NetDefence

Security • Compliance • Productivity

Today running a business involves complying with a range of local, state and federal government laws ranging from taxes to privacy issues to work safety – the list goes on and you guessed it, this also includes technology use in business.

Employers

The enormous amount of information a business keeps about clients, suppliers and staff is stored and maintained on electronic media i.e. hard drives, computers, servers which can be damaged, lost or stolen.  There is an obligation on employers to ensure this information is protected.

Here are just two areas of compliance relating to technology use in business to think about.

Employees

All business owners have an obligation to protect their employees.

Traditionally this has involved providing a safe workplace physically – now it includes a safe technology environment.

The fact is, today the use of electronic resources gives rise to potential misuse by employees.  Such misuse may be in contravention of laws including equal opportunity and discrimination, defamation and infringement of intellectual property.  This is a technology threat.

It can occur when employees use their computers to:

a.     Harass other employees through messages containing racial slurs, pornographic images or gender related remarks.

b.    Defamation can occur where a message contains a false statement that subjects an individual to hatred, ridicule or contempt.

c.     Emailing information from the Internet or printed material without authorisation of the author/publisher.

Employers may be exposed to “Vicarious Liability” which means employers may be held liable for unlawful or inappropriate use of technology (and other areas) by employees.  To avoid liability employers must demonstrate reasonable precautions and due diligence.

One method employers could use to protect themselves is by managing electronic mail, Internet browsing and archiving of emails so they can be in control of what is allowed in and out of the organisation.

This is now possible to do without buying any hardware or software (i.e. as a service) and it’s inexpensive.

Data Retention

There is another obligation for employers associated with using today’s electronic resources – retention of electronic documents. Example: Privacy Act 1988 Section 4a – “An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.”

http://www.privacy.gov.au/publications/npps01.html

There are numerous government Acts which reinforce the message about maintaining access to electronic company information for a long period, including the Electronic Transactions Act, The Australian Taxation Act and the Industrial Relations Act – but there are many more.

In fact it can actually work against you if whilst involved in a legal matter it is perceived that you destroyed or didn’t demonstrate any duty of care for company data.

Today employers need to show they have taken ‘reasonable steps” to protect the information in their care.

This could involve strict policies regarding backing up data regularly, offsite storage, disaster recovery/business continuity planning and even the use of external services.

Some of the services that can assist an employer include the automatic archiving of all electronic mail and attachments, as today these are legitimate business documents.

Speak to your IT provider about what services they offer which can help you protect your business from exposure to compliance related technology threats.

Note: This document should not be viewed as legal advice. If you need to explore these topics further you should consult your legal advisors.

You may have heard of a new term within the IT industry ‘SaaS’ – Software as a Service.

Rather than purchasing new software which requires installation and maintenance on your own computer network, SaaS allows you access to whatever software you may need remotely, for a small fee.

For many businesses this reduces the significant time and cost associated with managing a complex hardware and software network.

The responsibility for managing upgrades or patches rests with your SaaS provider. No installation is required to make an application available to another staff member. And no matter where you are, if you can access the Internet, you have access to the software you need.

Salesforce.com is an example.  This company provides a Web-based Customer Relationship Management (CRM) solution for sales, service, marketing and call centre operations. You subscribe and gain access to the service over the Internet from anywhere in the world.

Why SaaS for Business?

There appears to be a number of benefits to a SaaS solution:

1. No initial outlay
When purchasing software for installation on your network, you are faced with a significant up-front investment – not only for the application, but also for its installation on all computers within your organisation (plus hardware). A SaaS solution requires no upfront investment.

2. Your application works immediately
There’s almost no lag between choosing your software solution and having it up and running.  With no requirement to install either hardware or software most SaaS applications are active within 24 hours.

3. Fixed costs
SaaS services are offered on a subscription basis. You pay to have access to an application.  All associated costs are included within the subscription cost – support, security and upgrades etc.

4. No network interruptions for installation/upgrades
All new software, upgrades and patches are installed by the SaaS provider.

