Employers

The enormous amount of information a business keeps about clients, suppliers and staff is stored and maintained on electronic media i.e. hard drives, computers, servers which can be damaged, lost or stolen.  There is an obligation on employers to ensure this information is protected.

Here are just two areas of compliance relating to technology use in business to think about.

Employees

All business owners have an obligation to protect their employees.

Traditionally this has involved providing a safe workplace physically – now it includes a safe technology environment.

The fact is, today the use of electronic resources gives rise to potential misuse by employees.  Such misuse may be in contravention of laws including equal opportunity and discrimination, defamation and infringement of intellectual property.  This is a technology threat.

It can occur when employees use their computers to:

a.     Harass other employees through messages containing racial slurs, pornographic images or gender related remarks.

b.    Defamation can occur where a message contains a false statement that subjects an individual to hatred, ridicule or contempt.

c.     Emailing information from the Internet or printed material without authorisation of the author/publisher.

Employers may be exposed to “Vicarious Liability” which means employers may be held liable for unlawful or inappropriate use of technology (and other areas) by employees.  To avoid liability employers must demonstrate reasonable precautions and due diligence.

One method employers could use to protect themselves is by managing electronic mail, Internet browsing and archiving of emails so they can be in control of what is allowed in and out of the organisation.

This is now possible to do without buying any hardware or software (i.e. as a service) and it’s inexpensive.

Data Retention

There is another obligation for employers associated with using today’s electronic resources – retention of electronic documents. Example: Privacy Act 1988 Section 4a – “An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.”

http://www.privacy.gov.au/publications/npps01.html

There are numerous government Acts which reinforce the message about maintaining access to electronic company information for a long period, including the Electronic Transactions Act, The Australian Taxation Act and the Industrial Relations Act – but there are many more.

In fact it can actually work against you if whilst involved in a legal matter it is perceived that you destroyed or didn’t demonstrate any duty of care for company data.

Today employers need to show they have taken ‘reasonable steps” to protect the information in their care.

This could involve strict policies regarding backing up data regularly, offsite storage, disaster recovery/business continuity planning and even the use of external services.

Some of the services that can assist an employer include the automatic archiving of all electronic mail and attachments, as today these are legitimate business documents.

Speak to your IT provider about what services they offer which can help you protect your business from exposure to compliance related technology threats.

Note: This document should not be viewed as legal advice. If you need to explore these topics further you should consult your legal advisors.

Rather than purchasing new software which requires installation and maintenance on your own computer network, SaaS allows you access to whatever software you may need remotely, for a small fee.

For many businesses this reduces the significant time and cost associated with managing a complex hardware and software network.

The responsibility for managing upgrades or patches rests with your SaaS provider. No installation is required to make an application available to another staff member. And no matter where you are, if you can access the Internet, you have access to the software you need.

Salesforce.com is an example.  This company provides a Web-based Customer Relationship Management (CRM) solution for sales, service, marketing and call centre operations. You subscribe and gain access to the service over the Internet from anywhere in the world.

Why SaaS for Business?

There appears to be a number of benefits to a SaaS solution:

1. No initial outlay
When purchasing software for installation on your network, you are faced with a significant up-front investment – not only for the application, but also for its installation on all computers within your organisation (plus hardware). A SaaS solution requires no upfront investment.

2. Your application works immediately
There’s almost no lag between choosing your software solution and having it up and running.  With no requirement to install either hardware or software most SaaS applications are active within 24 hours.

3. Fixed costs
SaaS services are offered on a subscription basis. You pay to have access to an application.  All associated costs are included within the subscription cost – support, security and upgrades etc.

4. No network interruptions for installation/upgrades
All new software, upgrades and patches are installed by the SaaS provider.

5. Less risk
Once you purchase software or hardware you own it. With SaaS you pay only for the period in which you use the software. This allows some flexibility for changing needs in the future.

Why SaaS for security, such as email cleansing, Internet management?
A SaaS solution may be the best choice when considering the security of your network and how   email and web-based tools have become essential to business today.  But at the same time, the threats that email and web browsing expose a business to have become more extreme.

