Simplifying IT Security For Dummies®, Kaspersky Lab Limited Edition
By Georgina Gilmore and Peter Beardmore

Published by John Wiley & Sons, Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, England

For details on how to create a custom For Dummies book for your business or organisation, contact CorporateDevelopment@wiley.com. For information about licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com. Visit our Home Page on www.customdummies.com

Copyright © 2014 by John Wiley & Sons Ltd, Chichester, West Sussex, England. All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London, W1T 4LP, UK, without the permission in writing of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, England, or emailed to permreq@wiley.com, or faxed to (44) 1243 770620.

Trademarks: Wiley, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER, THE AUTHOR, AND ANYONE ELSE INVOLVED IN PREPARING THIS WORK MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

ISBN 978-1-118-84041-2 (pbk); ISBN 978-1-118-84822-7 (ebk)

Printed and bound in Great Britain by Page Bros, Norwich

Introduction

Welcome to Simplifying IT Security For Dummies – your guide to some of the information security challenges that all sizes of business face in today’s Internet-connected world. With valuable tips and pointers, this book aims to help your business ensure that sensitive information remains secure – so you’re less likely to incur regulatory / legal penalties or suffer damage to your business reputation.

Although the computing breakthroughs of the past decade have helped business owners to cut costs, boost efficiency and deliver even better levels of customer service, those same new technologies have created opportunities for hackers to attack innocent businesses. More than ever before, all businesses – even those that think they’ve got no confidential information that they need to protect – should be aware of the risks and how to avoid them . . . so that’s why we’ve written this book.

About This Book

Although it’s small, this book is crammed full of information to help growing businesses work out how best to protect confidential information – including sensitive information about their customers – and how to secure their computers and mobile devices against viruses, malicious attacks and more.

From the smallest businesses to the largest corporations, every organisation is at risk from the sophisticated methods that hackers use to access confidential information and steal money from business bank accounts. Whereas large multinationals can afford to employ teams of IT security specialists, smaller businesses are less likely to have in-house IT security expertise.

Simplifying IT Security For Dummies sets out to help businesses by raising awareness of:

✓ Why virtually all businesses have sensitive information that they need to protect.
✓ The range and nature of today’s information security risks.
✓ The simple, ‘no-cost’ measures that help businesses to protect confidential information.
✓ The easy-to-use products that can greatly improve information security.

Foolish Assumptions

To help ensure this book provides the information you need, we’ve made a few assumptions about you:

✓ The business that you own, manage or work for uses laptops, desktops and / or mobile devices.
✓ You need to make sure your business doesn’t fall foul of any information security regulations.
✓ You’re keen to ensure your business’s confidential information remains confidential.
✓ You’d like to learn how to prevent hacker attacks affecting your business’s day-to-day activities.
✓ You may be considering storing some of your business information in ‘the cloud’.
✓ You’d welcome some tips on how to choose IT security software that fits your business.

How This Book Is Organised

Simplifying IT Security For Dummies is divided into six concise, information-packed chapters:

✓ Chapter 1: Why All Businesses Need to Protect Sensitive Information. We explain the pitfalls of having a false sense of security.
✓ Chapter 2: Working Out What Your Business Needs. Even though all businesses need security, this chapter considers how security requirements can vary.
✓ Chapter 3: Discovering the Truth About Security Threats. Learn why today’s IT is more complex and the threats to businesses more dangerous.
✓ Chapter 4: Planning for Better Information Security. Assess the risks – then make sure your business knows how to avoid them. We also give you some points to consider for securely storing information in ‘the cloud’.
✓ Chapter 5: Choosing Security Software to Suit Your Business. With so many products on the market, we explain the factors that can help you make the right selection.
✓ Chapter 6: Ten Questions to Help Identify How to Protect Your Business. Use these questions as a useful checklist when considering what you need to protect your business.

Icons Used in This Book

To make it even easier for you to find the information you need, we use these icons to highlight key text:

This target icon draws your attention to top-notch advice.

The knotted string highlights important information to bear in mind.

Watch out for these potential pitfalls!

Where to Go from Here

This book is a quick and easy read. You can dip in and out of the text as you wish, or you can read the book from cover to cover.
Whichever way you choose, we’re sure you’ll find it packed with great advice on how to protect your customers’ information and the other valuable data that your business stores and processes.

Chapter 1
Why All Businesses Need to Protect Sensitive Information

In This Chapter
▶ Assessing the extra burdens on smaller businesses
▶ Securing precious business information
▶ Avoiding the perils of a false sense of security
▶ Understanding why cybercriminals target all sizes of business

In this first chapter, we look at some of the reasons why businesses are subject to information security risks – and why it’s unwise to try to sweep those security issues under the carpet.

Businesses Are Under Attack

In the information age, knowledge is power. The information your business holds – about its specialist know-how, its products and its customers – is vital to your ongoing success. If you were no longer able to access some of that precious information, it could affect the day-to-day running of your business. Even worse, what would be the consequences if that information fell into the wrong hands – a criminal’s hands? Furthermore, what if a criminal could gain access to your computers and steal your business’s online bank account details? Yikes!

Unfortunately, companies of all sizes are attacked by cybercriminals who use a wide range of methods to disrupt business operations, access confidential information and steal money. In many cases, the victim company may be totally unaware of the attack . . . until it’s too late.

Cybercrime and cybercriminals

Criminals have always been good at spotting new opportunities to exploit a weakness and make some money – at someone else’s expense. Whether it’s a flimsy lock on an office window or a burglar alarm that’s easy to overcome, criminals seize any chance to exploit any weakness. However, in today’s Internet-enabled age, a new breed of criminal has emerged from the murky depths . . . the cybercriminal.

Cybercrime covers a vast range of criminal activities that are carried out via IT systems and / or the Internet. It’s too easy to dismiss the threat of cybercrime – and that’s one way that businesses help to make it even easier for cybercriminals to profit.

Cybercriminals are highly organised and very skilled in developing sophisticated ways to attack business computers, access confidential information and steal money. Often, the financial rewards are considerable . . . while the cost of launching an attack can be very low. This brings a rate of return that many other types of criminal can only dream of! So, the volume of cybercrime continues to increase.