5. Less risk
Once you purchase software or hardware you own it. With SaaS you pay only for the period in which you use the software. This allows some flexibility for changing needs in the future.

Why SaaS for security, such as email cleansing, Internet management?
A SaaS solution may be the best choice when considering the security of your network and how   email and web-based tools have become essential to business today.  But at the same time, the threats that email and web browsing expose a business to have become more extreme.

Today you can use security measures that stop threats before they reach your network.  Proactivity is more effective than being reactive; a SaaS security solution is a successful way of creating a secure buffer around your network.

Here’s why:

1. Threats change at an astronomical rate.

2. Your bandwidth is being sucked up by email you don’t want
If over 90% of email is spam it has no business being in your network. You don’t want the mail, you certainly don’t want it clogging up your bandwidth and costing you money.

3. Your people are increasingly mobile
What happens when your people work remotely?  They still access your network.  A SaaS solution is active whenever they access the Internet, from wherever they may be.
4. Productivity and efficiency are key contributors to business success
SaaS can provide a valuable insight into how email and the Internet impact your business. As well as specific information regarding what’s being received, sent and accessed, appropriate reporting can give a snapshot of what trends exist.

Summary
If you’re looking for ways to ensure your business has the most cost-effective means of accessing software and ideas to make your technology more efficient, productive and secure then a SaaS security solution is well worth investigating.

We often talk about malware here on the NetDefence blog and the importance in having effective anti-virus software on each computer you use, however sometimes even having your anti-virus software up to date will not protect you.

A Zero Day Exploit is any vulnerability in software that is unpatched at that point in time. Zero Day Exploits are constantly being found by anti-virus companies and patches are released, but the time in between is when your computer is at high risk.

Today (25th February 2009) a Zero Day Exploit has been found for Microsoft Excel and appears to be affecting all versions on all operating systems. This exploit allows someone to run code on your computer which can install a trojan called Trojan.Mdropper.AC. It is highly recommended you are very cautious in opening Excel files over the next 24 hours and ensure you run an update on your anti-virus software.

When a Zero Day Exploit like this occurs, your only defence may be using your own smarts to determine whether an email is legitimate or not. Ask yourself, do I know this sender? Am I expecting this email and attachment? If you can’t answer at lease one of these questions, it is best to delete the email and keep your computer virus free!

Even though IT managers and departments have been primarily concerned about security, ultimately it is the responsibility of business owners and chief information or executive officers (CIO, CEO) to protect an organisation from threats.

In the years since the Internet first came on the scene, the security scenario has undergone rapid changes and developments as threat and counter-threats have been developed and deployed.
As IT security threats continue the form and nature of these threats may not be what most people expect – or even suspect.

Here are some of the top security threats you will hear more about during 2009:

Lost Laptops and Careless Employees

The increasing portability of laptops and storage devices is of concern. This increases the chances of these portable computing and storage devices being stolen not only for their resale value, but for importantly the information contained within. This problem is compounded by the apparent lack of security awareness by many employees which extends to employees and their internet-based social networks.

Weak Policies
IT security experts have also expressed increasing concern over identity thefts.
While most companies limit physical access to employee records, many companies still have vulnerabilities in terms of systems and procedures in handling these.

Many companies do not purge data when the company’s computers are reassigned or disposed of; others do not even install passwords on employee computers; still more do not encrypt personal information when these are transmitted over the Internet or company networks.

Overconfidence
Some business owners feel their company’s security is more than adequate to meet existing and potential threats. Anti-virus, anti-spyware, anti-spam software and improved techniques have all contributed to the complacency of businesses.

However, security is 24/7, check, double check and triple check, random reviews and tests. It is a never-ending activity and while automation may have relieved the pressures a bit, there is no room for error or overconfidence – especially as many threats are coming from unexpected sources.

What can you do to minimise exposure to your business?
Analyse your security policies and procedures – if you don’t have any in place, start on them now.
Work with your technology providers. They should have some good ideas about what you can do to improve your protection.

