prevention systems can protect your sensitive data and deny access to unwanted intruders like hackers. The most common type of prevention system is a ‘firewall’, which will help to keep out undesired content. Firewalls are critical to the defence against intrusions.

6. Implement identity and access management. Identity and access management is the control over a user’s access to company assets. Users will need to be authenticated through software or manually request access before they can be allowed to view or use specified company assets.

7. Create regular backups. No security audit and IT infrastructure upgrade is complete without a backup. Faulty hardware can be just as detrimental to your business as a hacker is. Back up your data on a consistent and regular basis. There are a number of approaches to implementing effective backup systems, so seek advice as to the one that best suits your needs.

8. Increase email protection. Spam and phishing emails are one of the most common types of threats against companies of any size. They look to target individuals who are not educated on phishing habits. Keep your employees informed about the best email practices for incoming and outgoing emails. To further reduce the risk of an attack via email, increase your network’s filtering to weed out common types of spam and phishing attempts.

9. Friend or foe. Developing a strong defence against cyber-attacks is complex and can be challenging for companies. Once you have gone through the necessary steps of auditing and protecting your company’s systems and data, it doesn’t end there. In fact, known third parties such as suppliers, contract workers and even your own employees can still damage your business or steal valuable information even with the best defence systems in place.

10. Plan for the future. Once you’ve compiled a list of potential vulnerabilities that could threaten your IT assets, you need to also look ahead and consider what could harm your IT systems in the future. Be alert to the latest developments and threats by monitoring news and the latest information on websites and forums such as itsecurity.com.

Auditing your business’s network and IT infrastructure is critical for a company of any size. It doesn’t matter if you are a small business or a massive corporation. Hackers are everywhere, accidents can happen at any time and technology is always evolving. Always stay ahead of the game and regularly audit your IT systems and practices to ensure that they are secure. After all, it takes just one slip or one breach to potentially jeopardise the future of your business, the people you employ and the customers you serve.
KEEPING SECURE – PRACTICAL STEPS FOR ANY BUSINESS

As technology evolves, so too do businesses. The most successful businesses are those that are capable of adapting to the market, its industry and the technology around it.

For companies that rely on technology (and which business doesn’t nowadays?), there are two key areas that are often overlooked yet must be considered in order to secure your business from the wide range of threats it is exposed to on a daily basis: firstly, how to manage off-site use of IT, i.e. ‘remote working’, and secondly, the steps to take when purchasing or implementing any new IT equipment.

Remote working security

Companies that have employees who travel and work outside of the office will need to take extra precautions when using their laptops, phones or tablets in public environments like hotels, airports, trains and coffee shops. When employees are outside of the office, they’re at a much greater risk. Firstly, there are some clear practical steps that can be easily taken. These include not leaving devices unattended, taking care not to display confidential information on your screen while in public areas, and avoiding accessing sensitive information over a public network such as a shared Wi-Fi.

Using mobile devices

The mobile market has grown dramatically over recent years. Almost every employee in any company has a data-enabled mobile device, such as a smartphone or tablet. Companies can either provide their employees with devices to help them work remotely or allow them to bring in and use their own mobile device – often referred to as ‘Bring Your Own Device’ or BYOD. Users with mobile devices need to be aware of the dangers of connecting to the internet outside of their company’s URL filtering software. Cyber-attacks are more common than ever before as a result of techniques such as Wi-Fi listening and malware installation on fraudulent websites.

5 SECURITY TIPS TO SHARE WITH YOUR EMPLOYEES

Passwords – these should be at least 10 characters long with a mix of lower and upper case, numbers and symbols.

Browsers – ensure secure browsing is used when accessing company webmail remotely, i.e. over the HTTPS protocol.

Email attachments – don’t open emails and attachments from unknown senders, and don’t use the Preview Pane in MS Outlook as it is the same as opening the email.

BYOD – ‘Bring your own device’ is where employees use their own smartphones, tablets or laptops for work. It is essential that these are protected as well as the company’s own IT assets.

Software downloads – ensure everyone understands the potential risks of downloading third-party applications and abides by strict, clear guidelines.

WINDOWS 10 TOP TIP

Passport, a Windows 10 security feature, is designed to let users authenticate themselves to applications, websites and networks without using traditional passwords. After Windows 10 verifies that you have possession of your device, it will automatically authenticate to websites and applications on your behalf.

Call us for guidance on assessing and implementing your company’s IT security systems.