Smaller Businesses – Bigger Pressures

In many ways, smaller businesses face virtually all of the general, day-to-day issues that large businesses have to tackle . . . plus a whole host of additional challenges.

All businesses have to keep finding ways to deal with changing market conditions and to respond to competitors’ activities, while also staying one step ahead of changes in their customers’ needs and preferences. However, at the same time as coping with all of these factors, most growing businesses also have to deal with a wide range of other issues that keep on arising as a result of the company’s ongoing growth. These additional challenges can include:

✓ Finding ways to cope with an increasing number of customers – and larger revenues.
✓ Regularly recruiting and training additional staff to handle increasing demands.
✓ Finding larger premises and organising the move, without disrupting day-to-day operations.
✓ Securing additional funding to grow the business.
✓ Adding new office locations.
✓ Finding time to consider the things large businesses take in their stride – such as how to keep customers’ information secure.

All of these tasks are necessary to make sure the business keeps running efficiently and is ready for the next steps in its growth.

That’s not my job!
Then there’s the range of responsibilities that founders and employees have to cover. From the outset, as just a one man (or woman) band or a small group of highly motivated individuals, working in a smaller business usually means ‘all hands to the pumps’ – with everyone having to take care of a much wider variety of tasks than they may have experienced in their previous employment. Usually, there are no HR teams, legal departments or specialist IT personnel to fall back on.

If your business is going to succeed, everyone has to achieve more than just being a jack of all trades. You and your colleagues all know that you have to master everything that goes into running the business. Yes, specialist skills can be hired in by the hour, but that costs precious cash. Every dollar, pound, Euro or yen spent on non-core business activities limits investment in other vital areas and can even slow down your business growth.

What’s the big deal with IT?

For most businesses, the idea of trying to function without even basic IT – such as laptops – is almost unthinkable. Even if IT is just a means to an end, it’s a key enabling tool that helps to boost business efficiency and improve interaction with customers, employees and suppliers. However, IT has to serve the business – and that means it needs to be easy to set up and manage. Similarly, any security software that protects the business’s computers and confidential information has to be easy to use.

It’s a jungle out there . . . so go armed!

Businesses that regard computing as a necessary evil are likely to have a very similar view when it comes to keeping the information stored on those computers secure. That view is totally understandable if IT isn’t your strong point. However, the sad fact is that the security of business information has never been more important – for all sizes of business.

With today’s high levels of threats – and cybercriminals regularly using Internet connections to hack into business computers – no company can afford to ignore security. Even if your business only implements a few simple protective measures, those precautions could be enough to save you a lot of heartache and a significant amount of money.

It’s perfectly okay to regard IT security and data security as necessary evils . . . provided you place strong emphasis on the word ‘necessary’! Then the ‘evil’ part is just a reminder of the sort of cybercriminals that launch attacks against innocent businesses.

A retailer wouldn’t dream of leaving its cash register wide open for any passing felon to grab a handful of money. Similarly, any business that uses computers, mobile devices or the Internet needs to make sure their IT isn’t wide open to attack. It’s simply too easy to become the unwitting victim of a cybercriminal who attacks the hidden security vulnerabilities in your laptops, tablets and smartphones. So you need to do all you can to ensure cybercriminals can’t steal sensitive information or steal from your online bank accounts.

A little security can go a long way

The difference between doing nothing and undertaking some simple security measures can be massive. At first, if you only implement a few basic security measures those could be enough to ensure the average cybercriminal finds it easier to pick on some other business . . . and leave your business alone. In the graph, you see how a little investment in security can dramatically reduce the likelihood of malware launching a successful attack.

Security shouldn’t slow your business

Time is money! There, we’ve said it. Of course it’s a cliché, but it’s true. Any non-core activity that takes you away from your business’s main revenue-generating activities costs you time, opportunities and money. Being nimble and focused is what gave you the opportunity to establish your business in the first place.
So the last thing you need is IT security that gets in the way of your entrepreneurial spirit – no matter how important IT security may be. Anything that slows you down could mean you’re spending less time on the key activities that give you an edge over your competitors and help to propel your business forward. With the wrong approach to information security and unsuitable protection technologies, you could find your business hampered by the very things that are meant to be helping to defend it.

The low-hanging fruit for cybercriminals

With concerns about complexity and performance, it’s no wonder so many smaller businesses turn a blind eye to IT security. However, even though start-ups and small businesses could just about get away with that approach a few years ago, today’s levels of cybercrime mean this is a very ill-advised strategy. Add in the fact that some cybercriminals regard small businesses as the low-hanging fruit that’s easier to attack than larger organisations, and it’s clear that effective IT security is no longer optional.

The good news is that your business can do many simple things to help protect sensitive information. Furthermore, some of the latest security software products have been specifically developed to help time-poor, smaller companies protect their systems and information. These security products mean you don’t have to compromise on protection or waste time on trying to run complex security software that’s difficult to manage.

Even massive organisations may not have the necessary scale and resources to recover from a damaging security breach. So smaller companies may find it impossible to carry on trading after a security incident.

False Sense of Security?

Some businesses lull themselves into a false sense of security, with the mistaken belief that the cybercriminals are only after the bigger fish. ‘Yes, that’s it,’ says the business owner. ‘Who’d want to attack a small company like mine, when bigger, richer targets are out there?
We’re simply not on any cybercriminal’s radar.’

Well, it’s true that radar isn’t going to help a cybercriminal to identify their next business victim. However, cybercriminals do use all sorts of other scanning tools to find vulnerable companies – and they can do it all via the Internet. With these clever scanning tools, the cybercriminals can identify businesses that have security gaps within their computers. In virtually no time, the scanners can find the cybercriminals’ next business victim – and point out how the business is vulnerable to attack.

This may sound like some elaborate science fiction plot, but it’s true. Every day, these and other sophisticated methods are used to attack small businesses. On an average day, Kaspersky Lab identifies approximately 12,000 malware (malicious software) attacks – and that number keeps growing.

