Are You Digitally Protected?

Digitally Protecting Your Business

Your business is all set to go; the stationery is printed, the phone is on, the internet is pulsing at the modem, you’re about to make your first contacts! The excitement is building! Stop!

But have you thought about how you will protect your business in the digital age? No, then it’s something you should do and right now is the best time to do it.

IT security is an absolute necessity for any business. Start right now; at the beginning of your business’s life, before you have to deal with the consequences of not protecting your digital assets. Or before you get into too many bad and insecure practices.

IT security is a large and complex area; sadly one that put’s off many new businesses, because they don’t understand what they need and when.

Never fear. Here are the basics you need to know. Doing nothing is not an option.

Risk Assessment

First you need to assess the risks. Let’s assume you are a small business with one or two employees. I’ll assume you have two computers (it doesn’t matter if they are desktops or laptops), a broadband internet connection and a company website (hosted by a third party).

The principle threats could be:

• Hacking of your company website;
• Hacking into your company’s computers via the internet;
• Interception of your emails;
• Spoofing of your emails;
• Leakage of your company information and IP;
• Online file exchange – interception, compromise and alteration;
• Loss of data by fire or theft of computer equipment.

Most business people also have smartphones and tablets, where these are used to exchange files and send/receive emails, the same security concerns coexist. Be sure that the solutions you deploy cover these items too.

The next step is to document your response to these threats.

This list is a starting point. I’ll deal with each of these threats as they affect our assumed company.

1. Hacking of Your Company Website

Since we are assuming a hosted site by a third-party supplier this requires no additional funding, just some due diligence; asking the right questions of the third-party supplier and getting the written statement of security from the same.

Seems obvious doesn’t it with our new “IT security hat” on? You’d be surprised at how few small businesses concern themselves with this basic requirement when selecting their hosting partner.

2. Hacking Into Your Company’s Computers

Probably a low level risk, but still a risk, given that you have no network continually connected via the modem to the internet. You need to adopt some basic good practice policies. Password-protect your modem’s administrator setup (change the default factory password) and engage your computer’s firewall to block incoming connections from unknown sources. These two steps alone will reduce the threat to a minimal acceptable level.

3. Interception of Your Emails

When you send an email it seldom goes from sender to recipient in one unbroken point-to-point way. More often it will pass via multiple servers, where copies might be taken (legitimately for continuity reasons), there might be temporary copies made for the same reason as above. As a result they are open to the possibility of unauthorised access. You may have read in the press that some email handlers are routinely intercepting and reading emails for commercial reasons. Do we want this to happen to our business mail? I would say, probably not. To counter this threat see below ‘Make use of Encryption”.

4. Spoofing of Your Emails

Email spoofing is the act of creating an email with a forged sender address in order to fool the recipient into believing it is an authorised email from a known accepted sender. An email can be spoofed after being read at one of the interception points we discussed above, or if the person conducting the spoof already knows the recipient’s email address. See “Make use of Encryption” below to help mitigate the risk.

5. Leakage of your company information and IP

Data leakage can be the result of email interception, your message is read and any sensitive information contained within the email is made public knowledge or used maliciously to defraud you. An employee of your company who is an authorised user of your email system could deliberately leak information or your IP via an email. It’s certainly less visible than walking out the front door with an arm full of paper containing this information. ‘Making use of Encryption” (below) will help you.

6. On-line File Exchange

Many people have started using third-party file exchange services such as “Dropbox”, because files can be too large to be sent as attachments to emails. These file exchange services are subject to unauthorised access to the files stored on them in much the same way as having email intercepted on a server it passes through on route. Use of encryption (below) is a good place to start.

7. Data loss by Fire or Theft

The final threat that is posed is the loss of data due to fire or theft. This can be countered very easily by making sure you do regular daily and weekly back-ups, these back-ups should preferably be stored off-site at another location.

IT Security Policy

Once you’ve finished the risk assessment you can produce your own company IT security policy document. This is something that all directors and employees should have access to and adhere to. It sets out the framework of how each user should conduct business online.

Topics will include common sense good practice guidelines, such as;

• never open emails from unknown sources,
• don’t open unknown programs from any source,
• don’t click on links within websites that are unknown,
• don’t leave passwords laying around on post-it notes. etc

Each company’s risks will be slightly different.

Make Use of Encryption

Encryption deals with four of the above threats. But already I can hear you saying… “Hang on a minute, we can’t just arbitrarily start to use encryption when communicating by email with our suppliers, partners and clients or when sharing files, it’s far too complicated and probably too expensive”.

It needn’t be complicated or expensive. Modern secure digital communications can be user friendly and affordable. Let’s take a simple look at what I’m proposing.

Email encryption can be viewed as the digital equivalent of writing a letter, which is then posted in an envelope (so that the message cannot be read on route) rather than sending your message on a postcard (which of course could be read on route). Would you happily send all your business mail using a postcard?

Historically, the problem was how can I send something to a recipient that is encrypted when they will not have the ability to decrypt it? Now there are solutions that offer an effective, efficient solution and with a third-party endorsement.

Key Exchange

For encrypted email to work there has to be a way of securely exchanging your key that locks the email within its “encrypted envelope”. To increase the security of the encryption system we need to use two keys (they are known as a key pair). The first is your public-key, used to decrypt data that has been encrypted by you, using the second key known as your private-key.

The production of these key pairs is performed as a background operation by the securing system using your email address (yourname@yourcompany.com), this unique data string ensures that the key pair is linked to you and not usable by any other person. At the same time that it produces this key pair it produces a second key pair for your recipient linked to their email address. Delivering these to the recipient as it sends them your public key, along with your first encrypted email. It does this so that they may reply to you in encrypted form without the need for them to necessarily be users of the same encryption system. Instantly there is no technological barrier to using email encryption.

Ticking Off the Threats

The interception of your emails on route is now rendered useless, since the contents can no longer be read by anyone but the authorised recipient.

The spoofing of your emails or those of your recipients cannot be achieved since the attacker would not be able to produce an encrypted email that could be decrypted by the respective private-key.

Data leakage is dealt with in two ways; firstly and most obviously since the content of the encrypted email cannot be read on route casual leakage is taken care of, with regard to an employee smuggling information out of the business by using your email system. Your system will now demand that each email is either encrypted and audited or at least audited. This way an audit log is created detailing who sent what, to whom and when. This goes a long way to discouraging employees from using email to steal or leak information to others. For very sensitive information it can be set as a rule that the system encrypts it by default.

The same system I have described here is also capable of being used for secure file exchange with no associated size restrictions but all of the associated benefits.

Wrapping Up

This covers off the threats we have identified here. I have over simplified the descriptions of both the threats and the counter threats to allow you to understand the ideas discussed here. There are counter measures available that every business should consider before they learn the hard facts of not taking IT security seriously.

Not the Whole Story

This brief overview is not the whole IT security story but I hope it has served as an introduction for those who see the value in protecting their businesses from the digital threats posed today. You can read more and delve deeper into this interesting facet of computing at SecurityForum.org  or Egress.com.