New equipment security

Whenever your company upgrades or purchases new IT equipment, there are some considerations that should be kept in mind. Here is some advice to get you started:

1. Set a budget. Your company should have a set annual budget in place to fund IT upgrades for both employees and the business itself. Most technology can and does ‘last’ a long time, but in many cases technology grows faster than its lifespan. So it’s important to keep your IT systems up to date and equipped to cope with the latest security threats.

2. Align equipment purchases with security requirements. Define the specific needs of the business and how technology can help you achieve them – and, in particular, the changing requirements you may have with regards to security. Then ensure that any new purchase delivers against your specified requirements.

3. Purchase equipment via your IT provider. Avoid buying the ‘latest tech’ just because it’s new and stylish. Your IT provider can help you to determine what is best for your company and what isn’t, and then advise on the technical specification needed. They have the knowledge and experience to know what is most suitable to meet your needs.

Mobile devices, remote technology and other technological advances make businesses more flexible than ever. However, no business should walk blindly towards new technology without taking the necessary precautions to secure itself.

WINDOWS 10 TOP TIP

Device Guard, another feature for Windows 10, focuses on blocking everyday attacks by vouching for applications that attempt to access a Windows 10 machine or network. When an application that is not registered on Device Guard attempts access, Windows 10 will block the connection to keep your device and information secure.

WINDOWS 10 TOP TIP

Windows Hello, a feature of Windows 10 to boost security, is just one of many features to consider when upgrading IT systems. This Windows 10 feature is designed to remove the need for passwords through using biometrics: the computer’s ability to identify your face, fingerprint or iris. Windows Hello is just one of Microsoft’s many attempts at raising the bar of computer and IT equipment security.

Let us advise you on secure remote working and equipment procurement.
MEET THE EXPERT

Business Talk asks Dr Paul Stephens, Director of Computing, Digital Forensics and Cybersecurity at Canterbury Christ Church University, for advice on IT security.

Q: What is the biggest IT security threat to businesses at the moment?

A: Complacency. The biggest threat is not to take your IT security seriously. There are well-documented ways of protecting your systems and professional support readily available, so you ignore these at your peril. The government provides lots of advice for SMEs including the Ten Steps to Cyber Security and the recently launched Cyber Essentials Scheme, which also advises companies on how they can assure their customers that they meet certain security standards.

Q: Should small businesses really need to be concerned about external threats?

A: Absolutely! Small businesses with poorly protected systems provide an easy target for criminals and their malicious software. There are many freely available tools available to criminals that do not need a high level of technical skill to deploy. Organisations that do not take external threats seriously and are not reaching a basic threshold of cybersecurity readiness are throwing their doors open to cyber-attacks.

Q: Who is winning the cyber war, the IT security companies or hackers?

A: As a small to medium sized business it may be better to think of it not as a cyber war but as a number of battles that your company may be forced to be involved in. If you do not take heed of proper advice then you are setting yourself up to become an easy target. Many cyber threats look to exploit well-known problems, and taking the government’s advice and that of your IT provider ensures that these holes are plugged. The automated nature of the tools used by criminals means that if the common exploits are not available they will move on to look for an easier target.

Q: Is cloud storage more or less safe to store my company data compared to on-site storage?

A: There are a number of pros and cons for each system. Cloud storage is quick and easy to deploy, with options for expanding when necessary, and costs are low. On the other hand, you are putting your data in someone else’s hands and relying on them to keep it safe. You may also find that accessing the data is slower as it is off-site. If your Internet connection goes down then your data is not accessible. Broadly, it’s the reverse for on-site storage, so it is up to the individual business to decide which of these factors are a priority and then decide on the most appropriate solution for them.

Q: Are my colleagues the biggest threat to my company’s IT systems and data?

A: There are a number of threats to your company’s IT systems and your colleagues are just one aspect of that. It is important to realise that your personnel can be a weak link in the chain, whether it is intentional or not. There are fairly sophisticated ‘social engineering’ attacks which can be used by criminals to gain information unintentionally. This can be through technical phishing attacks (where an email is received which purports to be from a trusted source and directs them to give sensitive information to a spoofed website that looks genuine) or more psychological means, with the attacker becoming a friend and asking for information about the company. There should be levels of security in a company where people only know certain information if they need to know it. There should also be some level of staff education about the kinds of attack that are possible so that they do not fall victim to them.

Q: What top 3 questions should I ask my IT company about our IT security?

A: The first question would be: are we following the government’s Ten Steps advice and how are we doing that? Based upon the earlier questions, it may also be important to ask: how are we providing assurance to our customers that we are taking cybersecurity seriously? This could be done via the Cyber Essentials Scheme. Also, do we have the internal skills and resources needed for on-site storage or would cloud storage be a better solution? This should force an evaluation of the kind of storage that is right for your business.