Smaller businesses can be easier targets for crime

Generally, most cybercriminals are looking to maximise the financial returns from their illegal activities and minimise the effort and time taken to generate those returns. So, although tapping into a multinational’s finances could be very lucrative, it’s a fair bet that the cybercriminal would have to work quite hard to overcome the sophisticated security defences that such a company is likely to have in place.

As an alternative, the cybercriminal could choose to target a bunch of small companies. Yes, the proceeds from each individual attack may be much less valuable but, if the smaller companies have poor or non-existent defences, it could be very easy money for the cybercriminal. Launching attacks on ten or twenty small companies could generate as much money as a single attack on one larger business – and be much easier to achieve.

Because many smaller businesses can find it difficult to set aside any time to think about security, some cybercriminals deliberately focus on the easy pickings from smaller businesses. Don’t let your business be among their next batch of victims.

Cybercriminals can use smaller businesses as a stepping stone

Cybercriminals recognise that smaller businesses are often suppliers to large companies – and that’s another reason for attacks against smaller businesses. An attack on such a business can help the cybercriminal to steal information that may prove to be useful in enabling a subsequent attack against a large corporation. The cybercriminal may deliberately pick on the business because of its relationships with larger corporations. On the other hand, an opportunist cybercriminal may simply spot the potential while they’re stealing customer information from the smaller business.

Needless to say, if the subsequent attack on the large organisation is successful and the small business’s role in the attack becomes apparent, that can result in severe difficulties for the small business. Even though the smaller business was innocent of any direct wrongdoing, its inadequate security allowed its own systems to be infiltrated – and that helped to enable an attack against the corporate-sized client. If the small business’s role in the compromise becomes known, this is likely to have repercussions – such as legal action, compensation, fines, the loss of customers and damage to the small business’s reputation.

Losing out . . . at both ends of the business

Imagine the case of a small company that buys raw materials from a large corporate supplier and then sells its finished products to a multinational business. In the interests of efficiency, the supplier may expect its customers – including the small company – to interact with and place orders via its own online systems. Similarly, the multinational customer may expect the small company to submit electronic invoices directly into its own internal accounts systems. This means the small company has direct electronic links with its corporate supplier’s computer systems and its multinational customer’s computer systems.

If a cybercriminal infiltrates the small company’s computers, the cybercriminal could gather information that helps it to attack both the company’s supplier and customer. Even if the subsequent attacks are unsuccessful, the small company could have a lot of explaining to do . . . and may be blocked from electronically interacting with its suppliers and customers. That could adversely affect the small company’s efficiency and profit margins – especially if its competitors are benefiting from closer interaction with the same suppliers and customers.

Chapter 2
Working Out What Your Business Needs

In This Chapter
▶ Knowing your legal and regulatory obligations
▶ Assessing what’s expected in your industry
▶ Realising today’s threats are more dangerous than ever
▶ Considering how security needs can vary

In this chapter, we take a closer look at how some security requirements can be similar for different businesses . . . and also how they can vary.

Some Security Needs Apply to All Sizes of Business

Many businesses fall into the trap of thinking that they have no information that could be of any value to a cybercriminal. Furthermore, the founder may believe that an information loss incident wouldn’t cause any major harm to their company. Unfortunately, for any size of business, these beliefs are rarely true.

Even a simple database of customer contact details has value to a wide range of different people – from cybercriminals looking to use those details as part of identity theft scams, through to competitors trying to steal your clients.

Legal obligations to secure information

In many countries, businesses are subject to strict regulations on how they should handle information about individuals. Failure to comply can result in large fines for the business. In some cases, the business’s directors or owners can be subject to prosecution – with some offences even carrying prison sentences.

For some nations, the legislation and compliance regulations about how personally identifiable information is processed and stored may place more onerous obligations on larger organisations. However, even if the relevant authorities demand that large corporations implement much more sophisticated security measures, the law still expects smaller businesses to act responsibly and to take reasonable steps to secure all relevant information. If a business fails to adopt measures that could reasonably be expected to be undertaken by that size and type of company, the business could find itself in serious trouble.

Even greater security expectations

Many jurisdictions compel all companies to exercise a higher degree of caution in how they handle any particularly sensitive material or any other information that could cause significant harm to a third party if that data was leaked.

Furthermore, specific industries and market sectors may be subject to much more stringent information security requirements than other industries. For example, companies operating in the healthcare and legal sectors are likely to have to take greater care over the information that they use, store and process.

However, even if none of these ‘extended expectations’ apply to your business, the loss of confidential information can have dire consequences.

A confidentiality cat-astrophe?

Could there be a less IT-intensive business than running a cat boarding kennel or cattery? Would IT security really be necessary for such an operation? Well, yes! Just consider the information the business holds on the names and addresses of its clients – plus the business’s electronic diary of when the furry felines will be staying at the facility. What if that information fell into the wrong hands? It’s fairly obvious that no one’s going to be home to look after little Tiddles and Tiger – and that’s valuable information for burglars.

With that inside knowledge about when the home owner is going to be away – and how long they’re away for – burglars could enjoy the luxury of being able to take their time removing valuables from the cat owner’s property.

Different Levels of Understanding and Resources

Despite the similarities in some of the security obligations that are placed on all sizes of business, there are also some clear variations in how different size organisations view and tackle security issues.

Things ain’t what they used to be

The sophistication and relentless nature of modern IT security attacks means today’s threats are several orders of magnitude more dangerous than the threats of just a few years ago. Failure to realise this can leave businesses vulnerable. When it comes to information security, large companies can afford to employ full-time IT security experts. However, smaller business owners don’t have that luxury.

Is size important?

Availability of resources is obviously a factor that differentiates smaller businesses from larger corporations. Large businesses have the in-house experts to make informed decisions about which defence technologies to invest in. They also have the necessary finances and support resources to roll out their chosen solution. Furthermore, their in-house team is experienced in how to develop and constantly refine the company’s security plans and security policies, so that the business remains one step ahead of the cybercriminals and no gaping holes are left in the organisation’s defences.

By contrast, smaller businesses may lack any in-house security expertise. In addition, for a growing business, a host of competing demands clamours for any cash that’s going spare (hmm, spare cash is an interesting concept, but not one the authors can recall ever experiencing). So computer security has to take its place in the queue and fully justify the necessary expenditure.

