Dynamic Business

Dynamic Business Magazine – Articles from Australia

Protect your business from online fraud

“What folks forget is how dangerous the Internet is today,” said Mike Greene, vice president for product strategy at PC Tools. “There’s a number of different ways for cyber-criminals to exploit businesses.”

Of course, this desire to remain invisible and the desire to make money rather than merely gain glory only adds to the challenge of fighting off such problems. While security suites have become more integrated — you’re much more likely to install a single suite that protects against viruses and spyware and a firewall to protect against unauthorised network intrusions than to buy separate products for each function — they still take time and money to manage.

“Balancing securing IT systems with making them available, and doing that in a cost-effective way, is a big challenge,” said John Donovan, managing director for Symantec. “A common thing we hear from smaller businesses is they simply don’t have the time.”

One useful solution in this context may be to use a managed security service. By effectively outsourcing your ongoing IT security management to a third party for a fixed monthly sum, you can hand off what is becoming an increasingly complex problem to someone with a higher degree of expertise.

That’s certainly a better approach than the ostrich-like stratagem of pretending nothing will go wrong. SMEs often assume that they are less likely to be the victims of a co-ordinated attack than a larger multinational firm, but such an assumption is largely unwarranted, experts warn. “If you don’t have a sensible protection strategy, getting attacked is only a matter of time,” said Paul Ducklin, Asia-Pacific head of technology for Sophos.

“There’s no reason you can’t have an attack against smaller companies,” said Greene. “It’s not that hard to figure out a way to exploit that relationship.”

“People need to realise it’s a money making business, and nobody’s immune. Criminals go for the weak link in the armour.”

In larger businesses, it makes sense to have both network-level protection (examining incoming data before it hits individual machines) and a separate desktop-level system. “The desktop is really the last line of defence,” Greene said. “If you go to the local coffee shop or the airport, you can’t rely on the stuff on the server.”

Protection shouldn’t be limited to machines in your own premises either. Ducklin points out that company web servers are now often hacked to provide links to sites which download malware. Those links are invisible to the naked eye, and the malicious software itself resides somewhere else, but the potential for reputational damage Running an on-access scanner on your web server (or more likely ensuring your provider does so), which checks pages as they load for possible illicit content, can help obviate such threats.

Online threats evolve rapidly, so even with a good protection strategy, you might still fall victim to an attack which results in lost information or compromised data. The most critical element in recovering from such a setback is having good backups of your existing systems, and the knowledge of how to restore them quickly — something many businesses struggle with.

“Australian SMEs fall down in their ability to actually have backup and recovery processes in place to recover from some sort of attack,” Donovan said. Surveys suggest that many businesses run backups less than once a day, making them particularly vulnerable. “Whether it’s a cyber-style attack or a physical attack, the ability to recover is somewhat compromised without backups,” Donovan said. “Also, in a lot of cases, they’re not modifying their policies as they grow.”

Having a good recovery strategy and regularly updated software will offer solid protection for most current scenarios. “Keep your computers patched and up to date,” Greene advises. “Deploy those solutions and let the armies of researchers deal with the problem.”

Legal Data Protection Responsibilities

Legal responsibilities for protecting data vary widely depending on the size and nature of your company. Smaller businesses generally aren’t subject to the provisions of the Privacy Act, but companies in specific sectors (such as finance or medicine) may fall under more specific regulations.

Regardless of the legal specifics, however, companies have an ethical and a practical obligation to ensure that business and customer data doesn’t fall into the wrong hands.

“When you’re operating as a business, you have an obligation to protect your customers’ data as well,” said PC Tools’ Mike Greene. “You have a legal and a moral obligation to make sure that’s protected as best as you can.”

“Most companies will collect data and it’s everyone’s expectation that you’re going to keep that data safe and private. The last thing someone wants to hear is that there’s nothing in place. You need to do your due diligence and do the right thing.”