Consider some of the smarter technologies now available such as managed online solutions that protect your business from outside your network. Rather than buying hardware and software which you have to maintain and replace every few years, you can ‘turn on’ security services which operate from the Internet, are updated constantly and cost less than a hamburger per person per month.

Much has been made of the Government’s $42bn stimulus package over the last few weeks. People earning under $100,000 are eligible for rebates of up to $900 each. The only catch? You must have completed your 2007/2008 tax return.

Enterprising cyber criminals will no doubt see this as an opportunity to fleece people of their personal details through a phishing scheme. The Australian Tax Office Commissioner Michael D’Ascenzo has already stated “We are worried that unscrupulous people will use the interest surrounding the payments as an opportunity to try the usual scams”.

In the US, where similar plans are taking place a scam has already surfaced. Whilst this scam seems to be inactive currently, it looks like it was designed to encourage the recipient to download a trojan disguised as an application form. This simple trick could enable the trojan to be installed on your computer in the form of a key logger, spam server or other internet threat.

The ATO (or any other organisation for that matter) will never ask you to provide personal details via email. If you receive an email you are suspicious of, do not open it. Scams can be reported at http://www.scamwatch.gov.au. If you’re not sure about an email it is better to speak with the company affected (Such as the ATO) to check if it’s legitimate than to risk compromising your computers security.

Where have you seen that expression lately?

This is a term to describe an Internet service that focuses on building online communities of people who share common interests and activities, or who are interested in exploring similar ideas and thoughts with other people.

Today there are hundreds of social networking websites on the Internet, but the ones you will probably have seen or heard are Facebook, MySpace, YouTube and Bebo.

Some large organisations use these sites to deliver internal training and communications whilst others view this communication as a tool to develop business relationships.

Currently there are different views offered online about whether real business can be developed through social networking sites, if the relationships are superficial, and if it can possibly replace face to face relationship development.

Today most businesses see social networking as a threat to office productivity; employees can spend a lot of time communicating with friends about a myriad of social issues during office time instead of working.

The Age newspaper reported that Facebook alone could be costing Australian business over $5 billion in lost productivity per year. Note this article was published in August 2007!

Outside the workplace the availability of computers with Internet access has made it much easier to communicate with friends and relatives more often.

According to a study by Nielson Online (Sydney, March 2008) the amount of time Australians are spending online has, for the first time ever, surpassed the amount of time spent watching television.

So this has created a problem for employers as they are not only responsible for employee activity on the Internet, now they need to protect themselves from staff using their computers for the wrong purposes.

Once again technology has provided the problem and the answer. There are solutions employers can use to control Internet use within their business and they typically come in two forms: in-house and managed online solutions (over the Internet).

The in-house solution requires you purchase hardware, software and ongoing management from the IT team, which large businesses can normally justify.

But it is different for small businesses that do not have a single IT person on staff. This is where the ‘online managed solution’ works for them.

They typically pay a small fee per user per month i.e. $5 which allows them to manage Internet for their company any way they choose. This means they can control where staff can go, block inappropriate or time wasting sites and view overall activity every month with sophisticated reports. Some services also provide additional threat protection against malware and viruses.

When a business decides to implement either of these solutions they should develop a company policy and make all staff fully aware of it.

One thing is for sure… Internet use in business is here to stay.

It is estimated there are over 800 million computers connected to the Internet on any given day and that around 40% are infected with some kind of malicious software.

This can cause them to be in danger of some type of fraud, providing private information about the company or its users, or even being apart of a cybercriminal’s network acting as a robot – unknowingly.

This could have occurred for a variety of reasons; users on a network may have visited websites containing suspect pop-ups or they could have downloaded a dangerous file, or sadly, they may have done nothing more than typed in an Internet address and become infected.  But one thing is for sure – if the company network had the appropriate focus on network security it may have been avoided.

If your company has not addressed the security of your network as part of your business plans, it is imperative you do it now.