Understanding Different Security Requirements

Even though there’s a lot of common ground, different types of business are likely to have some differences in their IT security requirements . . . and can also have differing views on what level of security is necessary. In addition, as a business grows, its information security needs can change. Do you recognise any of the following business profiles and their views on IT security?

The start-up business

At the age of 36, ‘Start-up Serge’ is leaving a large, city-based operation and setting up a new firm of lawyers with two of his colleagues.

How the business plans to use IT:

✓ Serge and his colleagues are heavily dependent on the laptops, tablets and smartphones that give them the flexibility to work almost anywhere.
✓ The team will make heavy use of email to communicate with clients and will use its computers for generating letters, proposals and notes.

The business’s attitude to security:

✓ The highly confidential nature of the client information that will be handled – including financial data – means the protection of all sensitive information is vitally important.
✓ Any information leak or loss would be hugely embarrassing and could have big repercussions in terms of Serge’s personal reputation and the firm’s reputation. It could even result in Serge being sued.
✓ Safeguarding the business is vitally important and Serge understands that standard antivirus software doesn’t offer adequate protection.

Serge says: ‘We’ve got to buy new IT kit and set it all up. At the same time, we need to be able to start generating revenues as soon as possible – so the security software that we choose has to provide the right level of protection, while also being easy to set up, manage and maintain. Furthermore, the security software supplier has to provide the support we need, when we need it – so we can concentrate on serving our clients.
Then, as our business grows, our security solution must be capable of adapting to meet new demands.’

The expanding business

‘Ambitious Ahmed’ has achieved a lot in his 48 years. He’s the owner of a chain of men’s tailors that employs eighteen people – and the business is expanding.

How the business plans to use IT:

✓ As well as opening another new shop, the business is venturing into online retailing – selling suits via its website.
✓ With the expansion, the business has to buy a lot more technology – including more Point of Sale (PoS) terminals, more PCs, Wi-Fi networking routers and a new server.
✓ Although Ahmed isn’t focused on IT, he finds his new smartphone useful for accessing his emails.

The business’s attitude to security:

✓ The business uses an antivirus software product that Ahmed’s ‘technology-savvy’ nephew purchased from the high street PC store. However, Ahmed knows this product isn’t enough to keep his business’s information safe – especially as the business is expanding so rapidly. Ahmed would hate to see his local competitor getting hold of Ahmed’s regular client list and pricing model.
✓ Owing to Payment Card Industry (PCI) Data Security Standard compliance requirements, Ahmed knows the business needs to deploy security software and keep it up-to-date in order to manage vulnerabilities.

Ahmed says: ‘Tailoring – and not IT – is my passion. However, it’s the right time to invest in some more professional IT security software – if only for my own peace of mind. We need IT security that gives us the protection we need, but is easy to install and manage. I’m looking for a package that gets on with its job and leaves me to get on with mine. Since I took over the business from my father, we’ve achieved impressive growth.
We’re about to open our fifth shop and we’re building our web-based sales – so we need an IT security solution that can grow with us.’

The business that’s switching its security

Dr ‘Irritated Ivana’, 40, is a Senior Partner in a local medical practice that includes two other doctors, a physiotherapist and three part-time receptionist / administration staff.

How the business plans to use IT:

✓ Each doctor has a desktop PC and a PC is in the room that the physiotherapist uses. Two other PCs are at the reception desk and one more is in the administration office.
✓ The Internet and the PCs have changed the way the practice works – making it far easier to keep track of patient records, find out about new medicines and procedures and generally keep up to date.

The practice’s attitude to security:

✓ Given the practice’s reliance on IT and the sensitive nature of the files and information that are handled, Dr Ivana has never hesitated to buy IT security software.
✓ However, the current security software is irritating all of the staff. The PCs take ages to start up – and then, when the security software scans for malware, the PCs seem to grind to a halt.

Dr Ivana says: ‘Patient confidentiality is of paramount importance. That’s why we never hesitated to install security software. However, our current software has had a noticeable and very negative effect on the performance of our PCs. With the licence up for renewal, now’s the perfect time to move to a security software product that doesn’t affect the performance of our computers, so we can be more efficient in how we deal with patients. We just want something that secures highly sensitive information without getting in the way of our efforts to deliver the best in patient care.’

The business that’s had its fingers burnt

‘Suffering Suzie’ is the 32-year-old owner of a successful marketing agency that employs 22 people.
Suzie’s business has grown rapidly; her sales and marketing skills have ensured that she’s easily won new clients.

How the business plans to use IT:

✓ Suzie’s core team is based in the office. However, many of her account managers visit client sites.
✓ Although her design team runs Apple Macs, the rest of the business uses a combination of desktop and laptop PCs, plus smartphones.
✓ Many of the team also use tablets. Because the tablets are owned by the staff, they’re not official work kit. However, Suzie’s happy for the staff to use the devices – especially as she thinks it makes the agency look cutting-edge.

The business’s attitude to security:

✓ Unfortunately, the agency recently suffered a major security incident. After a meeting with a client, one of Suzie’s account directors took their laptop to a bar and the laptop was stolen. The laptop had some very sensitive files on it – including confidential plans for a new product launch that would give the client a real edge in the market.
✓ Suzie had to inform the client, who was extremely angry. The incident has been escalated to the client’s legal team. It also looks like the client is going to sever the relationship with the agency. So Suzie’s agency is about to lose a significant piece of business . . . and there could also be legal implications.

Suzie says: ‘We’re still adding up the cost of that security incident. Now my first priority is to make sure there’s absolutely no chance of that sort of security headache happening again. We need to get a comprehensive protection solution in place as soon as possible. However, we also need to make sure it’s simple to manage – so that one of our designers, who has an amazing talent for all things technical, can manage and maintain it.’

The business that keeps its fingers crossed

‘Risky Raul’ is 53 and owns a five-person accountancy firm. It’s an established business that has never taken security threats seriously. Raul has always hoped that ‘it won’t happen to me’.
How the business plans to use IT:

✓ Raul and two other accountancy advisors spend a lot of time with clients. Using laptops gives the advisors the flexibility to work offsite.
✓ The business’s two administration staff use desktop PCs.
✓ The business also has a file server that runs its customer relationship management (CRM) software.

