Saturday, 30 July 2011

Business Security Awareness - What every Business needs to know

When you are running a business, you depend on technology, devices and IT services, you need to be aware of several security implications. The greater the level of access to the numerous systems you have in place, the greater the number of security precautions you must take to protect each and every part of the system, whilst allowing access to users.

The Dangers

No matter what kind of business you’re running, your IT infrastructure could be the target of one or more of the following attacks:
  • Internal
o A disgruntled employee seeking revenge
o An employee trying to defraud the company
o Industrial Espionage
o An employee trying to gain unauthorized access to information
  • External
o Random Attacks
oTargeted Attacks
§ Industrial Espionage
§ Hacktivism
§ Financial Gain
§ Disgruntled ex-employee seeking revenge


Types of data that are highly prized include: Internal attacks are generally the most insidious: The individual launching the attack often has a good understanding of what security measures he/she is up against and the requisite knowledge to bypass those measures and ensure the attack is undetected. When disgruntled employees are the source of trouble, they are highly motivated and unlikely to give up easily. Apart from taking revenge on the employer, some ex-employees see considerable financial gain if they steal valuable and confidential data which they can then sell on to unscrupulous competitors:
  • Client lists
  • Clients financial data
  •  Trade secrets for which competitors might be willing to pay significant amounts of money.

External attacks can take on multiple forms. Many hackers simply perform random internet scans for known vulnerabilities. They are looking for easy targets – those who believe that, because they are a small company, no one really has the motivation to attack their small IT infrastructure and that their systems are therefore safe. They also have no idea that most of these attacks are not targeted but carried out by programs designed to look out for vulnerable systems through random internet scans. These programs are not run within specific parameters, they do not distinguish between Microsoft and the small corner grocer – if the IT system is connected to the Internet, they will attack both.


Targeted attacks, as the name implies, are those that are designed and executed against your IT infrastructure with intent. Targeted attacks are carried out for various reasons, including:
  •  They have easy access
  • They know which systems are vulnerable
  •  The target business does things that go against the hacker group ideology
  •  Targets seem to have lax security
  •  Target systems are considered to be valuable data sources
  • Competitor paid groups engage these attacks to carry out industrial espionage on your business

For each of the above reasons, your business can become a target – the only variables are the size of the business, the infrastructure and the type of operation. A wireless Access Point in operation might provide easy access, especially if there is parking space nearby. If your IT infrastructure is not regularly patched and maintained it will most likely have known vulnerabilities. Your business might operate in an industry or have business practices that a hacker group might be ideologically opposed to. If you are running a small shop that is not IT oriented, attackers might believe that the business is likely to lack proper security and could therefore be an easy target.

The bottom line is that business size is not really an effective defence; small businesses make a good target for some attackers inasmuch as larger businesses make a good target for other attackers.

What should one do?

What is crucial for businesses is that they understand the implications of weak security and there is a high level of awareness within the organization. There are many resources online that show businesses how to go about securing an IT infrastructure. Always keep in mind that security is about achieving a cost to benefit ratio. If mitigating a risk costs more than the risk itself, it does not make sense to manage that risk. Conversely, mitigating no risks at all will be a very costly decision as the likelihood of a network being compromised increases substantially. Every compromise, no matter how small, costs money – be it to restore the system, the loss of important information or the loss of the business’ reputation.

The following is a list of must-have security measures for any business:
  • Patch management (make sure your software is up-to-date with the latest security patches)
  • Antivirus
  • Proper configuration (do not be content with having servers/services simply running; look up guides and make sure the configuration you have set for your servers/services is optimal from a security perspective)
  • Close any unused ports and promptly remove unused/retired user accounts
  • Ensure no unnecessary shares are open
  • Ensure proper access control
  • Monitor logs /events
  • Test your web applications for security (in 86% of all attacks a web interface was exploited)
  • Implement a vulnerability management program (regularly test the controls above work and intelligently spend budget on the verified issues that impact your business the most)

Security is a vast subject and some people may find themselves at a loss trying to understand and manage security risks. However, every bit of knowledge helps. If you are aware of the dangers you are in a better position to avoid them.

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software development company that provides a single source for network administrators to address their network security, content security and messaging needs.

All product and company names herein may be trademarks of their respective owners.