Today you can use security measures that stop threats before they reach your network.  Proactivity is more effective than being reactive; a SaaS security solution is a successful way of creating a secure buffer around your network.

Here’s why:

1. Threats change at an astronomical rate.

2. Your bandwidth is being sucked up by email you don’t want
If over 90% of email is spam it has no business being in your network. You don’t want the mail, you certainly don’t want it clogging up your bandwidth and costing you money.

3. Your people are increasingly mobile
What happens when your people work remotely?  They still access your network.  A SaaS solution is active whenever they access the Internet, from wherever they may be.
4. Productivity and efficiency are key contributors to business success
SaaS can provide a valuable insight into how email and the Internet impact your business. As well as specific information regarding what’s being received, sent and accessed, appropriate reporting can give a snapshot of what trends exist.

Summary
If you’re looking for ways to ensure your business has the most cost-effective means of accessing software and ideas to make your technology more efficient, productive and secure then a SaaS security solution is well worth investigating.

A Zero Day Exploit is any vulnerability in software that is unpatched at that point in time. Zero Day Exploits are constantly being found by anti-virus companies and patches are released, but the time in between is when your computer is at high risk.

Today (25th February 2009) a Zero Day Exploit has been found for Microsoft Excel and appears to be affecting all versions on all operating systems. This exploit allows someone to run code on your computer which can install a trojan called Trojan.Mdropper.AC. It is highly recommended you are very cautious in opening Excel files over the next 24 hours and ensure you run an update on your anti-virus software.

When a Zero Day Exploit like this occurs, your only defence may be using your own smarts to determine whether an email is legitimate or not. Ask yourself, do I know this sender? Am I expecting this email and attachment? If you can’t answer at lease one of these questions, it is best to delete the email and keep your computer virus free!

In the years since the Internet first came on the scene, the security scenario has undergone rapid changes and developments as threat and counter-threats have been developed and deployed.
As IT security threats continue the form and nature of these threats may not be what most people expect – or even suspect.

Here are some of the top security threats you will hear more about during 2009:

Lost Laptops and Careless Employees

The increasing portability of laptops and storage devices is of concern. This increases the chances of these portable computing and storage devices being stolen not only for their resale value, but for importantly the information contained within. This problem is compounded by the apparent lack of security awareness by many employees which extends to employees and their internet-based social networks.

Weak Policies
IT security experts have also expressed increasing concern over identity thefts.
While most companies limit physical access to employee records, many companies still have vulnerabilities in terms of systems and procedures in handling these.

Many companies do not purge data when the company’s computers are reassigned or disposed of; others do not even install passwords on employee computers; still more do not encrypt personal information when these are transmitted over the Internet or company networks.

Overconfidence
Some business owners feel their company’s security is more than adequate to meet existing and potential threats. Anti-virus, anti-spyware, anti-spam software and improved techniques have all contributed to the complacency of businesses.

However, security is 24/7, check, double check and triple check, random reviews and tests. It is a never-ending activity and while automation may have relieved the pressures a bit, there is no room for error or overconfidence – especially as many threats are coming from unexpected sources.

What can you do to minimise exposure to your business?
Analyse your security policies and procedures – if you don’t have any in place, start on them now.
Work with your technology providers. They should have some good ideas about what you can do to improve your protection.

Consider some of the smarter technologies now available such as managed online solutions that protect your business from outside your network. Rather than buying hardware and software which you have to maintain and replace every few years, you can ‘turn on’ security services which operate from the Internet, are updated constantly and cost less than a hamburger per person per month.

Enterprising cyber criminals will no doubt see this as an opportunity to fleece people of their personal details through a phishing scheme. The Australian Tax Office Commissioner Michael D’Ascenzo has already stated “We are worried that unscrupulous people will use the interest surrounding the payments as an opportunity to try the usual scams”.

In the US, where similar plans are taking place a scam has already surfaced. Whilst this scam seems to be inactive currently, it looks like it was designed to encourage the recipient to download a trojan disguised as an application form. This simple trick could enable the trojan to be installed on your computer in the form of a key logger, spam server or other internet threat.