The business’s attitude to security:

✓ Raul recently read an article, in a trade magazine, about a rival firm that suffered a very serious IT security breach. An administrator had downloaded a file attachment which contained some malware that accessed confidential client files. The security breach was only discovered when a client found their own confidential data being sold on the Internet.
✓ The news article made Raul extremely nervous about his own firm’s IT security. Raul now recognises that the free security software that the firm has been using is probably inadequate.

Raul says: ‘The industry has changed a lot in recent years. There’s a lot more regulation now. At the same time, the nature of the security threats that are lying in wait means we have to implement much more robust IT security.’

Diverse needs call for diverse solutions

Even though all of the businesses we reference in this chapter are in different markets and each has different expectations for its IT, they all have one thing in common: the need to protect precious information. However, with each business having different levels of computer systems and IT expertise, they have different security needs.

The example companies are obviously based on generalisations about how a few different types of business can have varying IT security needs. However, just as the variations in business models and sizes of business are virtually endless, so too are the variations in IT requirements.

It’s perfectly possible for a small company – with, say, three to five people – to run massively compute-intensive processes.
In such cases, the business is likely to have a much more extensive and diverse IT network than other businesses of a similar size. So this type of business requires a security solution that can cover all of the complexities of their IT environment – including Internet gateways, proxy servers and virtual systems.

Chapter 3

Discovering the Truth About Security Threats

In This Chapter

▶ Understanding how IT complexity adds new burdens
▶ Knowing why antivirus protection isn’t enough
▶ Learning about the online threats
▶ Protecting your online banking transactions

In this chapter, we consider how the growing complexity of typical business computing solutions and the sophistication of computer viruses, malware and cybercrime attacks are making life that much more difficult for all businesses.

IT’s All Got More Complex

Only a few years ago, any business leader could simply reach out and touch every IT device that needed to be protected within their organisation. It was also simple to think about drawing an imaginary ring around the business’s computing network. If you wrapped a firewall around everything within that ring – and made sure you had suitable security software running on all computers – you were untouchable.

But that was back in the days of limited mobility and not being able to access business information whenever you were away from the office. It was also long before business became so heavily reliant on IT.

Business can’t do without IT

Today, could you even consider running a company without all those vital business applications and without mobile, ‘anywhere access’ to essential business information? Well, no . . . because your competitors would be laughing all the way to the bank.

However, these technological advances have had consequences. The convenience of anywhere access has greatly increased IT complexity.
If you and your employees are going to be accessing information by using laptops, smartphones and tablets, where’s that imaginary ring within which you have to apply your security measures?

BYOD adds another layer of complexity

To make things even more complex, Bring Your Own Device (BYOD) initiatives – that let employees use their own devices to access business information and systems – are adding to the complexity. With BYOD, your security now has to cope with ‘anywhere – from any device – access’.

Businesses have been quick to recognise the potential cost and operational benefits that a BYOD initiative can offer. However, BYOD also means you’re faced with applying security across an almost limitless range of mobile devices – including a vast array of Android, iPhone, BlackBerry, Symbian, Windows Mobile and Windows Phone devices that may not even belong to the business.

Fortunately, some security suppliers have recognised that increasingly complex IT adds to security nightmares. So they’ve kindly developed innovative new security solutions that greatly simplify the task of securing complex IT – including mobile devices and BYOD.

For more information on mobile security issues and solutions, Mobile Security & BYOD For Dummies is available at all good booksellers. Well, actually, it’s not in any shops, but you can get a free copy at www.kaspersky.com/business.

Antivirus or anti-malware?

Some businesses fall into the trap of thinking viruses and malware are the same thing – and that leads them to believe there’s no difference between antivirus and anti-malware products. However, that’s simply not true, and in fact it’s a mistake that could prove to be costly.

Most people are familiar with the types of computer viruses that can spread from computer to computer. However, malware – which is short for malicious software – is the name given to a much wider range of hostile software.
Malware includes computer viruses, worms, Trojan horses, ransomware, keyloggers, spyware and many other threats. So a software product that offers anti-malware capabilities protects your computers and information from much more than just viruses.

Today’s Threats Are Increasingly Dangerous

Virtually everyone has some level of understanding of computer viruses. Most people have been either subject to a nasty virus infection (we mean on your PC – we’re not getting personal) or know someone who’s suffered such an attack in the past. However, much of this experience – and the anecdotes that friends and family recall – may date from the era of cyber vandalism, when malware development was for fun. Today, cybercriminals use malware for financial gain.

The low-risk years are over

Years ago, cyber vandals were often students and school children looking to show off their computing and hacking skills. They created and distributed viruses that caused a level of disruption on infected machines. Perhaps the virus would delete a few files or make the victim’s computer ‘hang up’. Even though it was largely a matter of mischief-making on the part of the virus developers, their programs could cause some inconvenience. However, these viruses rarely caused significant ongoing issues for businesses and they didn’t try to steal funds from individuals’ or businesses’ bank accounts. In addition, basic antivirus software was often enough to repel most of these attacks.

Simple vandalism makes way for serious cybercrime

In recent years, young computer geeks have turned their attention to online games that give them an opportunity to show off their prowess. At the same time – and more importantly – with the relentless rise in the use of Internet-based business processes and online financial transactions, we’re all a lot more dependent on the Internet and e-commerce. This has attracted the attention of criminals.
The age of relatively innocent cyber vandalism has passed and a much more menacing presence lurks on the Internet. Cybercriminals have been quick to recognise the opportunities to develop malware and Internet-based scams that do much more harm than old-fashioned viruses. Instead, these new attacks are focused on stealing information, money and anything else of value to the cybercriminal.

Make no mistake, these are no mere amateurs. Cybercriminals with considerable technical skills are constantly developing new methods of attacking businesses. In most cases, they’re motivated by financial gain – either directly stealing money from a business’s bank account, stealing sensitive business data to sell on the black market, or extorting payments from the company through other means. In addition, by ‘harvesting’ personal information from a company’s laptops, servers and mobile devices, cybercriminals can perform identity theft scams and steal money from individuals associated with the business.

