Published On: Thu, Jul 23rd, 2015

Worried about security

I run an expanding Health & Beauty business. I obviously keep confidential client records and we use a variety of channels for our communications including Facebook, email, digital newsletters, texts and so on. It seems as if every week these days I see another scare where a business has been hacked and customers being furious. It really worries me since an issue affecting even a few of my clients would probably ruin my business. We use our phones and tablets at work and to check diaries remotely, and someone told me that’s my weak link and I should also investigate what he called (I think!) identity access management which presumably means which of my team I allow to access our server?
Am I worrying about nothing or should I be concerned?

Got a question for the experts? Email your question to businesseditor at email.com

About the Author

- Kizzi Nkwocha is the editor of My Entrepreneur Magazine and publisher of My Making Money Magazine, the net’s fastest growing wealth creation publication. Kizzi Nkwocha made his mark in the UK as a publicist, journalist and social media pioneer. As a widely respected and successful media consultant he has represented a diverse range of clients including the King of Uganda, and Amnesty International. Nkwocha has also become a well-known personality on both radio and television. He has been the focus of a Channel 4 documentary on publicity and has hosted his own talk show, London Line, on Sky TV. He has also produced and presented both radio and TV shows in Cyprus and Spain. Nkwocha has published a number of books on running your own business and in 2011 his team won the Specialized Information Publishing Association (SIPA) award for best use of social media. In the UK he runs a successful consultancy called Social Biz Training which trains people on how to use social media for business.

Displaying 3 Comments
  1. You’ve identified a potential problem which you believe could really be harmful to your business if it occurred. If this is the case, trust your instincts and search for a specialist/s in on-line security and get some advice on this so you can make appropriate decisions and take action.

  2. Eugene O’Sullivan says:

    This is a very common question, but is not one that has a simple answer.

    In this internet-based world, being online to advertise services, communicate with customers and compete in markets that are becoming more and more saturated and competitive is a must for every business. All of us use the internet as a first port of call for new business or to find out about something; we simply “google it”.

    Not having some sort of presence on the internet is simply not an option; however, this immediately leads to the big concern for security-aware individuals: “Is my data safe?” and “What happens if I get hacked and/or lose my data?”

    Unfortunately there is no one answer to this question or to quell the fear. In the past security wasn’t such a big issue. Yes, there were attacks and breaches, but they were on a much smaller scale, with less financial backing and less informed people carrying out the attacks; today it is very different. Attacks are carried out by criminal gangs and in some instances are even state funded.

    There are even easily accessible websites that offer the opportunity to buy “off the shelf” attacking solutions from the hacking community. This allows almost anyone with a basic knowledge of computers to initiate an attack.

    So, to address your question, which is actually very common: “Is my data safe?”

    The honest answer is no. You will never be able to protect yourself entirely. If the US government cannot protect themselves with the billions of dollars they have to throw at the problem, what chance do you as an SMB have? The most you can hope to achieve is to be aware of the most common risks and mitigate against them.

    Your number one risk is staff. With the working attitude of employees changing, and the job no longer being 9-5 or specifically office based, many employees now work from home, either during the day or into the evening when they get home. They will use all manner of devices over unsecured home broadband lines, which are often only protected by a basic password.

    Some of these devices are owned by the organisation and some are owned by the employees themselves (BYOD). This raises the question “What are my staff doing at night?” Are they accessing data they shouldn’t or, worse still, downloading or sending data to competitors?

    If there are specific employees that need remote access, your first action should be to ensure they have a “static IP address” on their broadband router, and for all remote access to your data to be configured over a secure VPN tunnel.

    You should also know who you are employing and then only give access to sensitive data after a period of probation. This will allow you to build up a certain level of trust before giving greater access to company data, whether internally or externally, and as always least privilege access is a must.

    Whilst you may feel that your employees need to use mobile devices to connect to company data, restrictions should be put in place along with logging of user identity and what data was accessed. Training for all staff should be given to help them spot signs of potential attacks, such as unexpected emails, and web sites to avoid. This is where IAM comes into its own. With this technology in place it becomes much easier to manage what rights a user has and to log what, where and when data was accessed. But this software can be very expensive and is not for everyone. Corporates should definitely look into it, but what about the SMB?

    For the SMB I think a similar approach can be taken, albeit with more IT intervention and control than using IAM.

    All BYOD or company devices should be logged and asset tagged. Strict policies should be in place about what data can be accessed, and least privilege given to this. Logon hours should be set up and, of course, logging should be in place and monitored. Only users who need access externally should be given it. Mobile Device Management is a must. Users should be trained on how to use devices securely, be that not using public Wi-Fi, always having PINs on devices or using VPNs where possible. Users should be told to report any issues or suspicious occurrences to IT.

    The second risk is malicious hacking, and this can manifest itself in many different ways, from a simple innocent-looking email with embedded malicious code, to websites that have been attacked and embedded with malicious code.

    Installing a good quality firewall is your best course of action. It needs to be a good quality unit which comes with a “security updates subscription”, so that the software on the equipment is regularly updated with the identification of the latest malicious code, a bit like anti-virus software.

    With these policies and procedures in place you are only ever improving your chances, never preventing an attacker or malicious/disgruntled user from getting access to your company data so the risk will always be there.

    Yes, you should be concerned about these issues, and following the points detailed above will mitigate the risks, but please remember, if someone really wants to get in, they will.

    What you are doing by following these recommendations is helping your IT provider’s chances of finding what, where and when the data was taken and taking action in this area.
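Eugene's checklist for an SMB without an IAM product (least privilege per role, logon hours, remote access only for named users, and logging that is actually monitored) can be checked mechanically against the access log. The following is an added example, not the commenter's code: the role table, user names, logon hours and the audit log format are all constructed for illustration.

```python
"""Review an access audit log against least-privilege roles, remote-access
clearance and logon hours. Constructed example: the log format and role table
are assumptions, not taken from any product."""
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Least privilege: each role may read only the data sets it needs (assumed for this example).
ROLE_ACCESS: Dict[str, Set[str]] = {
    "therapist": {"appointments"},
    "reception": {"appointments", "client_contacts"},
    "owner": {"appointments", "client_contacts", "client_records", "payroll"},
}
USER_ROLE: Dict[str, str] = {"amy": "therapist", "bo": "reception", "kizzi": "owner"}
# Only named users may connect from outside the office; logon hours are 08:00-20:00
# (start inclusive, end exclusive, 24-hour clock).
REMOTE_USERS: Set[str] = {"kizzi"}
LOGON_HOURS: Tuple[int, int] = (8, 20)

# Constructed audit log: "<ISO timestamp> <user> <office|remote> <dataset>" per line.
SAMPLE_LOG = """\
2015-07-23T09:14:02 amy office appointments
2015-07-23T12:40:55 bo office client_records
2015-07-23T22:05:10 amy remote appointments
2015-07-23T18:30:00 kizzi remote payroll
2015-07-23T19:59:59 bo office client_contacts
"""


def review(log_text: str) -> List[str]:
    """Return one finding per control breached by a log line: a data set outside
    the user's role, remote access without clearance, or access outside logon hours.
    A single line can therefore produce more than one finding."""
    findings: List[str] = []
    for line in log_text.splitlines():
        ts, user, source, dataset = line.split()
        when = datetime.fromisoformat(ts)
        role = USER_ROLE.get(user)
        if role is None:
            findings.append(f"{ts} {user}: unknown user")
            continue
        if dataset not in ROLE_ACCESS[role]:
            findings.append(f"{ts} {user} ({role}): read {dataset} outside role")
        if source == "remote" and user not in REMOTE_USERS:
            findings.append(f"{ts} {user}: remote access not granted")
        if not LOGON_HOURS[0] <= when.hour < LOGON_HOURS[1]:
            findings.append(f"{ts} {user}: access outside logon hours")
    return findings


if __name__ == "__main__":
    print("\n".join(review(SAMPLE_LOG)))
```

Run daily over the previous day's log, the three findings here (a receptionist reading client records, and a therapist connecting remotely at 22:05) are exactly the "what, where and when" Eugene says an IT provider needs.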

  3. Ian Collard says:

    A positive is that you have recognised a potential problem exists, and it could have a critical impact on your business. Blissful ignorance is the most dangerous place to be.

    It’s worth considering what is at risk from unrestricted or unprotected access to your customer data. If you are holding customer data in an unprotected format, e.g. an unencrypted spreadsheet or database, then the first and most simple step is to make sure that data lives in a place where it can only be accessed via a username and password at the very minimum! You might consider encrypting it too.

    If your systems are interfaced and accessed by employees, suppliers, customers etc., make sure the users can properly authenticate themselves with what is known as “two factor authentication”. There are some very cheap ways of doing this using some Google tools, for example Google Authenticator.

    Access also takes many forms such as using mobile technology, social networks, home working, internet enablement, internal systems, and shared files. Try to ensure that your data is behind a firewall and check the firewall settings, especially if you are on a cloud service for hosting your data. Ask your service provider for the information and how it affects access. Many cloud providers give differentiated access i.e. the business owner and some staff may have access to all systems but suppliers, customers etc only have access to a limited amount of services and systems.

    You don’t mention it in your question, but if you are processing credit card transactions online, there are also some very stringent requirements from the Payment Card Industry around the way you hold credit card information. If in doubt it’s worth spending some money to find out from a qualified professional.

    Enabling access to your infrastructure is an absolute requirement, but so is the necessity to ensure that the access is restricted, controlled and appropriate.

    The value in many businesses is in their Intellectual property and their data. This is often unrecognised and is generally not valued from a financial perspective until a business is looking to be sold. The enormity of having this value diminished is often never recognised until a hacking or incident that causes real or reputational damage.

    The best advice is to get the best advice.
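Ian's suggestion of two-factor authentication with Google Authenticator rests on time-based one-time passwords (RFC 6238 TOTP over RFC 4226 HOTP). The following is an added example, not the commenter's code or Google's: it shows enrolment (fresh secret and the otpauth key URI the app scans) and server-side verification; the one-step drift window and the helper names are assumptions, and the RFC 6238 Appendix B secret is used only to check the arithmetic.

```python
"""TOTP one-time codes (RFC 6238), the scheme behind Google Authenticator.
Added example; how the shared secret is stored is left to the deploying application."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # Authenticator default time step
DIGITS = 6          # Authenticator default code length


def new_base32_secret(nbytes: int = 20) -> str:
    """Fresh shared secret for enrolment; 20 random bytes is the RFC 4226 minimum."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(label: str, issuer: str, base32_secret: str) -> str:
    """Key URI that Authenticator reads from the enrolment QR code."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(label)}"
            f"?secret={base32_secret}&issuer={quote(issuer)}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(base32_secret: str, at: Optional[int] = None) -> str:
    """Code for the 30-second step containing Unix time `at` (now if omitted)."""
    secret = base64.b32decode(base32_secret, casefold=True)
    t = int(time.time()) if at is None else at
    return hotp(secret, t // STEP_SECONDS)


def verify_totp(base32_secret: str, submitted: str, at: Optional[int] = None,
                drift_steps: int = 1) -> bool:
    """Accept the code for the current step or `drift_steps` either side (phone clock drift).
    Every candidate is compared in constant time so response timing does not leak matches.
    A real login flow must also refuse a code already accepted for the same step (replay)."""
    secret = base64.b32decode(base32_secret, casefold=True)
    t = int(time.time()) if at is None else at
    step = t // STEP_SECONDS
    matched = False
    for d in range(-drift_steps, drift_steps + 1):
        matched |= hmac.compare_digest(hotp(secret, step + d), submitted)
    return matched


# RFC 6238 Appendix B secret "12345678901234567890" in base32; at Unix time 59 the code is 287082.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```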