The ATO (or any other organisation for that matter) will never ask you to provide personal details via email. If you receive an email you are suspicious of, do not open it. Scams can be reported at http://www.scamwatch.gov.au. If you’re not sure about an email it is better to speak with the company affected (Such as the ATO) to check if it’s legitimate than to risk compromising your computers security.

This is a term to describe an Internet service that focuses on building online communities of people who share common interests and activities, or who are interested in exploring similar ideas and thoughts with other people.

Today there are hundreds of social networking websites on the Internet, but the ones you will probably have seen or heard are Facebook, MySpace, YouTube and Bebo.

Some large organisations use these sites to deliver internal training and communications whilst others view this communication as a tool to develop business relationships.

Currently there are different views offered online about whether real business can be developed through social networking sites, if the relationships are superficial, and if it can possibly replace face to face relationship development.

Today most businesses see social networking as a threat to office productivity; employees can spend a lot of time communicating with friends about a myriad of social issues during office time instead of working.

The Age newspaper reported that Facebook alone could be costing Australian business over $5 billion in lost productivity per year. Note this article was published in August 2007!

Outside the workplace the availability of computers with Internet access has made it much easier to communicate with friends and relatives more often.

According to a study by Nielson Online (Sydney, March 2008) the amount of time Australians are spending online has, for the first time ever, surpassed the amount of time spent watching television.

So this has created a problem for employers as they are not only responsible for employee activity on the Internet, now they need to protect themselves from staff using their computers for the wrong purposes.

Once again technology has provided the problem and the answer. There are solutions employers can use to control Internet use within their business and they typically come in two forms: in-house and managed online solutions (over the Internet).

The in-house solution requires you purchase hardware, software and ongoing management from the IT team, which large businesses can normally justify.

But it is different for small businesses that do not have a single IT person on staff. This is where the ‘online managed solution’ works for them.

They typically pay a small fee per user per month i.e. $5 which allows them to manage Internet for their company any way they choose. This means they can control where staff can go, block inappropriate or time wasting sites and view overall activity every month with sophisticated reports. Some services also provide additional threat protection against malware and viruses.

When a business decides to implement either of these solutions they should develop a company policy and make all staff fully aware of it.

One thing is for sure… Internet use in business is here to stay.

This can cause them to be in danger of some type of fraud, providing private information about the company or its users, or even being apart of a cybercriminal’s network acting as a robot – unknowingly.

This could have occurred for a variety of reasons; users on a network may have visited websites containing suspect pop-ups or they could have downloaded a dangerous file, or sadly, they may have done nothing more than typed in an Internet address and become infected.  But one thing is for sure – if the company network had the appropriate focus on network security it may have been avoided.

If your company has not addressed the security of your network as part of your business plans, it is imperative you do it now.

The strength of your computer network’s security is critical.  It is really important to review how your network defends your business from the thousands of threats that amass every week when using the Internet.

But security involves a lot more – what about physical access to your systems? Can someone walk in with a USB stick, plug it in and infect you?  What about passwords?  Do you think about passwords when designing them or are you using a simple one that a 15 year old could work out in five minutes i.e.”Admin”?

There is a saying in the industry; ‘your security is only as good as its weakest point’; meaning if you are lax in just one area of your technology’s security, you set yourself up as a target.

If you do not understand how your network is connected and how the security is setup, get your IT provider to explain it to you – in plain English.

They should speak to you about a number of areas:

1. How your business connects to the Internet

2. What protection you have installed – firewall, up to date solution for viruses, spam and malware for all machines including laptops, desktops and servers

3. How to improve your plan so you can sleep at night.

4. Review your security strategy on a regular basis.  There is an incredible amount of threats out there and you may need to update your solution occasionally

Today you have the advantage of using sophisticated technologies to fight the ‘bad stuff’.
NetDefence can clean your email prior to receiving it and allow you to manage Internet access outside your network, meaning you don’t pay to download it.

Or this: Another staff member browses a website like Yellow Pages, Sensis or BigPond and clicks on a picture or advertisement where they are prompted with a message to ‘scan their computer for security reasons’.  Upon clicking yes, they are now infected with a Trojan Horse which installs code that sends passwords, banking details and other private information back to a hacker.