Our dependence on computers has also made it easier for attackers to disrupt business systems, as a form of social or political protest (so-called ‘hacktivism’).

Know the Enemy and Know Their Methods

Malware and IT security threats can have a damaging effect on any business’s bottom line. For smaller businesses, the results can be terminal. While the following isn’t an exhaustive list of all types of threats, this section gives an indication of some of the security risks that businesses have to tackle . . .

Viruses, worms and Trojans

Computer viruses and worms are malicious programs that can self-replicate on computers without the victim being aware that their device has become infected. Trojans perform malicious actions that haven’t been authorised by the user. Trojans are unable to self-replicate, but the connectivity provided by the Internet has made it easy for cybercriminals to spread them.
If these malicious programs attack your network, they can delete, modify or block access to data, disrupt the performance of your computers and steal confidential information.

Backdoor Trojans

Backdoors are used by cybercriminals for remotely controlling machines that they’ve infected. Typically, compromised computers become part of a malicious network – known as a botnet – that can be used for a wide variety of cybercriminal purposes.

Keyloggers

Keyloggers are malicious programs that record the keys that you press on your computer keyboard. Cybercriminals use keyloggers to capture confidential data – including passwords, bank account numbers and access codes, credit card details and more. Keyloggers often work in tandem with backdoor Trojans.

Spam

At its least harmful, spam is simply an electronic version of junk mail. However, spam can be very dangerous if it’s used as part of a phishing campaign or if it includes links to infected websites that download viruses, worms or Trojans onto the victim’s computer.

Phishing

Phishing is a sophisticated form of malicious attack, whereby cybercriminals create a fake version of a genuine website such as an online banking service or a social networking site. When the victim visits the fake site, the site uses social engineering methods in order to obtain valuable information from the victim. Phishing is often used for identity theft scams and to steal money from bank accounts and credit cards.

Ransomware

Ransomware Trojans are designed to extort money. Typically, the Trojan either encrypts data on the victim’s computer hard drive – so the victim can’t access their data – or totally blocks all access to the computer. The ransomware Trojan then demands payment for undoing these changes.

Ransomware Trojan infections can spread via phishing emails or can occur if a user simply visits a website that contains a malicious program.
Because the infected websites can include legitimate sites that have been infiltrated by cybercriminals, the risks of picking up a ransomware infection are by no means limited to visits to suspicious websites.

Distributed Denial of Service Attacks (DDoS)

Cybercriminals use Distributed Denial of Service Attacks in order to make a computer or network unavailable for its intended use. The targets for these attacks can vary. However, a business’s website is often the prime focus for an attack. With most businesses depending on their website to attract and interact with customers, anything that makes the site malfunction, run slowly or fail to let customers access it can be very damaging to the business.

There are many different forms of DDoS attack. For example, cybercriminals can infect vast quantities of innocent users’ computers and then use them to bombard the target business’s website with a massive volume of useless traffic. This can overwhelm the computers that run the victim business’s website and cause the site to run slowly or totally fail.

What’s bugging business?

Virtually every software application and operating system that your business runs is likely to contain ‘bugs’. Often these errors in the computer code may not cause any direct damage. However, some create vulnerabilities that cybercriminals can exploit in order to gain unauthorised access to your computers. These vulnerabilities act a little like leaving your office door open – except the cybercriminals don’t just march into your reception area, they get right into the heart of your computer.

The use of such vulnerabilities to install malware is now widespread, so it’s important to keep applications updated or patched (don’t ignore those software update reminders and postpone them as a nuisance).
Some security software solutions include ‘vulnerability scanning’ features – to identify any application or operating system vulnerabilities on your business’s IT network – and can help you to apply ‘patches’ that fix the vulnerabilities so cybercriminals can’t exploit them.

Understanding Other Security Risks

In addition to the specific types of attack we explain in the previous section, your business needs to guard against other dangers.

Risks from using public Wi-Fi

With hotels, airports and restaurants offering customers free access to a public Wi-Fi connection, it’s easy for you to check email and access business information when you’re out and about. However, it’s also very easy for cybercriminals to spy on public Wi-Fi networks and capture information that you send or access. This could mean cybercriminals gain direct access to your business email accounts, your business IT network and your passwords for financial transactions.

Online banking and the need for additional security

Online banking has become a critically important facility for so many businesses. It’s convenient and time-saving. However, whenever you’re conducting any online financial transactions, you could be at your most vulnerable.

Cybercriminals want to monitor their victims’ computers and mobile devices in order to work out when the victim is visiting a banking website or online payment service. Then special keylogger programs can capture the information you enter. That means the cybercriminal can stealthily steal your password – so they can access your account and drain it of funds, without you knowing.

Thankfully, some security software products include technologies that provide additional layers of protection when you’re conducting online financial transactions.

Spear phishing

Spear phishing is another sophisticated form of attack. The cybercriminal seeks to capture personal information – perhaps by spying on a public Wi-Fi connection.
Later, the cybercriminal uses that personal information to add a veneer of credibility to a phishing email that targets a business. For example, if the cybercriminal manages to access one of your employee’s entries on a social networking site and learns some details about the employee’s recent holiday, the cybercriminal can later use that information in a phishing email. When the employee receives an email from someone pretending to be a colleague – and that email mentions some details about the employee’s holiday – it’s more likely to look like a genuine email. And, if the message asks the employee to click and confirm access to the business network, the cybercriminal can capture the necessary access passwords.

Lost laptops

We’ve all read about those unfortunate individuals who’ve left their laptops in taxis, trains or restaurants. The potential for highly sensitive business information falling into the wrong hands is alarming. When this happens, it can severely damage an organisation’s business reputation and result in heavy fines.

One remedy is to choose a security solution that encrypts your business information so, even if a laptop is lost or stolen, it’s virtually impossible for cybercriminals to access the information on the laptop’s hard drive.

