Business guide to internet security
It’s hard to imagine modern Australian business without the internet but in the last few years it has become fraught with danger. Internet crooks are the dotcom entrepreneurs of crime, using the power of computers and the interconnections of the network against innocent businesses to make money. Make no mistake: viruses, spam and spyware are the products of a global ‘business’ that is worth as much as $60bn a year. To put that into context, online crime is bigger than the global drugs trade. With so much money at stake, it’s not surprising the problem is getting worse.
In November 2008, web hosting service McColo Corp was taken down after being credited with hosting up to 75 percent of email threats. In the days following the takedown, spam levels declined massively by 65 percent. Yet by the end of November, the threats had surged again, returning to two-thirds of what they had been.
The risks are only part of the story. Internet security is also a competitive advantage. Customers and suppliers want to understand what security arrangements are in place to protect their privacy. Who will contact your customers if a computer security incident hits your business? IT security isn’t just good practice, it’s good business.
Viruses, spam and phishing
According to MessageLabs’ analysis of more than a billion emails a week during 2008, one email in every 100 contains a virus. One in nearly 200 is a fraudulent phishing email. Seven in every 10 contain spam. Put simply, unless you protect yourself properly, email and web access is always going to give you problems.
But what do these terms mean for business? If 70 percent of email is unwanted spam advertising, it means 70 percent of your email server’s capacity and 70 percent of the broadband bandwidth is wasted. Wouldn’t it be better to cut off the flow of spam before it reaches your network? That way you keep the bandwidth and server capacity for your business, not the criminal’s.
Phishing emails are more dangerous. They are used to trick people into giving away private information on fake (but highly realistic) websites. A common technique is to persuade people that they need to log into their online bank account to sort out a bogus transaction. Criminals use these sites to get bank account numbers, passwords and credit card information. Another common trick is to get employees to log into a fake company website so that criminals can get user names and passwords to log into your network. The risks of business fraud are obvious. These fake sites are often so realistic in appearance that even some security experts can’t tell them apart from the real thing, let alone the average employee.
However, the worst threat comes from malware. Call them viruses, worms, Trojans or spyware, they all spell bad news. Malware is an unwanted program written by criminals running on a computer in your business, and that’s never a good idea.
What sort of damage could this do? Viruses can give hackers remote access to your data and remote control of your systems. They can also be used to launch criminal attacks on other computers. They can send out thousands of spam email messages. They can infect other computers. Worst of all, they can do all this without any outward sign that something is wrong. Other kinds of viruses display intrusive adverts for pornography and gambling, and even disable security software. If there is a way to make money from your computers, there is a virus that will do it. Viruses spread in email attachments, when people visit certain websites, or simply by spreading from computer to computer on the network.
‘It can’t happen to me’. Really?
Many businesses, especially those with minimal IT support, tend to put a low priority on protecting themselves. Ironically, this makes them more attractive targets. Consider the accounting firm that was infected by a virus because their anti-virus software wasn’t up to date. It took them days to clean up their computers, and their reputation suffered because their computers turned into ‘zombies’ which send out spam email to all and sundry. The repairs cost thousands, but the damage to reputation is incalculable.
Imagine a manufacturing business where certain employees downloaded pornography in the office. If an employee took the company to an employment tribunal for permitting a degrading and offensive environment it could turn into a serious waste of management time, with substantial financial implications. It can happen. In one recent case, a tribunal found an employer guilty of sex discrimination because employees were looking at pornography in the room where the complainant worked.
Employees behaving badly
There are pressing legal, productivity and reputation issues associated with internet security. All business owners should ask themselves the following questions:
● What if an employee inadvertently defames someone or binds the company to a damaging contract by email?
● What if someone takes you to an employment tribunal claiming a hostile working environment? Damages in discrimination cases can be high.
● Do you want your employees downloading pornography or other inappropriate content on work computers? It’ll probably happen; the majority of visits to pornographic sites occur during office hours.
● How much productivity can you afford to lose to ‘cyber slacking’ or employees browsing non-work-related websites on company time?
● What would happen if an employee sent sensitive information to a competitor or disclosed confidential information to an unauthorised person by email? Would you be able to enforce company policies, or even track the breach?
These are important questions. The problems behind them are not the result of outside attack, but reputations still suffer, clients still leave and careers still crash and burn. Companies need to write and enforce acceptable use policies, and they need technology to help them do it.
-Mark Sunner is chief security analyst for MessageLabs (www.messagelabs.com.au), a leading provider of managed security services to businesses, removing security problems before they reach the company network.