Monday, 26 November 2012

Email Security Your Business!


There are various threats to your business, and one of them is to your email; this applies whatever system or device you are using at the time to check it.
The threats are phishing, spam, email-borne malware, discovery demands and acceptable use violations.

Phishing – emails sent to try to get you to give out personal information such as banking details and passwords. Spear phishing is email personally directed at a user; it may get through your filter and carry a link to a bogus site.

Spam – clicking on spam can be costly, as links can be bogus, and deleting spam mail costs staff time. All of this reduces productivity, and as the saying goes, time is money.

Email-borne malware – email attachments and links can carry viruses and malware that corrupt your operating system or network, so users need to be made aware not to click links in unsolicited email.

Discovery demand – a legal request for email. A good example would be the emails of the Sun and News of the World group during the inquiry. This includes text messages too.
Civil and criminal investigations can bring penalties if you have not archived the email and data.

Acceptable usage violations – staff using company email for personal use, and also using personal devices to send company information. The latest example is the scandal within the CIA and the US Army generals' affairs with their mistresses.

Gen Petraeus and Gen Allen both served in Tampa, Florida, home to US Central Command

Once you are aware of the threats you need to assess them to understand the risk they pose to the company.

How often have you stored your password for your office network on your mobile without using the phone's security features to lock it? Have you sent an email from your business account with personal information in it? That email will be archived by the company and may be used against you in a disciplinary hearing.

BYOD is bring your own desktop/device: many people today use their own devices for work, and these may not be up to the security standard the company requires, causing a non-compliance issue.

Archiving – with suitable software, archiving can be done, and the storage of relevant emails can be important if any legal issues arise. Archive storage can be on-site or in the cloud for easy recovery and for disclosure if required.

Staff and management must be aware of company policies and the law when using various devices within the company. Regular training and updates for staff will also aid compliance with certain legislation, including the DPA.

Social Media
The use of various social media sites to communicate with clients and peers should not be encouraged. Social media is best used for marketing and following trends; business messages sent to and from clients this way can end up in the public domain.
This can lead to a loss of confidence in your ability to manage communication and understand privacy for clients.

Good questions to ask are:
Does the company have an email policy?
Are staff aware of the acceptable use policy?
Do these policies cover staff and BYOD devices, and the business continuity plan?

Sunday, 26 August 2012

Mobile Security

Broadcasting your details

Even with all the court issues between Apple and Samsung, whatever device you use will still need some form of security.
From iPhone to iPad or Galaxy to Galaxy Note, your device leaves a signature wherever you go, as it will try to join a Wi-Fi network, leaving a trail of IP addresses behind you.

While you are connected, anyone on the same Wi-Fi network can push malicious code to your device, and carrying a valuable device will attract attention from unwanted admirers.

General tips to avoid losing it or having it 'jacked', as they say.

Lock your device – using a simple password may be sufficient, and setting the lock to activate after a few minutes of inactivity is a start.

Voicemail – you should also set a password for your voicemail, as the papers proved it can be accessed from almost anywhere using a simple technique. This was published in the press and shown on television, so to protect business information left on voicemail, set a password. Just to let you know, it is a criminal offence, as 'The Sun staff' know.

Update – don't forget to let your updates keep coming, as they always bring small security fixes to the code.

Wi-Fi – it is now available nearly everywhere, so switch it off unless needed. Your device will always try to connect to a network when Wi-Fi is on, and you don't know who is on any network until it is too late.

Anti-virus – always have one installed on your device. Don't forget to get your IT department to secure it if it is a company phone/device.

Segregate your profile – if you use your own device for work, it is advisable to have a work profile and a personal profile to isolate the information on the device.

GPS – when not required, switch it off, as it leaves a trace of your locations. Showing off with Foursquare or Facebook location check-ins can reveal a pattern and affect your personal security.

Apps – switch off apps not in use, as many apps use up power and access the address book and other system settings.

Social media – if using a company device, don't add people unless for business needs. SMS messages can carry malicious software too, so the random text message from your local Indian takeaway may not be from them as you might think.

There are tools you can use when you travel, and apps can be downloaded that will lock your phone if you lose it, and others to secure the files that need it. Also be aware of your personal security, as devices can and will be stolen given the chance.

Wi-Fi and Bluetooth can be easily picked up, as I noticed while I was walking my dog: I was able to access several networks on my phone. This is known as a drive-by and was commonly used by government bodies when sniffing and eavesdropping on criminals etc.

Tuesday, 20 March 2012

2012 Events: Can your Business Cope?

Can Your Business Cope

2012 is an eventful year for the UK and Northern Ireland, with the Queen's Jubilee and the Olympics. With these events come opportunities for scammers and hackers to make gains from unsuspecting people and businesses. The events can also increase pressure on businesses in relation to staff and technical demands.

Scam and Malware

Email scams looking to gather personal and business information; man-in-the-middle attacks when staff browse event-related sites, as these can host malware that runs when you click on them.

Fraud, as in sites offering services and so-called special deals.

Then use the motto "it's too good to be true" and click away from it.

Technical Issues.

These can be anything from needing a new part or piece of equipment sent from a supplier, which can be delayed due to traffic and the demand for equipment.

Bandwidth for internet connections will be reduced because of demand from media and public viewers online. This can cause delays in data transfer, slower download speeds and overrun Wi-Fi signals.

Manning and Traffic.

With more traffic on the streets of London and the special Olympic lanes, staff coming to work can face delays, and trains will be overcrowded with day trippers coming to see events.

So how will you cope when staff, in larger numbers, do not turn up for shifts and days: the infamous sickie or duvet day to watch the sports they like?

When at work, your staff could be using the internet to keep up with all that is happening and watching events live, reducing productivity over the Olympic period.

Global Terrorism and Activists.

With such a large public event, the temptation for all sorts of terrorist groups makes London and various other locations an attractive target to attack for publicity. To minimise the risks, the government has over 13,500 troops and is spending £553 to protect events.
We must also not forget the riots that hit London, Manchester and other places last summer.


So with all that could go wrong, you may wonder what the point is of working during the Olympics. The point is the customer who hates sports and wants the service you're offering or the part you supply, and maybe those 500,000 toilet rolls ordered by the Olympic stadium for the closing event.

Yes, we need to keep working, and planning is the key: plan for your staff to be at work when they can, possibly with a minor incentive for attendance during the period.

Make sure your backups are all working, have been checked, and are set to run regularly.
Plan any major tasks that may need to be completed outside normal hours.
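"Checked" is the part that is usually skipped: a backup job that runs is not the same as a backup you can restore. As an added example (not part of the original post), here is a small verification routine that records a SHA-256 digest of each backup file when it is taken and later reports any file that has gone missing, no longer matches its digest, or is older than the backup schedule allows. The manifest format, file names and the failure scenario in `demo()` are all constructed for the demonstration.

```python
"""Check that backups exist, are intact and are recent.

Added example (not from the original post): a verification routine a small
business could schedule alongside its backup job. The manifest format and the
sample files are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
import time


def sha256_of(path: str) -> str:
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(paths):
    """Record path -> sha256 at backup time; a later check compares against it."""
    return {p: sha256_of(p) for p in paths}


def verify_backups(manifest, max_age_seconds, now=None):
    """Return a dict of problems keyed by path: 'missing', 'corrupt' or 'stale'.
    An empty dict means every backup is present, unchanged and fresh."""
    now = time.time() if now is None else now
    problems = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            problems[path] = "missing"
            continue
        if sha256_of(path) != expected:
            problems[path] = "corrupt"   # truncation, bit-rot or tampering
            continue
        if now - os.path.getmtime(path) > max_age_seconds:
            problems[path] = "stale"     # the scheduled backup did not run
    return problems


def demo():
    """Constructed scenario: three backup files; after the manifest is taken
    one is corrupted, one is deleted and one is made three days old."""
    d = tempfile.mkdtemp()
    files = [os.path.join(d, n) for n in ("accounts.bak", "mail.bak", "crm.bak")]
    for p in files:
        with open(p, "wb") as f:
            f.write(b"backup data for " + os.path.basename(p).encode())
    manifest = write_manifest(files)
    with open(files[0], "ab") as f:
        f.write(b"X")                    # corrupted after the manifest was written
    os.remove(files[1])                  # missing
    old = time.time() - 3 * 86400
    os.utime(files[2], (old, old))       # stale: older than the one-day schedule
    return verify_backups(manifest, max_age_seconds=86400)


if __name__ == "__main__":
    for path, problem in demo().items():
        print(f"{problem}: {path}")
```

The manifest should be stored somewhere the backup media cannot silently overwrite it, and a non-empty result should raise an alert rather than just be logged; a restore test of a sample file on a schedule is the natural next step beyond a digest check.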

Thursday, 16 February 2012

2012 and the Cyberthreat: a hard year ahead

The following information was extracted from an article by Ken Dunham, a Fellow of the ISSA US Chapter.

The cyberthreat is a worldwide fact and does not discriminate by the size of the business you're running.

Some threats:

Duqu – a dirty cousin of the Stuxnet virus, which highlights the international cyberwarfare and espionage still going on between countries.

Zeus – a threat to the financial services sector that continues to plague business, along with its counterpart Zitmo for mobile devices.

ZeroAccess – a rootkit virus with increased stealth and tripwires for its own protection.

Facebook continues to suffer attacks from various criminal organisations and other hacker groups.
These are only a few of the threats, and it's a case of when, not if, I will be hacked or have a security issue from malware or a virus.

There are a lot of cybercriminals out there, but be assured there are also a lot of cyber cops who are trawling the net and working hard against the criminals/hackers.
But they also need your help: introduce a cyberthreat assessment, keep your software up to date, and apply patches when they are released.

2012 has lots of events ahead, like the Olympics and the Euro championships, so the scams will be starting; security for your information and vigilance will be a good start.

In addition, staff awareness and a contingency plan will also help.

Tuesday, 14 February 2012

The Business case

A business case for using an information security management system within a small business

The business

As a small business you should be aware of what information you hold; this can come in various forms of media.
If you are not sure what information is, it can be described as:
data that (1) has been verified to be accurate and timely, (2) is specific and organized for a purpose, (3) is presented within a context that gives it meaning and relevance, and (4) can lead to an increase in understanding and a decrease in uncertainty.

It can come in various forms, e.g. printed, written, oral, visual and electronic. So as a business, no matter which type you are dealing with, it is all information.

A problem then arises when classifying it, and this can cause confusion. Examples of classifications are as follows:
Public – no effect on business operations or image
Sensitive – will have a minor effect on business and brand
Private – will have a personal effect
Confidential – can have a severe effect on business and brand

As your business runs it deals with all forms of information, and therefore you need to consider some form of management and also the legal requirements on the information you hold and how you use it.


A business manager goes to a conference and takes the company laptop. He loses it on the flight, and it holds the only copy of the file for a new product the company plans to release.
The laptop has no password and no other security on it. Later that month a competitor releases a new product which is what you had planned.

The business now goes under.
The company had no formal security policy or management system.

So what happens next?

The company decides to adopt an information security management system, and this can be easily carried out with the right information and attitude.

Although this is a short but extreme scenario, it can happen, and prevention is better than cure.


· It reduces the risk of losing information
· Minimizes the financial impact on the company of security breaches
· Increases efficiency by setting a security standard
· Makes the information more reliable


Organizational costs

· Need to raise awareness for both staff and management
· Adoption or adaptation of a security policy
· Possibly having to release staff for non-compliance

Design & development costs

· Carrying out a review of security
· Preparation of policies, guidelines and procedures
· Redesign of controls

Minimizing costs and time

It can take time to implement the changes needed, and the knowledge required can mean a large outlay on training your own staff to do this.

As a small business, it can take a lot of time that could be spent on business development, so this can be offset by using an information security consultant: they have the knowledge, can spend the time on the implementation, and can take staff through awareness training, minimising the time lost by having several members of staff out of production at the same time.

The drafting of policies and procedures can take time as well, but the consultant will have the knowledge to draft them and, with some consultation, can draft specific policies for certain procedures within the company.

The hardware side can be dealt with by the consultant too, as they will have knowledge of products suitable for the role required.

Friday, 10 February 2012

Awareness and Compliance

Compliance and awareness

As a small business or sole trader you are normally running around wearing various hats, e.g. sales rep, manager, PR and H&S, plus many more. While doing all these roles, information and data are sometimes not recognised as one of the main things that keep a business going. In the current climate, with cloud computing, social media and technology advances in hardware, business owners and managers can be in a constant state of confusion and bewilderment.

This is where an external head can ease the madness, and IT and information security consultants can come into their own with sensible and independent advice for SMBs. The question for SMB owners and management is: are you aware of the regulations and what is meant by compliance? If not, your business can suffer from a lack of knowledge.

But you cannot plead ignorance, as all the regulations are available in various forms.
Compliance with the regulations is mandatory, like the Data Protection Act, the Computer Misuse Act, the Trade Descriptions Act etc. Some of these are industry specific, and if not complied with can lead to fines or, in the case of the Health & Safety Act, even criminal convictions and prison.
Therefore it is beneficial for small businesses to be aware of them even if they may not understand them. That is where a consultant can advise them.

Breaches of data protection can be costly to companies, both in fines and in the loss of credibility, which could break a business. So, business owners, don't be confuddled. Seek advice and help to introduce policies that will lead to compliance and thus reduce risks.