Simplifying
IT Security
Kaspersky Lab Limited Edition
By Georgina Gilmore and
Peter Beardmore
Simplifying IT Security For Dummies®, Kaspersky Lab Limited Edition
Published by
John Wiley & Sons, Ltd
The Atrium
Southern Gate
Chichester
West Sussex
PO19 8SQ
England
For details on how to create a custom For Dummies book for your business or
organisation, contact CorporateDevelopment@wiley.com. For information
about licensing the For Dummies brand for products or services, contact
BrandedRights&Licenses@Wiley.com.
Visit our Home Page on www.customdummies.com
Copyright © 2014 by John Wiley & Sons Ltd, Chichester, West Sussex, England
All Rights Reserved. No part of this publication may be reproduced, stored in a
retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the
Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by
the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London, W1T 4LP,
UK, without the permission in writing of the Publisher. Requests to the Publisher
for permission should be addressed to the Permissions Department, John Wiley &
Sons, Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, England,
or emailed to permreq@wiley.com, or faxed to (44) 1243 770620.
Trademarks: Wiley, For Dummies, the Dummies Man logo, A Reference for the Rest
of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com
and related trade dress are trademarks or registered trademarks of John Wiley &
Sons, Inc. and/or its affiliates in the United States and other countries, and may not
be used without written permission. All other trademarks are the property of their
respective owners. John Wiley & Sons, Inc., is not associated with any product or
vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER, THE AUTHOR, AND
ANYONE ELSE INVOLVED IN PREPARING THIS WORK MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS
WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION
WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED
OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH
THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL,
ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS
REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT.
NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS
A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN
THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION
OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS
SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED
OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
Wiley also publishes its books in a variety of electronic formats. Some content that
appears in print may not be available in electronic books.
ISBN 978-1-118-84041-2 (pbk); ISBN 978-1-118-84822-7 (ebk)
Printed and bound in Great Britain by Page Bros, Norwich
Introduction
Welcome to Simplifying IT Security For Dummies –
your guide to some of the information security
challenges that all sizes of business face in today’s
Internet-connected world. With valuable tips and
pointers, this book aims to help your business ensure
that sensitive information remains secure – so you’re
less likely to incur regulatory / legal penalties or suffer
damage to your business reputation.
Although the computing breakthroughs of the past
decade have helped business owners to cut costs,
boost efficiency and deliver even better levels of
customer service, those same new technologies have
created opportunities for hackers to attack innocent
businesses. More than ever before, all businesses –
even those that think they’ve got no confidential
information that they need to protect – should be
aware of the risks and how to avoid them . . . so that’s
why we’ve written this book.
About This Book
Although it’s small, this book is crammed full of
information to help growing businesses work out how
best to protect confidential information – including
sensitive information about their customers – and how
to secure their computers and mobile devices against
viruses, malicious attacks and more.
From the smallest businesses to the largest corporations,
every organisation is at risk from the sophisticated
methods that hackers use to access confidential
information and steal money from business bank
accounts. Whereas large multinationals can afford to
employ teams of IT security specialists, smaller
businesses are less likely to have in-house IT security
expertise. Simplifying IT Security For Dummies sets out
to help businesses by raising awareness of:
✓ Why virtually all businesses have sensitive
information that they need to protect.
✓ The range and nature of today’s information
security risks.
✓ The simple, ‘no-cost’ measures that help businesses
to protect confidential information.
✓ The easy-to-use products that can greatly improve
information security.
Foolish Assumptions
To help ensure this book provides the information you
need, we’ve made a few assumptions about you:
✓ The business that you own, manage or work for
uses laptops, desktops and / or mobile devices.
✓ You need to make sure your business doesn’t fall
foul of any information security regulations.
✓ You’re keen to ensure your business’s confidential
information remains confidential.
✓ You’d like to learn how to prevent hacker attacks
affecting your business’s day-to-day activities.
✓ You may be considering storing some of your
business information in ‘the cloud’.
✓ You’d welcome some tips on how to choose IT
security software that fits your business.
How This Book Is Organised
Simplifying IT Security For Dummies is divided into six
concise, information-packed chapters:
✓ Chapter 1: Why All Businesses Need to Protect
Sensitive Information. We explain the pitfalls of
having a false sense of security.
✓ Chapter 2: Working Out What Your Business
Needs. Even though all businesses need security,
this chapter considers how security requirements
can vary.
✓ Chapter 3: Discovering the Truth About Security
Threats. Learn why today’s IT is more complex
and the threats to businesses more dangerous.
✓ Chapter 4: Planning for Better Information
Security. Assess the risks – then make sure your
business knows how to avoid them. We also give
you some points to consider for securely storing
information in ‘the cloud’.
✓ Chapter 5: Choosing Security Software to Suit
Your Business. With so many products on the
market, we explain the factors that can help you
make the right selection.
✓ Chapter 6: Ten Questions to Help Identify How
to Protect Your Business. Use these questions as
a useful checklist when considering what you
need to protect your business.
Icons Used in This Book
To make it even easier for you to find the information
you need, we use these icons to highlight key text:
This target icon draws your attention to
top-notch advice.
The knotted string highlights important
information to bear in mind.
Watch out for these potential pitfalls!
Where to Go from Here
This book is a quick and easy read. You can dip in and
out of the text as you wish, or you can read the book
from cover to cover. Whichever way you choose, we’re
sure you’ll find it packed with great advice on how to
protect your customers’ information and the other
valuable data that your business stores and processes.
Chapter 1
Why All Businesses Need to
Protect Sensitive Information
In This Chapter
▶ Assessing the extra burdens on smaller businesses
▶ Securing precious business information
▶ Avoiding the perils of a false sense of security
▶ Understanding why cybercriminals target all sizes of
business
In this first chapter, we look at some of the reasons
why businesses are subject to information security
risks – and why it’s unwise to try to sweep those
security issues under the carpet.
Businesses Are Under Attack
In the information age, knowledge is power. The
information your business holds – about its specialist
know-how, its products and its customers – is vital to
your ongoing success. If you were no longer able to
access some of that precious information, it could
affect the day-to-day running of your business. Even
worse, what would be the consequences if that
information fell into the wrong hands – a criminal’s
hands? Furthermore, what if a criminal could gain
access to your computers and steal your business’s
online bank account details? Yikes!
Unfortunately, companies of all sizes are attacked by
cybercriminals who use a wide range of methods to
disrupt business operations, access confidential
information and steal money. In many cases, the victim
company may be totally unaware of the attack . . . until
it’s too late.
Cybercrime and cybercriminals
Criminals have always been good at spotting new
opportunities to exploit a weakness and make some
money – at someone else’s expense. Whether it’s a flimsy
lock on an office window or a burglar alarm that’s easy to
overcome, criminals seize any chance to exploit any
weakness. However, in today’s Internet-enabled age, a new
breed of criminal has emerged from the murky depths . . . the
cybercriminal.
Cybercrime covers a vast range of criminal activities that are
carried out via IT systems and / or the Internet. It’s too easy to
dismiss the threat of cybercrime – and that’s one way that
businesses help to make it even easier for cybercriminals to profit.
Cybercriminals are highly organised and very skilled in
developing sophisticated ways to attack business computers,
access confidential information and steal money. Often, the
financial rewards are considerable . . . while the cost of
launching an attack can be very low. This brings a rate of
return that many other types of criminal can only dream of!
So, the volume of cybercrime continues to increase.
Smaller Businesses –
Bigger Pressures
In many ways, smaller businesses face virtually all of
the general, day-to-day issues that large businesses
have to tackle . . . plus a whole host of additional
challenges. All businesses have to keep finding ways to
deal with changing market conditions and to respond
to competitors’ activities, while also staying one step
ahead of changes in their customers’ needs and
preferences. However, at the same time as coping with
all of these factors, most growing businesses also have
to deal with a wide range of other issues that keep on
arising as a result of the company’s ongoing growth.
These additional challenges can include:
✓ Finding ways to cope with an increasing number
of customers – and larger revenues.
✓ Regularly recruiting and training additional staff
to handle increasing demands.
✓ Finding larger premises and organising the move,
without disrupting day-to-day operations.
✓ Securing additional funding to grow the business.
✓ Adding new office locations.
✓ Finding time to consider the things large
businesses take in their stride – such as how to
keep customers’ information secure.
All of these tasks are necessary to make sure the
business keeps running efficiently and is ready for the
next steps in its growth.
That’s not my job!
Then there’s the range of responsibilities that founders
and employees have to cover. From the outset, as just
a one man (or woman) band or a small group of highly
motivated individuals, working in a smaller business
usually means ‘all hands to the pumps’ – with everyone
having to take care of a much wider variety of tasks
than they may have experienced in their previous
employment. Usually, there are no HR teams, legal
departments or specialist IT personnel to fall back on.
If your business is going to succeed, everyone has to
achieve more than just being a jack of all trades. You
and your colleagues all know that you have to master
everything that goes into running the business.
Yes, specialist skills can be hired in by the hour, but
that costs precious cash. Every dollar, pound, Euro or
yen spent on non-core business activities limits
investment in other vital areas and can even slow down
your business growth.
What’s the big deal with IT?
For most businesses, the idea of trying to function
without even basic IT – such as laptops – is almost
unthinkable. Even if IT is just a means to an end, it’s a
key enabling tool that helps to boost business
efficiency and improve interaction with customers,
employees and suppliers. However, IT has to serve the
business – and that means it needs to be easy to set up
and manage. Similarly, any security software that
protects the business’s computers and confidential
information has to be easy to use.
It’s a jungle out there . . . so go armed!
Businesses that regard computing as a necessary evil
are likely to have a very similar view when it comes to
keeping the information stored on those computers
secure. That view is totally understandable if IT isn’t
your strong point.
However, the sad fact is that the security of business
information has never been more important – for all
sizes of business. With today’s high levels of threats –
and cybercriminals regularly using Internet
connections to hack into business computers – no
company can afford to ignore security. Even if your
business only implements a few simple protective
measures, those precautions could be enough to save
you a lot of heartache and a significant amount of money.
It’s perfectly okay to regard IT security and
data security as necessary evils . . . provided
you place strong emphasis on the word
‘necessary’! Then the ‘evil’ part is just a
reminder of the sort of cybercriminals that
launch attacks against innocent businesses.
A retailer wouldn’t dream of leaving its cash
register wide open for any passing felon to grab
a handful of money. Similarly, any business that
uses computers, mobile devices or the Internet
needs to make sure its IT isn’t wide open to
attack. It’s simply too easy to become the
unwitting victim of a cybercriminal who attacks
the hidden security vulnerabilities in your
laptops, tablets and smartphones. So you need
to do all you can to ensure cybercriminals can’t
steal sensitive information or steal from your
online bank accounts.
A little security can go a long way
The difference between doing nothing and undertaking some
simple security measures can be massive. At first, if you only
implement a few basic security measures those could be
enough to ensure the average cybercriminal finds it easier to
pick on some other business . . . and leave your business
alone.
In the graph, you see how a little investment in security can
dramatically reduce the likelihood of malware launching a
successful attack.
Security shouldn’t slow your business
Time is money! There, we’ve said it. Of course it’s a
cliché, but it’s true. Any non-core activity that takes
you away from your business’s main revenue-generating
activities costs you time, opportunities and money.
Being nimble and focused is what gave you the
opportunity to establish your business in the first
place. So the last thing you need is IT security that gets
in the way of your entrepreneurial spirit – no matter
how important IT security may be.
Anything that slows you down could mean you’re
spending less time on the key activities that give you
an edge over your competitors and help to propel your
business forward. With the wrong approach to
information security and unsuitable protection
technologies, you could find your business hampered
by the very things that are meant to be helping to
defend it.
The low-hanging fruit for cybercriminals
With concerns about complexity and performance, it’s
no wonder so many smaller businesses turn a blind eye
to IT security. However, even though start-ups and
small businesses could just about get away with that
approach a few years ago, today’s levels of cybercrime
mean this is a very ill-advised strategy. Add in the fact
that some cybercriminals regard small businesses as
the low-hanging fruit that’s easier to attack than larger
organisations, and it’s clear that effective IT security is
no longer optional.
The good news is that your business can do many
simple things to help protect sensitive information.
Furthermore, some of the latest security software
products have been specifically developed to help
time-poor, smaller companies protect their systems
and information. These security products mean you
don’t have to compromise on protection or waste time
on trying to run complex security software that’s
difficult to manage.
Even massive organisations may not have the
necessary scale and resources to recover from
a damaging security breach. So smaller
companies may find it impossible to carry on
trading after a security incident.
False Sense of Security?
Some businesses lull themselves into a false sense of
security, with the mistaken belief that the cybercriminals
are only after the bigger fish. ‘Yes, that’s it,’ says the
business owner. ‘Who’d want to attack a small
company like mine, when bigger, richer targets are out
there? We’re simply not on any cybercriminal’s radar.’
Well, it’s true that radar isn’t going to help a
cybercriminal to identify their next business victim.
However, cybercriminals do use all sorts of other
scanning tools to find vulnerable companies – and they
can do it all via the Internet. With these clever scanning
tools, the cybercriminals can identify businesses that
have security gaps within their computers.
In virtually no time, the scanners can find the
cybercriminals’ next business victim – and point out
how the business is vulnerable to attack.
This may sound like some elaborate science fiction
plot, but it’s true. Every day, these and other
sophisticated methods are used to attack small
businesses. On an average day, Kaspersky Lab
identifies approximately 12,000 malware (malicious
software) attacks – and that number keeps growing.
Smaller businesses can be
easier targets for crime
Generally, most cybercriminals are looking to maximise
the financial returns from their illegal activities and
minimise the effort and time taken to generate those
returns. So, although tapping into a multinational’s
finances could be very lucrative, it’s a fair bet that the
cybercriminal would have to work quite hard to
overcome the sophisticated security defences that
such a company is likely to have in place.
As an alternative, the cybercriminal could choose to
target a bunch of small companies. Yes, the proceeds
from each individual attack may be much less valuable
but, if the smaller companies have poor or non-existent
defences, it could be very easy money for the
cybercriminal. Launching attacks on ten or twenty
small companies could generate as much money as a
single attack on one larger business – and be much
easier to achieve.
Because many smaller businesses can find it
difficult to set aside any time to think about
security, some cybercriminals deliberately
focus on the easy pickings from smaller
businesses. Don’t let your business be among
their next batch of victims.
Cybercriminals can use smaller
businesses as a stepping stone
Cybercriminals recognise that smaller businesses are
often suppliers to large companies – and that’s another
reason for attacks against smaller businesses. An
attack on such a business can help the cybercriminal
to steal information that may prove to be useful in
enabling a subsequent attack against a large
corporation.
The cybercriminal may deliberately pick on the
business because of its relationships with larger
corporations. On the other hand, an opportunist
cybercriminal may simply spot the potential while
they’re stealing customer information from the smaller
business.
Needless to say, if the subsequent attack on the large
organisation is successful and the small business’s role
in the attack becomes apparent, that can result in
severe difficulties for the small business.
Even though the smaller business was innocent of any
direct wrongdoing, its inadequate security allowed its
own systems to be infiltrated – and that helped to
enable an attack against the corporate-sized client. If
the small business’s role in the compromise becomes
known, this is likely to have repercussions – such as
legal action, compensation, fines, the loss of customers
and damage to the small business’s reputation.
Losing out . . . at both ends of the business
Imagine the case of a small company that buys raw materials
from a large corporate supplier and then sells its finished
products to a multinational business. In the interests of
efficiency, the supplier may expect its customers – including
the small company – to interact with and place orders via its
own online systems. Similarly, the multinational customer
may expect the small company to submit electronic invoices
directly into its own internal accounts systems.
This means the small company has direct electronic links
with its corporate supplier’s computer systems and its
multinational customer’s computer systems.
If a cybercriminal infiltrates the small company’s computers,
the cybercriminal could gather information that helps them to
attack both the company’s supplier and its customer. Even if the
subsequent attacks are unsuccessful, the small company
could have a lot of explaining to do . . . and may be blocked
from electronically interacting with its suppliers and
customers. That could adversely affect the small company’s
efficiency and profit margins – especially if its competitors
are benefiting from closer interaction with the same suppliers
and customers.
Chapter 2
Working Out What Your
Business Needs
In This Chapter
▶ Knowing your legal and regulatory obligations
▶ Assessing what’s expected in your industry
▶ Realising today’s threats are more dangerous
than ever
▶ Considering how security needs can vary
In this chapter, we take a closer look at how some
security requirements can be similar for different
businesses . . . and also how they can vary.
Some Security Needs Apply
to All Sizes of Business
Many businesses fall into the trap of thinking that they
have no information that could be of any value to a
cybercriminal. Furthermore, the founder may believe
that an information loss incident wouldn’t cause any
major harm to their company. Unfortunately, for any
size of business, these beliefs are rarely true.
Even a simple database of customer contact details
has value to a wide range of different people – from
cybercriminals looking to use those details as part of
identity theft scams, through to competitors trying to
steal your clients.
Legal obligations to secure information
In many countries, businesses are subject to strict
regulations on how they should handle information
about individuals. Failure to comply can result in large
fines for the business. In some cases, the business’s
directors or owners can be subject to prosecution –
with some offences even carrying prison sentences.
For some nations, the legislation and compliance
regulations about how personally identifiable information
is processed and stored may place more onerous
obligations on larger organisations. However, even if
the relevant authorities demand that large corporations
implement much more sophisticated security measures,
the law still expects smaller businesses to act
responsibly and to take reasonable steps to secure
all relevant information.
If a business fails to adopt measures that
could reasonably be expected to be undertaken
by that size and type of company, the business
could find itself in serious trouble.
Even greater security expectations
Many jurisdictions compel all companies to exercise a
higher degree of caution in how they handle any
particularly sensitive material or any other information
that could cause significant harm to a third party if that
data was leaked.
Furthermore, specific industries and market sectors
may be subject to much more stringent information
security requirements than other industries. For example,
companies operating in the healthcare and legal
sectors are likely to have to take greater care over the
information that they use, store and process.
However, even if none of these ‘extended expectations’
apply to your business, the loss of confidential
information can have dire consequences.
A confidentiality cat-astrophe?
Could there be a less IT-intensive business than running a cat
boarding kennel or cattery? Would IT security really be
necessary for such an operation? Well, yes! Just consider
the information the business holds on the names and
addresses of its clients – plus the business’s electronic diary
of when the furry felines will be staying at the facility.
What if that information fell into the wrong hands? It’s fairly
obvious that no one’s going to be home to look after little
Tiddles and Tiger – and that’s valuable information for
burglars. With that inside knowledge about when the home
owner is going to be away – and how long they’re away
for – burglars could enjoy the luxury of being able to take
their time removing valuables from the cat owner’s property.
Different Levels of
Understanding and Resources
Despite the similarities in some of the security
obligations that are placed on all sizes of business,
there are also some clear variations in how different
size organisations view and tackle security issues.
Things ain’t what they used to be
The sophistication and relentless nature of modern IT
security attacks means today’s threats are several
orders of magnitude more dangerous than the threats
of just a few years ago. Failure to realise this can leave
businesses vulnerable.
When it comes to information security, large companies
can afford to employ full-time IT security experts.
However, smaller business owners don’t have that
luxury.
Is size important?
Availability of resources is obviously a factor that
differentiates smaller businesses from larger
corporations. Large businesses have the in-house
experts to make informed decisions about which
defence technologies to invest in. They also have the
necessary finances and support resources to roll out
their chosen solution. Furthermore, their in-house
team is experienced in how to develop and constantly
refine the company’s security plans and security
policies, so that the business remains one step ahead
of the cybercriminals and no gaping holes are left in
the organisation’s defences.
By contrast, smaller businesses may lack any in-house
security expertise. In addition, for a growing business,
a host of competing demands clamours for any cash
that’s going spare (hmm, spare cash is an interesting
concept, but not one the authors can recall ever
experiencing). So computer security has to take its
place in the queue and fully justify the necessary
expenditure.
Understanding Different
Security Requirements
Even though there’s a lot of common ground, different
types of business are likely to have some differences in
their IT security requirements . . . and can also have
differing views on what level of security is necessary. In
addition, as a business grows, its information security
needs can change.
Do you recognise any of the following business profiles
and their views on IT security?
The start-up business
At the age of 36, ‘Start-up Serge’ is leaving a large,
city-based operation and setting up a new firm of
lawyers with two of his colleagues.
How the business plans to use IT:
✓ Serge and his colleagues are heavily dependent on
the laptops, tablets and smartphones that give
them the flexibility to work almost anywhere.
✓ The team will make heavy use of email to
communicate with clients and will use its computers
for generating letters, proposals and notes.
The business’s attitude to security:
✓ The highly confidential nature of the client
information that will be handled – including financial
data – means the protection of all sensitive
information is vitally important.
✓ Any information leak or loss would be hugely
embarrassing and could have big repercussions in
terms of Serge’s personal reputation and the
firm’s reputation. It could even result in Serge
being sued.
✓ Safeguarding the business is vitally important
and Serge understands that standard antivirus
software doesn’t offer adequate protection.
Serge says: ‘We’ve got to buy new IT kit and set it all
up. At the same time, we need to be able to start
generating revenues as soon as possible – so the security
software that we choose has to provide the right level
of protection, while also being easy to set up, manage
and maintain. Furthermore, the security software supplier
has to provide the support we need, when we need it – so
we can concentrate on serving our clients. Then, as our
business grows, our security solution must be capable of
adapting to meet new demands.’
The expanding business
‘Ambitious Ahmed’ has achieved a lot in his 48 years.
He’s the owner of a chain of men’s tailors that employs
eighteen people – and the business is expanding.
How the business plans to use IT:
✓ As well as opening another new shop, the business
is venturing into online retailing – selling suits via
its website.
✓ With the expansion, the business has to buy a lot
more technology – including more Point of Sale
(PoS) terminals, more PCs, Wi-Fi networking
routers and a new server.
✓ Although Ahmed isn’t focused on IT, he finds his
new smartphone useful for accessing his emails.
The business’s attitude to security:
✓ The business uses an antivirus software product
that Ahmed’s ‘technology-savvy’ nephew purchased
from the high street PC store. However, Ahmed
knows this product isn’t enough to keep his
business’s information safe – especially as the
business is expanding so rapidly. Ahmed would
hate to see his local competitor getting hold of
Ahmed’s regular client list and pricing model.
✓ Owing to Payment Card Industry (PCI) Data
Security Standard compliance requirements,
Ahmed knows the business needs to deploy
security software and keep it up-to-date in order
to manage vulnerabilities.
Ahmed says: ‘Tailoring – and not IT – is my passion.
However, it’s the right time to invest in some more
professional IT security software – if only for my own
peace of mind. We need IT security that gives us the
protection we need, but is easy to install and manage.
I’m looking for a package that gets on with its job and
leaves me to get on with mine. Since I took over the
business from my father, we’ve achieved impressive
growth. We’re about to open our fifth shop and
we’re building our web-based sales – so we need an
IT security solution that can grow with us.’
The business that’s switching its security
Dr ‘Irritated Ivana’, 40, is a Senior Partner in a local
medical practice that includes two other doctors, a
physiotherapist and three part-time receptionist /
administration staff.
How the business plans to use IT:
✓ Each doctor has a desktop PC and a PC is in the
room that the physiotherapist uses. Two other
PCs are at the reception desk and one more is in
the administration office.
✓ The Internet and the PCs have changed the way
the practice works – making it far easier to keep
track of patient records, find out about new
medicines and procedures and generally keep up
to date.
The practice’s attitude to security:
✓ Given the practice’s reliance on IT and the
sensitive nature of the files and information that
are handled, Dr Ivana has never hesitated to buy
IT security software.
✓ However, the current security software is irritating
all of the staff. The PCs take ages to start up – and
then, when the security software scans for malware,
the PCs seem to grind to a halt.
Dr Ivana says: ‘Patient confidentiality is of paramount
importance. That’s why we never hesitated to install
security software. However, our current software has
had a noticeable and very negative effect on the
performance of our PCs. With the licence up for
renewal, now’s the perfect time to move to a security
software product that doesn’t affect the performance
of our computers, so we can be more efficient in how
we deal with patients. We just want something that
secures highly sensitive information without getting in
the way of our efforts to deliver the best in patient
care.’
The business that’s had its fingers burnt
‘Suffering Suzie’ is the 32-year-old owner of a successful
marketing agency that employs 22 people. Suzie’s
business has grown rapidly; her sales and marketing
skills have ensured that she’s easily won new clients.
How the business plans to use IT:
✓ Suzie’s core team is based in the office. However,
many of her account managers visit client sites.
✓ Although her design team runs Apple Macs, the
rest of the business uses a combination of
desktop and laptop PCs, plus smartphones.
✓ Many of the team also use tablets. Because the
tablets are owned by the staff, they’re not official
work kit. However, Suzie’s happy for the staff to
use the devices – especially as she thinks it makes
the agency look cutting-edge.
The business’s attitude to security:
✓ Unfortunately, the agency recently suffered a
major security incident. After a meeting with a
client, one of Suzie’s account directors took their
laptop to a bar and the laptop was stolen. The
laptop had some very sensitive files on it –
including confidential plans for a new product
launch that would give the client a real edge in the
market.
✓ Suzie had to inform the client, who was extremely
angry. The incident has been escalated to the
client’s legal team. It also looks like the client is
going to sever the relationship with the agency. So
Suzie’s agency is about to lose a significant piece
of business . . . and there could also be legal
implications.
Suzie says: ‘We’re still adding up the cost of that
security incident. Now my first priority is to make sure
there’s absolutely no chance of that sort of security
headache happening again. We need to get a
comprehensive protection solution in place as soon
as possible. However, we also need to make sure it’s
simple to manage – so that one of our designers, who
has an amazing talent for all things technical, can
manage and maintain it.’
The business that keeps
its fingers crossed
‘Risky Raul’ is 53 and owns a five-person accountancy
firm. It’s an established business that has never taken
security threats seriously. Raul has always hoped that
‘it won’t happen to me’.
How the business plans to use IT:
✓ Raul and two other accountancy advisors spend a
lot of time with clients. Using laptops gives the
advisors the flexibility to work offsite.
✓ The business’s two administration staff use
desktop PCs.
✓ The business also has a file server that runs its
customer relationship management (CRM)
software.
The business’s attitude to security:
✓ Raul recently read an article, in a trade magazine,
about a rival firm that suffered a very serious IT
security breach. An administrator had downloaded
a file attachment which contained some malware
that accessed confidential client files. The
security breach was only discovered when a
client found their own confidential data being
sold on the Internet.
✓ The news article made Raul extremely nervous
about his own firm’s IT security. Raul now
recognises that the free security software that the
firm has been using is probably inadequate.
Raul says: ‘The industry has changed a lot in recent
years. There’s a lot more regulation now. At the same
time, the nature of the security threats that are lying in
wait means we have to implement much more robust
IT security.’
Diverse needs call for diverse solutions
Even though all of the businesses we reference in this
chapter are in different markets and each has different
expectations for its IT, they all have one thing in
common: the need to protect precious information.
However, with each business having different levels of
computer systems and IT expertise, they have different
security needs.
The example companies are obviously based on
generalisations about how a few different types of
business can have varying IT security needs. However,
just as the variations in business models and sizes of
business are virtually endless, so too are the variations
in IT requirements.
It’s perfectly possible for a small company – with, say,
three to five people – to run massively compute-intensive
processes. In such cases, the business is likely to have
a much more extensive and diverse IT network than
other businesses of a similar size. So this type of
business requires a security solution that can cover all
of the complexities of their IT environment – including
Internet gateways, proxy servers and virtual systems.
Chapter 3
Discovering the Truth About
Security Threats
In This Chapter
▶ Understanding how IT complexity adds new burdens
▶ Knowing why antivirus protection isn’t enough
▶ Learning about the online threats
▶ Protecting your online banking transactions
In this chapter, we consider how the growing
complexity of typical business computing solutions
and the sophistication of computer viruses, malware
and cybercrime attacks are making life that much more
difficult for all businesses.
IT’s All Got More Complex
Only a few years ago, any business leader could simply
reach out and touch every IT device that needed to be
protected within their organisation. It was also simple
to think about drawing an imaginary ring around the
business’s computing network. If you wrapped a
firewall around everything within that ring – and made
sure you had suitable security software running on all
computers – you were untouchable.
But that was back in the days of limited mobility and
not being able to access business information whenever
you were away from the office. It was also long before
business became so heavily reliant on IT.
Business can’t do without IT
Today, could you even consider running a company
without all those vital business applications and
without mobile, ‘anywhere access’ to essential business
information? Well, no . . . because your competitors
would be laughing all the way to the bank.
However, these technological advances have had
consequences. The convenience of anywhere access
has greatly increased IT complexity. If you and your
employees are going to be accessing information by
using laptops, smartphones and tablets, where’s that
imaginary ring within which you have to apply your
security measures?
BYOD adds another layer of complexity
To make things even more complex, Bring Your Own
Device (BYOD) initiatives – that let employees use
their own devices to access business information and
systems – are adding to the complexity. With BYOD,
your security now has to cope with ‘anywhere – from
any device – access’.
Businesses have been quick to recognise the potential
cost and operational benefits that a BYOD initiative can
offer. However, BYOD also means you’re faced with
applying security across an almost limitless range of
mobile devices – including a vast array of Android,
iPhone, BlackBerry, Symbian, Windows Mobile and
Windows Phone devices that may not even belong to
the business.
Fortunately, some security suppliers have recognised
that increasingly complex IT adds to security nightmares.
So they’ve kindly developed innovative new security
solutions that greatly simplify the task of securing
complex IT – including mobile devices and BYOD.
For more information on mobile security
issues and solutions, Mobile Security & BYOD
For Dummies is available at all good booksellers.
Well, actually, it’s not in any shops, but you
can get a free copy at www.kaspersky.com/
business.
Antivirus or anti-malware?
Some businesses fall into the trap of thinking viruses and
malware are the same thing – and that leads them to believe
there’s no difference between antivirus and anti-malware
products. However, that’s simply not true, and in fact it’s a
mistake that could prove to be costly.
Most people are familiar with the types of computer viruses
that can spread from computer to computer. However,
malware – which is short for malicious software – is the
name given to a much wider range of hostile software.
Malware includes computer viruses, worms, Trojan horses,
ransomware, keyloggers, spyware and many other threats.
So a software product that offers anti-malware capabilities
protects your computers and information from much more
than just viruses.
Today’s Threats Are Increasingly
Dangerous
Virtually everyone has some level of understanding of
computer viruses. Most people have been either subject
to a nasty virus infection (we mean on your PC – we’re
not getting personal) or know someone who’s suffered
such an attack in the past. However, much of this
experience – and the anecdotes that friends and family
recall – may date from the era of cyber vandalism,
when malware development was for fun. Today,
cybercriminals use malware for financial gain.
The low-risk years are over
Years ago, cyber vandals were often students and
school children looking to show off their computing
and hacking skills. They created and distributed
viruses that caused a level of disruption on infected
machines. Perhaps the virus would delete a few files or
make the victim’s computer ‘hang up’. Even though it
was largely a matter of mischief-making on the part of
the virus developers, their programs could cause some
inconvenience.
However, these viruses rarely caused significant
ongoing issues for businesses and they didn’t try to
steal funds from individuals’ or businesses’ bank
accounts. In addition, basic antivirus software was
often enough to repel most of these attacks.
Simple vandalism makes way
for serious cybercrime
In recent years, young computer geeks have turned
their attention to online games that give them an
opportunity to show off their prowess. At the same
time – and more importantly – with the relentless rise
in the use of Internet-based business processes and
online financial transactions, we’re all a lot more
dependent on the Internet and e-commerce. This has
attracted the attention of criminals. The age of relatively
innocent cyber vandalism has passed and a much more
menacing presence lurks on the Internet.
Cybercriminals have been quick to recognise
the opportunities to develop malware and
Internet-based scams that do much more
harm than old-fashioned viruses. Instead,
these new attacks are focused on stealing
information, money and anything else of value
to the cybercriminal. Make no mistake, these
are no mere amateurs. Cybercriminals with
considerable technical skills are constantly
developing new methods of attacking
businesses. In most cases, they’re motivated
by financial gain – either directly stealing
money from a business’s bank account,
stealing sensitive business data to sell on the
black market, or extorting payments from the
company through other means.
In addition, by ‘harvesting’ personal information from a
company’s laptops, servers and mobile devices,
cybercriminals can perform identity theft scams and
steal money from individuals associated with the
business.
Our dependence on computers has also made it easier
for attackers to disrupt business systems, as a form of
social or political protest (so-called ‘hacktivism’).
Know the Enemy and
Know Their Methods
Malware and IT security threats can have a damaging
effect on any business’s bottom line. For smaller
businesses, the results can be terminal. While the
following isn’t an exhaustive list of all types of threats,
this section gives an indication of some of the security
risks that businesses have to tackle . . .
Viruses, worms and Trojans
Computer viruses and worms are malicious programs
that can self-replicate on computers without the victim
being aware that their device has become infected.
Trojans perform malicious actions that haven’t been
authorised by the user. Trojans are unable to self-replicate,
but the connectivity provided by the Internet
has made it easy for cybercriminals to spread them.
If these malicious programs attack your network, they
can delete, modify or block access to data, disrupt the
performance of your computers and steal confidential
information.
Backdoor Trojans
Backdoors are used by cybercriminals for remotely
controlling machines that they’ve infected. Typically,
compromised computers become part of a malicious
network – known as a botnet – that can be used for a
wide variety of cybercriminal purposes.
Keyloggers
Keyloggers are malicious programs that record the
keys that you press on your computer keyboard.
Cybercriminals use keyloggers to capture confidential
data – including passwords, bank account numbers and
access codes, credit card details and more. Keyloggers
often work in tandem with backdoor Trojans.
Spam
At its least harmful, spam is simply an electronic
version of junk mail. However, spam can be very
dangerous if it’s used as part of a phishing campaign or
if it includes links to infected websites that download
viruses, worms or Trojans onto the victim’s computer.
Phishing
Phishing is a sophisticated form of malicious attack,
whereby cybercriminals create a fake version of a
genuine website such as an online banking service or a
social networking site. When the victim visits the fake
site, the site uses social engineering methods in order
to obtain valuable information from the victim.
Phishing is often used for identity theft scams and to
steal money from bank accounts and credit cards.
Ransomware
Ransomware Trojans are designed to extort money.
Typically, the Trojan either encrypts data on the
victim’s computer hard drive – so the victim can’t
access their data – or totally blocks all access to the
computer. The ransomware Trojan then demands
payment for undoing these changes.
Ransomware Trojan infections can spread via phishing
emails or can occur if a user simply visits a website
that contains a malicious program. Because the
infected websites can include legitimate sites that have
been infiltrated by cybercriminals, the risks of picking
up a ransomware infection are by no means limited to
visits to suspicious websites.
Distributed Denial of Service
Attacks (DDoS)
Cybercriminals use Distributed Denial of Service
Attacks in order to make a computer or network
unavailable for its intended use. The targets for these
attacks can vary. However, a business’s website is
often the prime focus for an attack.
With most businesses depending on their website to
attract and interact with customers, anything that
makes the site malfunction, run slowly or fail to let
customers access it can be very damaging to the
business.
There are many different forms of DDoS attack. For
example, cybercriminals can infect vast quantities of
innocent users’ computers and then use them to
bombard the target business’s website with a massive
volume of useless traffic. This can overwhelm the
computers that run the victim business’s website and
cause the site to run slowly or totally fail.
What’s bugging business?
Virtually every software application and operating system
that your business runs is likely to contain ‘bugs’. Often these
errors in the computer code may not cause any direct
damage. However, some create vulnerabilities that
cybercriminals can exploit in order to gain unauthorised
access to your computers.
These vulnerabilities act a little like leaving your office door
open – except the cybercriminals don’t just march into your
reception area, they get right into the heart of your computer.
The use of such vulnerabilities to install malware is now
widespread, so it’s important to keep applications updated or
patched (don’t ignore those software update reminders and
postpone them as a nuisance).
Some security software solutions include ‘vulnerability
scanning’ features – to identify any application or operating
system vulnerabilities on your business’s IT network – and
can help you to apply ‘patches’ that fix the vulnerabilities so
cybercriminals can’t exploit them.
Understanding Other
Security Risks
In addition to the specific types of attack we explain in
the previous section, your business needs to guard
against other dangers.
Risks from using public Wi-Fi
With hotels, airports and restaurants offering
customers free access to a public Wi-Fi connection, it’s
easy for you to check email and access business
information when you’re out and about. However, it’s
also very easy for cybercriminals to spy on public Wi-Fi
networks and capture information that you send or
access. This could mean cybercriminals gain direct
access to your business email accounts, your business
IT network and your passwords for financial
transactions.
Online banking and the need
for additional security
Online banking has become a critically important facility for
so many businesses. It’s convenient and time-saving.
However, whenever you’re conducting any online financial
transactions, you could be at your most vulnerable.
Cybercriminals want to monitor their victims’ computers and
mobile devices in order to work out when the victim is visiting
a banking website or online payment service. Then special
keylogger programs can capture the information you enter.
That means the cybercriminal can stealthily steal your
password – so they can access your account and drain it of
funds, without you knowing.
Thankfully, some security software products include
technologies that provide additional layers of protection
when you’re conducting online financial transactions.
Spear phishing
Spear phishing is another sophisticated form of
attack. The cybercriminal seeks to capture personal
information – perhaps by spying on a public Wi-Fi
connection. Later, the cybercriminal uses that personal
information to add a veneer of credibility to a phishing
email that targets a business.
For example, if the cybercriminal manages to access
one of your employees’ entries on a social networking
site and learns some details about the employee’s
recent holiday, the cybercriminal can later use that
information in a phishing email. When the employee
receives an email from someone pretending to be a
colleague – and that email mentions some details about
the employee’s holiday – it’s more likely to look like a
genuine email. And, if the message asks the employee
to click and confirm access to the business network,
the cybercriminal can capture the necessary access
passwords.
Lost laptops
We’ve all read about those unfortunate individuals
who’ve left their laptops in taxis, trains or restaurants.
The potential for highly sensitive business information
falling into the wrong hands is alarming. When this
happens, it can severely damage an organisation’s
business reputation and result in heavy fines.
One remedy is to choose a security solution that
encrypts your business information so, even if a
laptop is lost or stolen, it’s virtually impossible for
cybercriminals to access the information on the
laptop’s hard drive.
Understanding encryption
Encryption is a particularly cunning way of beating
cybercriminals at their own game. Just like spies in the latest
cinema release encode messages so that only their intended
recipients can understand them, encryption enables you to
encode your business’s sensitive information – so your
information can’t be decoded without the necessary
decryption key.
This means that if any of your business’s confidential
information is accessed by cybercriminals, they won’t be
able to see it in its readable form – unless they have your
secret decryption key.
In the event that one of your staff loses their laptop or mislays
a USB memory stick full of confidential information, if the
data on the laptop or memory stick has already been
encrypted, you can avoid the embarrassment of information
leakage.
Mobile threats
Individuals and businesses can both fall into the trap
of thinking their smartphones and iPhones are just
phones. They aren’t: they’re powerful computers that
can store a lot of confidential business information –
so loss or theft of a mobile device can cause serious
security breaches. If a lost or stolen smartphone
isn’t protected using a PIN (or, even better, a longer
passcode), whoever accesses it can simply log in to
any online account used on the device.
However, some security solutions include remotely
operated security features – such as giving you the
ability to contact your missing phone and ‘wipe’ all
data from it.
If your chosen security solution also includes
a data encryption capability, this can add a
further layer of protection. Even if a criminal
finds the phone before you’ve realised it’s
missing – and you’ve not yet had a chance to
wipe its data – the fact that the information on
the phone has been encrypted ensures the
criminal can’t read that data.
Furthermore, because today’s smartphones and tablets
are really computers, they’re vulnerable to a growing
volume of malware and attacks that have become
common on desktops and laptops – including viruses,
worms, Trojans, spam and phishing. So it’s essential to
use security software to protect mobile devices (to find
out more, get your free copy of Mobile Security & BYOD
For Dummies from www.kaspersky.com/business).
Chapter 4
Planning for Better
Information Security
In This Chapter
▶ Benefiting from a simple assessment of your
business risks
▶ Improving your staff’s awareness of security issues
▶ Understanding how cloud computing can affect
security
▶ Assessing cloud computing service providers
When it comes to IT security, some people think:
‘It’s all too overwhelming. I’m going to cross my
fingers and hope for the best.’ We wish them good luck
with that approach. However, when their customers
and business partners start suing the business as a
result of a data loss incident, the company hasn’t really
given its defence attorney much to work with. So, in
this chapter, we look at some simple security measures
that you can introduce without spending anything on
software or hardware – and we consider how cloud
computing can affect a business’s security strategy.
Risky Business?
Conducting a risk assessment might sound like an
onerous task that’s best undertaken by a team of
boffins with white coats and clipboards. However, if
you’re keen to improve information security, in this
section we share some simple concepts that form the
foundation of a worthwhile assessment of the risks that
your business faces.
Start by asking yourself a few basic questions:
✓ Where is my business’s information stored?
✓ What is the value of that information – to my
business and to a potential attacker?
• What would the consequences be for my
business if any confidential information fell
into the wrong hands?
• How would a leakage of information affect my
business’s relationships with customers,
employees and business partners?
• What would be the likely cost – in terms of
financial loss / penalties and damaged business
reputation?
✓ What is my business doing to protect confidential
information?
✓ Are my business’s information security provisions
adequate?
• How do those security provisions compare with
the expected norm within my market sector and
for my size of business? (Don’t forget, as your
business grows, you’ll probably need to
implement higher levels of information security.)
• Would a court of law agree that my business’s
security is sufficient? (An honest answer to this
question can flush out any business that’s
trying to sweep the whole issue under the
carpet by kidding itself that inadequate security
is okay!)
✓ What’s the probability of my business suffering a
leakage of confidential information? (Remember,
this could result from a simple event such as the
loss of a laptop or smartphone. No matter how
diligent you are, how careful are your employees?)
Your answers will be useful in helping you to decide on
how to go about improving information security.
Educating Employees
in the Art of Security
When it comes to protecting valuable information,
‘forewarned is forearmed’ (‘four-armed’ would also
help you get more out of your working day – but,
unless your business is in the bionics industry, that’s
never going to happen!). So, making sure that you and
your employees are aware of the wide range of security
risks – and how to avoid them – is essential.
It’s surprising how many companies fail to devote
enough effort to spreading the news about security
best practice among their staff – even though educating
employees on security risks and how to avoid them can
be one of the most cost-effective ways of making life
more difficult for cybercriminals.
Getting employees on side in the battle for better
security needn’t be difficult:
✓ Consider all of the potential malware and
cybercrime risks that could affect your business
and decide on how your employees can help to
avoid these risks. Notwithstanding the sophisticated
nature of today’s threats, many attacks start by
simply tricking someone into doing something
that jeopardises the business’s security, such as
clicking on a link in a spear phishing email.
✓ Draw up and share a security policy that clearly
defines how you expect your staff to behave with
regard to maintaining security and eliminating
unnecessary risks.
✓ Conduct staff awareness sessions on a regular
basis. Aim to raise awareness of key issues, such as:
• The need to use different passwords for each
application and account.
• The dangers of public Wi-Fi and how to avoid
them.
• How to spot spear phishing attempts.
• The security consequences of losing a mobile
device.
✓ Enforce your company’s security policy – for
example, ensuring everyone uses strong passwords
to protect access to business information, bank
accounts and more (see the nearby sidebar ‘What
makes a password stronger?’ for tips on this).
✓ Revise your security policy as and when new risks
emerge or you adopt new work processes.
✓ Run refresher courses to keep security issues
‘front of mind’ for your employees.
✓ Make sure new staff receive security awareness
sessions as part of their induction.
What makes a password stronger?
If one of your employees sets up a password based on an
easily remembered word or a simple sequence of numbers,
a cybercriminal may easily guess that password. Strong
passwords use a combination of uppercase and lowercase
letters, numbers and special symbols. They should be eight
characters in length, at the very least.
Make sure none of your employees use the same password
for several different applications and / or web accounts. If a
cybercriminal manages to discover an employee’s Facebook
password, that shouldn’t be the very same password that
gives the cybercriminal access to the business email system.
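One way to enforce the sidebar’s two rules at the moment an employee chooses a new password, as an added example that is not from the book: the length and character-class checks are applied directly, and reuse is detected by verifying the candidate against the salted hashes already stored for the employee’s other accounts. The account names, sample passwords and the `check_new_password` helper are constructed for illustration.

```python
import hashlib
import hmac
import os
import string

# Policy from the sidebar: at least eight characters, mixing upper-case and
# lower-case letters, digits and special symbols; no password shared between
# different applications or web accounts.
MIN_LENGTH = 8
PBKDF2_ITERATIONS = 50_000  # kept low so the example runs quickly; raise it in production


def policy_failures(password: str) -> list:
    """Return the policy rules the password breaks (empty list if it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special symbol")
    return failures


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the stored record never holds the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def reused_accounts(password: str, stored: dict) -> list:
    """Names of the accounts whose stored hash this password unlocks.

    Every account has its own salt, so reuse can only be detected while the
    plaintext is available, i.e. when a new password is being set: the
    candidate is verified against each other record the employee holds.
    """
    return sorted(name for name, (salt, digest) in stored.items()
                  if verify_password(password, salt, digest))


def check_new_password(account: str, password: str, stored: dict) -> list:
    """All reasons to reject `password` for `account`, or [] if it is acceptable."""
    problems = policy_failures(password)
    for other in reused_accounts(password, stored):
        if other != account:  # resetting the same account to its own password is not reuse
            problems.append(f"already used for {other}")
    return problems


# Constructed sample: one employee's existing account records (hypothetical names).
EMPLOYEE_ACCOUNTS = {
    "social-network": hash_password("Holiday2014!"),
    "business-email": hash_password("Xq7#mailAccess"),
}

if __name__ == "__main__":
    for candidate in ("Holiday2014!", "password", "N3w&Strong99"):
        verdict = check_new_password("crm", candidate, EMPLOYEE_ACCOUNTS) or ["accepted"]
        print(candidate, "->", "; ".join(verdict))
```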
Up in the Clouds
In recent years, a buzz has been growing around cloud
computing. Businesses of every shape and size have
been assessing the cloud’s potential to simplify the
storage of information and cut operating costs. In many
cases, small and medium size businesses have been at
the forefront of the move to the cloud.
Sometimes smaller organisations can be quicker than
larger companies to adopt new business strategies. At
the same time, smaller businesses are often more
acutely aware of the need to focus on their core business
activities. So anything that enables the business to
subcontract non-core IT activities to a third party can
be seen as beneficial.
Cloud or no cloud, your information
is your responsibility
If you’re considering using cloud computing, be
aware that farming out the storage of your business
information – and the delivery of some or all of your
applications – doesn’t absolve your business of its
security responsibilities. Nor does it automatically
ensure that your confidential business information is
totally protected. It’s still your company’s information,
regardless of where it’s stored. So the protection of that
information is still your responsibility – and that’s
exactly how the law views your obligations.
Also consider how you’re going to access that
information on a day-to-day basis. Even if your cloud
services supplier has impeccable credentials and
rigorous security, you still have to make sure that
every device your business uses to access the
information has suitable security. You need to run a
local security solution that protects every desktop,
laptop, server and mobile device that your business
uses.
An ongoing need to be ‘security aware’
With a cloud solution, you still need to make sure that
you and your employees adhere to all the security best
practices that you defined in your security policy. For
example, strong passwords are still required to help
prevent unauthorised access to your information and
your employees need to continue to guard against
losing mobile devices.
You also need to assess all the potential information
security risks and ensure your staff are aware of simple
security precautions. In fact, the only thing the cloud
changes is that your information is stored off-site by a
third-party supplier.
Caution over cloud contract catches
The cloud computing market is reasonably established
with some very capable cloud services providers.
However, many cloud storage solutions have been
developed for consumers. In some cases, security may
have been little more than an afterthought and could
be insufficient for business users.
Consider the following questions when you’re selecting
a supplier:
✓ Who will own my business information when it’s
being stored in the cloud?
✓ What happens if the cloud services provider
ceases to trade?
• Will I still be able to access my information?
• Will there be a period of downtime, while my
information is being moved to another service
provider for storage?
• Will the original supplier still have copies of
my information – and is there some way of
ensuring these copies are deleted?
✓ How do I terminate my contract?
• If I terminate, how do I transfer my business
information?
• Is there a simple and quick process for moving
my stored information to a new supplier?
✓ How robust are the computers that the supplier
uses to store my information and the
communications systems that the supplier uses to
make my information accessible when I need it?
• Does the supplier guarantee continuous
accessibility for my information (so I can
access important information when I need to
and not be affected by the supplier constantly
claiming their ‘system is down’)?
• Does the supplier have suitable technology to
ensure a swift recovery from a major failure or
an attack on their computing systems – without
it affecting the security and accessibility of my
information?
• What level of security does the supplier offer
to protect my information against loss and
unauthorised access? (Remembering that I also
still need to run security software on all of the
computers and mobile devices I use to access
that information.)
✓ Where will my information be stored?
• Will offshore storage cause any legal or
compliance issues for my business?
You’d never contemplate leaving your child in
the care of someone that you hadn’t checked
out and didn’t totally trust. Similarly, if your
business is your ‘baby’, you need to invest a
little time in assessing any potential cloud
services provider in order to ensure your
business’s confidential and sensitive
information will be safe in their care.
There can be some very compelling arguments for
moving information storage – and some software
applications – to the cloud. However, you need to go
into it with your eyes wide open. Even though cloud
computing may help to simplify some aspects of
your computing, the cloud can also add a new layer of
complexity when it comes to selecting and managing
your cloud services provider.
Cloud computing doesn’t diminish your
obligations to protect sensitive information.
It’s your responsibility to protect confidential
information – and it’s your responsibility if
you choose a supplier that lets you down
through inadequate security.
Chapter 5
Choosing Security Software
to Suit Your Business
In This Chapter
▶ Selecting the right security software supplier for you
▶ Ensuring you get the support you need
▶ Thinking about how your information security needs
may change
▶ Deciding on the ideal level of security software
So you’ve assessed the security risks for your
business and educated your staff about the
importance of information security (of course, if you’re
the sum total of the staff, that could be a pretty short
training course). Now’s the time to choose the security
software solution that’s best placed to help protect
your business.
Selecting the Right Supplier
When you’re trying to choose from the various
commercially available IT security software products,
aim to select one that’s capable of adapting to how
your needs may change when your business grows.
Show some support!
Question suppliers about what level of support you’ll get if
any issues arise when you’re operating the software or if
your business suffers an attack or security breach. Being
able to pick up the phone and have someone guide you
through any tricky issues isn’t just convenient and reassuring –
it could also save you a lot of time and help you to get your
computers and business processes up and running again as
rapidly as possible.
On the other hand, if a supplier expects you to trawl through
their online knowledgebase and find your own solution to the
difficulty, that could take you away from important business
activities for a significant amount of time. And isn’t it amazing
how these types of incidents seem to save themselves up
until you’re at your busiest – with a tight deadline to complete
that detailed proposal for the business deal of a lifetime?!
Try to select a supplier that offers local support . . . in your
local language . . . in your local time zone.
Choosing a supportive security supplier is a major part
of the selection process. While the market includes
some excellent packaged security software products
that provide a host of anti-malware and Internet security
technologies, consider what could happen when your
business outgrows the package that you purchased:
✓ Will your chosen supplier be able to offer other,
more comprehensive packages that you can
migrate to?
✓ Does the product allow you to add extra features
so you can protect new additions to your IT, such
as virtualised servers, without changing your
security product or having to get expert help to
tackle any time-consuming integration issues?
These questions may not appear vital now. However,
when your business grows, they could help you to
avoid the disruption and costs associated with having
to change from one security supplier to another.
Achieving more – in less time
For any business, it’s important to identify software
solutions that are easy to use. After all, who wants to
spend endless hours setting up and managing security
software, when a superior solution can automate many
security processes and leave you with more time for
other business activities?
Ease of use is vital – especially if you have no in-house
IT security experts. However, even as your business
grows and you potentially take on specialist IT and
security staff, easy-to-use security software helps to
boost their productivity.
Simplifying security management
The user interface for most security software is often
referred to as a management console. Rather like the
various dials, lights and switches on the dashboard of a
car, the console should give you an at-a-glance overview
of how the product’s working, indicate any issues you
need to be aware of and enable you to make adjustments.
Sounds simple enough – but some software suppliers
don’t make things as easy as they could be.
Some security software suppliers expect their
customers to use several different management
consoles in order to control the various
different protection technologies within the
supplier’s product package. Sometimes this is
because the security supplier has acquired
different technologies, as and when they’ve
purchased other security companies.
Whatever the reason, the need to use multiple
consoles can be time-consuming and potentially
very confusing for the operator.
By contrast, some security solutions enable you to view,
control and set policies for all of the package’s security
technologies – via a single, unified management console.
This can mean you only have to become familiar with
one, intuitive-to-use interface that gives you a clear view
of all of the supplier’s protection technologies that are
running on your computing network.
If you’re personally responsible for managing your
business’s security software, this level of usability and
manageability means you have more time for all those
other much more important aspects of running your
business. However, even if you’re using an external or
internal IT expert to keep your security software
running as it ought to, having one easy-to-use
management console can help to control costs and
boost efficiency.
Reporting back to you
Any security product that offers you the flexibility to
generate a wide range of reports on the security status
and security vulnerabilities across all of your IT –
including mobile devices and BYOD – can help to give
you far greater visibility of any issues.
High Flyer or Lifestyle Business:
Identifying Your Security Needs
Taking a little time out to have an honest look at your
business and its aspirations is really worthwhile. It may
be tempting to take a gung-ho, swashbuckling view and
get carried away with imagining that one day your
business will be a multinational capable of rivalling the
largest conglomerates. However, not every owner
wants that for their business.
Of course, plenty of companies have grown from
humble beginnings on the kitchen table or in the
garage and gone on to become world beaters.
However, if yours is a ‘lifestyle business’ – whereby
your prime aim is to grow your business revenue to a
level where it funds a good lifestyle for you and your
family – there’s definitely no shame in that. Recognising
that’s what you want can help you to make the optimum
choices when it comes to investing in IT and security.
The trick is working out:
✓ What type of business you have now.
✓ What your business could be like in a year’s
time . . . and beyond.
Armed with this information, you’ll be in a far better
position to decide how your information security needs
may change. Then you can focus on choosing a security
software product that’s right for your business now,
and has sufficient flexibility and scalability to adapt as
your business needs change.
Choosing the wrong security solution may not
be catastrophic – but it could cost you time
and money, either now or in the future.
From Home-User Security to
Business-Level Protection
Security software products are available for all sizes of
business. The right solution for you depends on a
number of things.
Home user security products
If your business’s IT started as just your own personal
laptop, the chances are you were already running one
of the many security solutions aimed at home users.
Some excellent consumer-focused packages combine
anti-malware and innovative Internet security
technologies. Some even offer additional layers of
protection for online banking and other web-based
financial transactions.
For businesses with just a few employees, a home user
product could be the ideal solution. However, with no
shortage of consumer products on the market, you
need to spend a little time assessing the features and
functions that each product offers. A solution that only
delivers antivirus protection isn’t really going to cut it
in today’s high-threat environment.
Typically, security software that’s aimed at the home
user may be fine for businesses of one to four people –
provided that the software licence allows commercial
entities to use the software. However, most home user
packages can be difficult to manage when five or more
people use them within the business. These types of
packages often don’t make it easy – or quick – to apply
the same security set-up and options across all the
laptops, desktops and mobile devices that the business
uses.
If you’re aiming to grow your business
significantly, you could soon end up with an
extensive and complex IT infrastructure. So
choosing a home user security product – that
can’t grow with your business – could lead to
a costly and disruptive move to a new solution
at a critical stage in your company’s growth.
Free-of-charge antivirus software
If you’re using free antivirus software you may want to
carry on using that same security software when your
business starts to expand. While this could be a
reasonable solution to some security requirements,
it’s worth considering exactly what the free software
provides – and what it doesn’t.
Does it offer all of the necessary technologies to defend
against the latest security threats and the sophisticated
new ways that cybercriminals try to steal valuable
information? If it only includes antivirus capabilities
and a few Internet security add-ons, it may not be
suitable to protect against the full range of threats.
Many free-of-charge software packages aren’t intended
for use by businesses. The terms and conditions of the
free licence often preclude use by any commercial
organisation. So using some free software may be
illegal. In other cases, the supplier of the free software
will levy a charge when that software is used by a
business.
Free puppy to a good home . . .
What a great deal! You always wanted a faithful hound at
your side – and this way you’ve avoided the fees that the dog
breeders command. Okay, it’s a mongrel, but it’s your mongrel
and, best of all, he was totally free.
Free . . . apart from the work, the mess (sorry to bring that up,
but it’s your dog – so you’re going to have to clean it up!) and
all those expenses. Yes, you’d factored in the cost of the
inoculations and the routine visits to the vet, but did you ever
think he’d chew his way through so much of your fine
furniture?
In reality, not a lot in life is truly free. Much like your free
puppy, free security software can have hidden costs. It might
be that the free version of the software keeps flashing up
adverts for third-party products or spends time trying to sell
you the virtues of its ‘paid for’ premium version. Either way,
whether it’s a set of banner adverts or the package’s efforts
to upsell you to the upgraded version of the software, those
distractions could affect the productivity of your employees.
Even if the software does neither of these things, you may
find that when you need any support from the software
provider it could be expensive.
Security solutions for large businesses
Having gained an understanding of the threats out
there, you may decide to cut to the chase and buy the
most comprehensive security solution on the market.
However, that can really backfire for a smaller
business.
Many businesses fail to realise that, for most software
products, there’s an inverse relationship between
functionality and ease of use. Products that include
functions that only large-scale companies would need
may be much more difficult to configure and manage
when compared with products that have been developed
with smaller businesses in mind.
So the smaller business that decides to simplify
the selection process – by just choosing the most
comprehensive software product – may be making life
difficult until some point in the distant future . . . when
the business eventually grows into its chosen security
software! On the other hand, you also need to know
that, as your business grows, your chosen security
vendor can help you manage your new security needs –
without having to rip out your existing product and
start all over again.
Security solutions for large businesses may
include advanced technologies that protect
complex environments. However, if your IT
network is relatively simple – and is likely
to stay that way – you could be paying for
capabilities that you’ll never use. Furthermore,
an overly complex security solution can be
much more complex to run . . . at every stage
of its life. From initial configuration, through
to ongoing management, a corporate-level
solution can take skills and time that a smaller
business may not have to spare. Put simply,
corporate-level solutions often assume that
corporate-level resources and corporate-level
IT expertise are available on tap.
Prosumer-level security
Prosumer security? Yes, it’s one of those terms dreamt
up by sharp-suited marketing types – but what does it
actually mean? (By the way, if you’re running a marketing
agency . . . just wanted to say how good you look in
that suit!)
At their most effective and useful, prosumer security
solutions bridge the gap between user-friendly products
that have been developed for home users and those
corporate-level products that can deliver extra
functionality but may be more complex to set up and
manage.
So prosumer products aim to combine the extended
capabilities that businesses require, plus the ease of
use that’s necessary when the business doesn’t have a
team of in-house IT security experts. When security
suppliers get this balance right, prosumer products
offer an irresistible combination for many businesses.
There’s a marked difference between a security
product that’s been developed ‘from the
ground up’ to satisfy the needs of smaller
businesses versus a corporate-level product
that’s simply been repackaged for the smaller
business market. If a supplier is merely
dressing up their corporate-level product and
passing it off as a prosumer product, you
could find yourself with security that’s too
complex and too time-consuming to run.
Whatever the size of your business, make sure you
choose a supplier that has invested time in considering
the unique challenges that your scale of organisation
faces, and has developed a software solution that’s
optimised for businesses like yours.
When corporate meets prosumer
Just to confuse the issue even further, not all large
business security products are unsuitable for smaller
businesses. It’s true that products that have been
developed without a thought for the particular challenges
that smaller businesses face are unlikely to be suitable
for organisations that don’t have in-house IT security
support resources. However, there’s also a class of
business security product that’s based on a simple,
modular architecture.
Here the supplier may offer several tiers of software
packages, with each tier providing a different
combination of protection technologies. The lowest
tier may offer basic-level protection that’s well suited
to the simple IT networks that smaller companies
operate. Then higher tiers add further protection
technologies, with the supplier’s ultimate product
tier delivering security across the most complex IT
environments – including support for multiple operating
systems and multiple mobile device platforms, tailored
security for virtualised environments and special
technologies for protecting Internet gateways, mail
servers and more.
With these modular products, ambitious businesses
can benefit from a security solution that readily scales
as they grow – without the business having to manage
the disruption of migrating from a relatively small
security solution to a corporate-level solution.
If it seems as if you have too many choices,
remember that the range of different businesses
is almost limitless – and they all have different
security requirements. So choice is a good
thing. Even if it takes a bit of time to get your
head around the pros and cons of the various
options, doing so means you’re more likely to
be able to select the security solution that
matches your requirements.
Chapter 6
Ten Questions to Help Identify
How to Protect Your Business
In This Chapter
▶ Evaluating what your business needs
▶ Assessing your legal obligations
▶ Deciding on your security policy
Here are ten simple questions to help you work
out what’s necessary to protect your business
against cybercrime, malware and other security risks:
✓ Have you assessed the potential security risks for
your business and identified what information and
computers need to be protected?
✓ In addition to protecting computers, do you also
need to protect mobile devices and a BYOD
programme?
✓ Are you aware of the legal and regulatory
obligations that apply to your business with
regard to the security of confidential information?
✓ Have you defined some basic security policies
that the business can use to keep information,
computers and other devices secure?
✓ Have you set up a simple education programme to
help improve awareness of security issues and
motivate employees to avoid security breaches?
✓ Have you evaluated the commercially available
security software products – based on ease of use,
the levels of protection they deliver and their
ability to accommodate changing needs?
✓ Does your chosen security software supplier offer
the level of support you need – in your language
and your time zone?
✓ Would you benefit from additional security features
that provide a further layer of protection for
online banking and financial transactions?
✓ If you’re adopting cloud computing, have you
checked the suitability of your chosen cloud
services provider’s security and contract terms?
✓ Have you chosen a security software product
capable of protecting all of the computers and
mobile devices that your business uses to access
the information that’s stored in the cloud?
The consequences of information security breaches
and cybercriminal attacks can be devastating – so
make sure your business IT systems are protected by a
rigorous security software product. Turn the page for
more details . . .
Security Your Business Can Depend On
With Kaspersky Lab’s award-winning security technologies
protecting your computers, business information and mobile
devices, you can spend more time on your core business
activities . . . and less time worrying about malware and
cybercriminals.
Security Solutions for Growing
Businesses
Kaspersky Endpoint Security for Business offers a tailored
product to meet your business’s unique needs. Simply choose
the tier that suits your business requirements. As your business
grows and your IT network becomes more complex, you can
move to the next tier . . . all the way to our ultimate security
solution – Kaspersky Total Security for Business.
Kaspersky Total Security for Business combines comprehensive
security and essential systems management functions to help
you manage and protect all your endpoints:
✓ Windows PCs, Macs and Linux computers
✓ Physical and virtual machines
✓ Mobile devices – Android, iOS, Windows Phone, Windows
Mobile, BlackBerry and Symbian
✓ File, mail, Internet and collaboration servers
To find out more about Kaspersky Endpoint Security for
Business and Kaspersky Total Security for Business, please visit
www.kaspersky.com/business-security