The strength of your computer network’s security is critical.  It is really important to review how your network defends your business from the thousands of threats that amass every week when using the Internet.

But security involves a lot more – what about physical access to your systems? Can someone walk in with a USB stick, plug it in and infect you?  What about passwords?  Do you think about passwords when designing them or are you using a simple one that a 15 year old could work out in five minutes i.e.”Admin”?

There is a saying in the industry; ‘your security is only as good as its weakest point’; meaning if you are lax in just one area of your technology’s security, you set yourself up as a target.

If you do not understand how your network is connected and how the security is setup, get your IT provider to explain it to you – in plain English.

They should speak to you about a number of areas:

1. How your business connects to the Internet

2. What protection you have installed – firewall, up to date solution for viruses, spam and malware for all machines including laptops, desktops and servers

3. How to improve your plan so you can sleep at night.

4. Review your security strategy on a regular basis.  There is an incredible amount of threats out there and you may need to update your solution occasionally

Today you have the advantage of using sophisticated technologies to fight the ‘bad stuff’.
NetDefence can clean your email prior to receiving it and allow you to manage Internet access outside your network, meaning you don’t pay to download it.

Picture this: One of your employees receives an email and they open it. This email is loaded with a virus that automatically picks an email address from their address book and attaches a random Microsoft Word or Excel document from their My Documents folder and sends it somewhere across the world.

Or this: Another staff member browses a website like Yellow Pages, Sensis or BigPond and clicks on a picture or advertisement where they are prompted with a message to ‘scan their computer for security reasons’.  Upon clicking yes, they are now infected with a Trojan Horse which installs code that sends passwords, banking details and other private information back to a hacker.

Both of these examples are real and occurred last November right here in Australia. During 2007 over 500,000 new technology threats were released around the world, mostly with malicious intent, to either attack business to break and enter computer networks or to gain personal information for a variety of purposes including credit card theft and social engineering.

There is a new ‘technology landscape’ using the Internet in business.  These threats are sophisticated and may have already penetrated your system without your knowledge and can cripple a business in minutes.

Malicious threats are now termed “malware” and include spyware, phishing, adware, viruses, spam, ‘drive by downloads’, botnets, Trojans, key loggers – the list is long and increasing.

Security firm vendor ScanSafe stated in July 2008 that “Web-based malware increased 278 per cent from January to June – this year” – (TechWorld July 18, 2008).

“There is now more malicious code being created worldwide than there is legitimate software”- said Symantec Corporation CEO John Thompson, (RSA Conference, San Francisco April 2008).

Today every business faces technology threats when using the Internet; it doesn’t matter whether they are large or small organisations – every one of them is a target.

If you are frightened by these comments… good, you need to be.  Your business could be at great risk simply because you didn’t know about the problem.

But you can do something about it.  You can and should use the Internet for business to take advantage of today’s technology – but you need to understand the risks and take precautions.

IT security has changed immensely over the years. We used to be worried about viruses that were transported via floppy disks we would pass around. Then we were worried about getting a virus through email. These days the threats are much more complex and we are having tore look past standard anti-virus software to fully protect our computers against attack.

The Managed Online Solutions that NetDefence provide are proactive in blocking malware. Traditional anti-virus software is reactive. The easy way to look at this is that our services stop malware from ever reaching you, whereas anti-virus software stops them after they reach you. So if you are able to block malware before they can cause you harm, you don’t need anti-virus software anymore, right?

Wrong.

Unfortunately there are many ways for malware to reach your computer. The two most common ways for malware to spread are through email or your web browser, however malware can still be transferred through disks, CD’s, DVD’s, USB drives, chat sessions and many other means. This is why we still recommend the use of anti-virus software.

Having anti-virus software installed though is only half the battle. For it to effectively protect you it needs to be routinely updated from the Internet. Most software will do this automatically for you, however we recommend you check regularly to see that you have the latest virus definitions installed, because as with all security, you are only as secure as your weakest link.