Both of these examples are real and occurred last November right here in Australia. During 2007 over 500,000 new technology threats were released around the world, mostly with malicious intent, to either attack business to break and enter computer networks or to gain personal information for a variety of purposes including credit card theft and social engineering.

There is a new ‘technology landscape’ using the Internet in business.  These threats are sophisticated and may have already penetrated your system without your knowledge and can cripple a business in minutes.

Malicious threats are now termed “malware” and include spyware, phishing, adware, viruses, spam, ‘drive by downloads’, botnets, Trojans, key loggers – the list is long and increasing.

Security firm vendor ScanSafe stated in July 2008 that “Web-based malware increased 278 per cent from January to June – this year” – (TechWorld July 18, 2008).

“There is now more malicious code being created worldwide than there is legitimate software”- said Symantec Corporation CEO John Thompson, (RSA Conference, San Francisco April 2008).

Today every business faces technology threats when using the Internet; it doesn’t matter whether they are large or small organisations – every one of them is a target.

If you are frightened by these comments… good, you need to be.  Your business could be at great risk simply because you didn’t know about the problem.

But you can do something about it.  You can and should use the Internet for business to take advantage of today’s technology – but you need to understand the risks and take precautions.

The Managed Online Solutions that NetDefence provide are proactive in blocking malware. Traditional anti-virus software is reactive. The easy way to look at this is that our services stop malware from ever reaching you, whereas anti-virus software stops them after they reach you. So if you are able to block malware before they can cause you harm, you don’t need anti-virus software anymore, right?

Wrong.

Unfortunately there are many ways for malware to reach your computer. The two most common ways for malware to spread are through email or your web browser, however malware can still be transferred through disks, CD’s, DVD’s, USB drives, chat sessions and many other means. This is why we still recommend the use of anti-virus software.

Having anti-virus software installed though is only half the battle. For it to effectively protect you it needs to be routinely updated from the Internet. Most software will do this automatically for you, however we recommend you check regularly to see that you have the latest virus definitions installed, because as with all security, you are only as secure as your weakest link.

This has been a hot topic of late, with coverage in a lot of mainstream media. There are two trains of thought: First that Facebook is a waste of company time and should be blocked and second that employees are increasingly demanding access to social networking sites and may leave to find a job that will allow them to browse what they want whilst at work. So what should you do in your workplace?

Social Networking is on the rise, no matter which way you look at it. Facebook and MySpace both boast over 100 million users and are growing at a rapid pace. Add in sites like YouTube, Bebo and Orkut and you have a good share of the most visited websites in the world. The alarming thing for business owners is the amount of time users spend on social networking sites. As these sites encourage interaction between users, people are spending more and more time doing just that! With the majority of businesses having Internet access for employees, the temptation to get off topic at work has never been greater.

Last year Facebook was suggested as a $5b Waste of Time in an article by The Sydney Morning Herald. Whilst these claims may be over the top, there is certainly a cost associated with employees socialising rather than working.

So why would you want to allow these sites? Well in time you may not have a choice! Legal firm Deacons found in their Social Networking Survey 2008 that half of the respondents surveyed would refuse to work for an employer that blocked access to social networking sites. 76% of the respondents said that they see benefits to their organisation from allowing social networking sites. With current labour shortages and an increasing difficulty in employers finding good staff, the decision may already be made for you.

Let’s assume however, you don’t want to be forced into allowing your staff access to these sites, could they actually benefit your business? Well according to NASA, quite possibly! As of May 2008, NASA are trialling SocialCast, a business themed social network. SocialCast aims to take the interaction between users of these sites and put it to use in business. By allowing the exchange of ideas, comments and suggestions over your businesses SocialCast website, your users are participating in social networking and working!

Another popular business themed social network is LinkedIn, which has seem high adoption amongst mid level management and higher in many large corporations throughout the world. LinkedIn allows people to network or make contact with other professionals in their field and is now seen as an excellent recruitment service.

So whilst your business may not yet be ready for a move to a service like SocialCast, blocking your staff completely from social networking sites may require some more thought. With staff the biggest asset of any business, can you afford not to listen to them?