Understanding encryption

Encryption is a particularly cunning way of beating cybercriminals at their own game. Just like spies in the latest cinema release encode messages so that only their intended recipients can understand them, encryption enables you to encode your business’s sensitive information – so your information can’t be decoded without the necessary decryption key. This means that if any of your business’s confidential information is accessed by cybercriminals, they won’t be able to see it in its readable form – unless they have your secret decryption key.
In the event that one of your staff loses their laptop or mislays a USB memory stick full of confidential information, if the data on the laptop or memory stick has already been encrypted, you can avoid the embarrassment of information leakage.

Mobile threats

Individuals and businesses can both fall into the trap of thinking their smartphones and iPhones are just phones. They aren’t: they’re powerful computers that can store a lot of confidential business information – so loss or theft of a mobile device can cause serious security breaches. If a lost or stolen smartphone isn’t protected using a PIN (or, even better, a longer passcode), whoever accesses it can simply login to any online account used on the device.

However, some security solutions include remotely operated security features – such as giving you the ability to contact your missing phone and ‘wipe’ all data from it. If your chosen security solution also includes a data encryption capability, this can add a further layer of protection. Even if a criminal finds the phone before you’ve realised it’s missing – and you’ve not yet had a chance to wipe its data – the fact that the information on the phone has been encrypted ensures the criminal can’t read that data.

Furthermore, because today’s smartphones and tablets are really computers, they’re vulnerable to a growing volume of malware and attacks that have become common on desktops and laptops – including viruses, worms, Trojans, spam and phishing. So it’s essential to use security software to protect mobile devices (to find out more, get your free copy of Mobile Security & BYOD For Dummies from www.kaspersky.com/business).
Chapter 4

Planning for Better Information Security

In This Chapter

▶ Benefiting from a simple assessment of your business risks
▶ Improving your staff’s awareness of security issues
▶ Understanding how cloud computing can affect security
▶ Assessing cloud computing service providers

When it comes to IT security, some people think: ‘It’s all too overwhelming. I’m going to cross my fingers and hope for the best.’ We wish them good luck with that approach. However, when their customers and business partners start suing the business as a result of a data loss incident, the company hasn’t really given its defence attorney much to work with.

So, in this chapter, we look at some simple security measures that you can introduce without spending anything on software or hardware – and we consider how cloud computing can affect a business’s security strategy.

Risky Business?

Conducting a risk assessment might sound like an onerous task that’s best undertaken by a team of boffins with white coats and clipboards. However, if you’re keen to improve information security, in this section we share some simple concepts that form the foundation of a worthwhile assessment of the risks that your business faces.

Start by asking yourself a few basic questions:

✓ Where is my business’s information stored?
✓ What is the value of that information – to my business and to a potential attacker?
  • What would the consequences be for my business if any confidential information fell into the wrong hands?
  • How would a leakage of information affect my business’s relationships with customers, employees and business partners?
  • What would be the likely cost – in terms of financial loss / penalties and damaged business reputation?
✓ What is my business doing to protect confidential information?
✓ Are my business’s information security provisions adequate?
  • How do those security provisions compare with the expected norm within my market sector and for my size of business?
  (Don’t forget, as your business grows, you’ll probably need to implement higher levels of information security.)
  • Would a court of law agree that my business’s security is sufficient? (An honest answer to this question can flush out any business that’s trying to sweep the whole issue under the carpet by kidding itself that inadequate security is okay!)
✓ What’s the probability of my business suffering a leakage of confidential information? (Remember, this could result from a simple event such as the loss of a laptop or smartphone. No matter how diligent you are, how careful are your employees?)

Your answers will be useful in helping you to decide on how to go about improving information security.

Educating Employees in the Art of Security

When it comes to protecting valuable information, ‘forewarned is forearmed’ (‘four-armed’ would also help you get more out of your working day – but, unless your business is in the bionics industry, that’s never going to happen!). So, making sure that you and your employees are aware of the wide range of security risks – and how to avoid them – is essential.

It’s surprising how many companies fail to devote enough effort to spreading the news about security best practice among their staff – even though educating employees on security risks and how to avoid them can be one of the most cost-effective ways of making life more difficult for cybercriminals.

Getting employees on side in the battle for better security needn’t be difficult:

✓ Consider all of the potential malware and cybercrime risks that could affect your business and decide on how your employees can help to avoid these risks. Notwithstanding the sophisticated nature of today’s threats, many attacks start by simply tricking someone into doing something that jeopardises the business’s security, such as clicking on a link in a spear phishing email.
✓ Draw up and share a security policy that clearly defines how you expect your staff to behave with regard to maintaining security and eliminating unnecessary risks.
✓ Conduct staff awareness sessions on a regular basis. Aim to raise awareness of key issues, such as:
  • The need to use different passwords for each application and account.
  • The dangers of public Wi-Fi and how to avoid them.
  • How to spot spear phishing attempts.
  • The security consequences of losing a mobile device.
✓ Enforce your company’s security policy – for example, ensuring everyone uses strong passwords to protect access to business information, bank accounts and more (see the nearby sidebar ‘What makes a password stronger?’ for tips on this).
✓ Revise your security policy as and when new risks emerge or you adopt new work processes.
✓ Run refresher courses to keep security issues ‘front of mind’ for your employees.
✓ Make sure new staff receive security awareness sessions as part of their induction.

What makes a password stronger?

If one of your employees sets up a password based on an easily remembered word or a simple sequence of numbers, a cybercriminal may easily guess that password. Strong passwords use a combination of uppercase and lowercase letters, numbers and special symbols. They should be eight characters in length, at the very least.

Make sure none of your employees use the same password for several different applications and / or web accounts. If a cybercriminal manages to discover an employee’s Facebook password, that shouldn’t be the very same password that gives the cybercriminal access to the business email system.

Up in the Clouds

In recent years, a buzz has been growing around cloud computing. Businesses of every shape and size have been assessing the cloud’s potential to simplify the storage of information and cut operating costs. In many cases, small and medium size businesses have been at the forefront of the move to the cloud.
Sometimes smaller organisations can be quicker than larger companies to adopt new business strategies. At the same time, smaller businesses are often more acutely aware of the need to focus on their core business activities. So anything that enables the business to subcontract non-core IT activities to a third party can be seen as beneficial.

