This week, Get Safe Online.org announced the key findings of a new piece of research relating to the security readiness of micro businesses (small businesses with fewer than 10 employees). With 95% of small businesses having no dedicated IT manager, nor access to an external security consultancy company, how do these businesses remain fully up-to-date with all the latest online security issues?

Small businesses, from local tradesmen through to small retailers, are becoming increasingly reliant on their computers and the internet, but what happens when the local window cleaner’s schedule of work, including names and addresses of all his clients, are hacked from his home computer? Or all his financial information is erased due to a virus or trojan – details regarding his PAYE, VAT and all his expenses gone! With no thought having ever been given to backing up his system.

More concerning is the thought of a local retailer that stores all its customer financial details on their business computer, holding details of the clients’ direct debit details, names, addresses, bank sort codes and account numbers, and to go with them, personal telephone numbers to add authenticity, losing all the information to a targeted hack as a result of being linked to the internet without adequate protection.

But do these small businesses even know these risks exist?  How do we let them know, without seeming to burden them with even more work on top of the demands all businesses have to deal with? What happens when details of customers do become public as a direct result of a cyber attack and the local community loses confidence in providing any form of information to a business weather online or off?

Get Safe Online.org recently sat around the table with a number of small business organisations to discuss these issues and problems, share ideas and common goals, and work on plans to reach out to this very important section of UK business to build awareness and provide advice.

Doing nothing because it’s too hard to deal with is not an option.

- Tony Neate, Managing Director, Get Safe Online

New research from McAfee, the security software company, suggests that employees are putting their companies at risk by cavalier attitudes to confidential information.  The survey of 600 office workers across Europe reveals:

• 132 million sensitive documents are being taken out of UK offices each week on portable devices.
• 52% of European employees would take company data with them when they leave.
• Employees are increasingly using portable devices, including memory sticks and mobile phones to remove confidential data from their businesses.
• Employees frequently print out company financial information (83%), customer records (83%) and legal contracts (87%) but over half fail to shred them.

 Read Get Safe Online’s advice for small businesses, which covers staff policies, encryption and preventing theft with portable devices.

Technorati Tags: Business, security, data theft, McAfee, employees

Carnegie Mellon CyLab has just published the second edition of its Common Sense Guide to Prevention and Detection of Insider Threats.  (Hat tip to The Register.)

Insider threats such as fraud or sabotage are, in many ways, the most insidious and most dangerous.  This report analyses 150 actual cases.  It recommends that companies:

1. Institute periodic enterprise-wide risk assessments.
2. Institute periodic security awareness training for all employees.
3. Enforce separation of duties and least privilege (i.e. people only get the computer access and rights they need to do their job and not more).
4. Implement strict password and account management policies.
5. Log, monitor and audit employee online activities.
6. Use extra caution with system administrator and privileged users.
7. Actively defend against malicious code.
8. Use layered defence against remote attacks.
9. Monitor and respond to suspicious or disruptive behaviour (often the precursor to more serious problems).
10. Deactivate computer access when someone leaves the company.
11. Collect and safe data for use in investigations.
12. Implement secure backup and recovery processes.
13. Clearly document insider threat controls.

Technorati Tags: Insider, attacks, security, CyLab, Carnegie Mellon

Gartner, the IT analysts, predict that by the end of 2007, “75% of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defences.” (Source: BBC News.)

Visit Get Safe Online’s business advice centre to learn how to protect yourself.

Many businesses have servers, email systems, backup systems, network routers, administrator accounts and so on. All of these require passwords. In some cases, companies have more of these ‘super-passwords’ than they do employees.

Because they are the keys to the kingdom – imagine what would happen if a criminal had direct access to your email server or a competitor could access your file server – these passwords are especially important.

A recent survey by Cyber-Ark Software, an IT security company, found that while most individual passwords are updated:

• 13 percent of router passwords are never changed
• 21 percent of local workstation administrator passwords are never changed
• 13 percent of server passwords are never changed

Get Safe Online has detailed advice about choosing strong passwords and we recommend choosing new, strong passwords for any internet-connected device or piece of software. Never use the default, out-of-the-box setting. In addition, we have detailed advice for small businesses, including this article on controlling access to sensitive data.