Cloud or no cloud, your information is your responsibility

If you’re considering using cloud computing, be aware that farming out the storage of your business information – and the delivery of some or all of your applications – doesn’t absolve your business of its security responsibilities. Nor does it automatically ensure that your confidential business information is totally protected.

It’s still your company’s information, regardless of where it’s stored. So the protection of that information is still your responsibility – and that’s exactly how the law views your obligations.

Also consider how you’re going to access that information on a day-to-day basis. Even if your cloud services supplier has impeccable credentials and rigorous security, you still have to make sure that every device your business uses to access the information has suitable security. You need to run a local security solution that protects every desktop, laptop, server and mobile device that your business uses.

An ongoing need to be ‘security aware’

With a cloud solution, you still need to make sure that you and your employees adhere to all the security best practices that you defined in your security policy. For example, strong passwords are still required to help prevent unauthorised access to your information and your employees need to continue to guard against losing mobile devices. You also need to assess all the potential information security risks and ensure your staff are aware of simple security precautions. In fact, the only thing the cloud changes is that your information is stored off-site by a third-party supplier.
Caution over cloud contract catches

The cloud computing market is reasonably established with some very capable cloud services providers. However, many cloud storage solutions have been developed for consumers. In some cases, security may have been little more than an afterthought and could be insufficient for business users.

Consider the following questions when you’re selecting a supplier:

✓ Who will own my business information when it’s being stored in the cloud?
✓ What happens if the cloud services provider ceases to trade?
  • Will I still be able to access my information?
  • Will there be a period of downtime, while my information is being moved to another service provider for storage?
  • Will the original supplier still have copies of my information – and is there some way of ensuring these copies are deleted?
✓ How do I terminate my contract?
  • If I terminate, how do I transfer my business information?
  • Is there a simple and quick process for moving my stored information to a new supplier?
✓ How robust are the computers that the supplier uses to store my information and the communications systems that the supplier uses to make my information accessible when I need it?
  • Does the supplier guarantee continuous accessibility for my information (so I can access important information when I need to and not be affected by the supplier constantly claiming their ‘system is down’)?
  • Does the supplier have suitable technology to ensure a swift recovery from a major failure or an attack on their computing systems – without it affecting the security and accessibility of my information?
  • What level of security does the supplier offer to protect my information against loss and unauthorised access? (Remembering that I also still need to run security software on all of the computers and mobile devices I use to access that information.)
✓ Where will my information be stored?
  • Will offshore storage cause any legal or compliance issues for my business?
You’d never contemplate leaving your child in the care of someone that you hadn’t checked out and didn’t totally trust. Similarly, if your business is your ‘baby’, you need to invest a little time in assessing any potential cloud services provider in order to ensure your business’s confidential and sensitive information will be safe in their care.

There can be some very compelling arguments for moving information storage – and some software applications – to the cloud. However, you need to go into it with your eyes wide open. Even though cloud computing may help to simplify some aspects of your computing, the cloud can also add a new layer of complexity when it comes to selecting and managing your cloud services provider.

Cloud computing doesn’t diminish your obligations to protect sensitive information. It’s your responsibility to protect confidential information – and it’s your responsibility if you choose a supplier that lets you down through inadequate security.

Chapter 5

Choosing Security Software to Suit Your Business

In This Chapter

▶ Selecting the right security software supplier for you
▶ Ensuring you get the support you need
▶ Thinking about how your information security needs may change
▶ Deciding on the ideal level of security software

So you’ve assessed the security risks for your business and educated your staff about the importance of information security (of course, if you’re the sum total of the staff, that could be a pretty short training course). Now’s the time to choose the security software solution that’s best placed to help protect your business.

Selecting the Right Supplier

When you’re trying to choose from the various commercially available IT security software products, aim to select one that’s capable of adapting to how your needs may change when your business grows.

Show some support!
Question suppliers about what level of support you’ll get if any issues arise when you’re operating the software or if your business suffers an attack or security breach. Being able to pick up the phone and have someone guide you through any tricky issues isn’t just convenient and reassuring – it could also save you a lot of time and help you to get your computers and business processes up and running again as rapidly as possible.

On the other hand, if a supplier expects you to trawl through their online knowledgebase and find your own solution to the difficulty, that could take you away from important business activities for a significant amount of time. And isn’t it amazing how these types of incidents seem to save themselves up until you’re at your busiest – with a tight deadline to complete that detailed proposal for the business deal of a lifetime?!

Try to select a supplier that offers local support . . . in your local language . . . in your local time zone.

Choosing a supportive security supplier is a major part of the selection process. While the market includes some excellent packaged security software products that provide a host of anti-malware and Internet security technologies, consider what could happen when your business outgrows the package that you purchased:

✓ Will your chosen supplier be able to offer other, more comprehensive packages that you can migrate to?
✓ Does the product allow you to add extra features so you can protect new additions to your IT, such as virtualised servers, without changing your security product or having to get expert help to tackle any time-consuming integration issues?

These questions may not appear vital now. However, when your business grows, they could help you to avoid the disruption and costs associated with having to change from one security supplier to another.

Achieving more – in less time

For any business, it’s important to identify software solutions that are easy to use.
After all, who wants to spend endless hours setting up and managing security software, when a superior solution can automate many security processes and leave you with more time for other business activities? Ease of use is vital – especially if you have no in-house IT security experts. However, even as your business grows and you potentially take on specialist IT and security staff, easy-to-use security software helps to boost their productivity.

Simplifying security management

The user interface for most security software is often referred to as a management console. Rather like the various dials, lights and switches on the dashboard of a car, the console should give you an at-a-glance overview of how the product’s working, indicate any issues you need to be aware of and enable you to make adjustments. Sounds simple enough – but some software suppliers don’t make things as easy as they could be.

Some security software suppliers expect their customers to use several different management consoles in order to control the various different protection technologies within the supplier’s product package. Sometimes this is because the security supplier has acquired different technologies, as and when they’ve purchased other security companies. Whatever the reason, the need to use multiple consoles can be time-consuming and potentially very confusing for the operator.

By contrast, some security solutions enable you to view, control and set policies for all of the package’s security technologies – via a single, unified management console. This can mean you only have to become familiar with one, intuitive-to-use interface that gives you a clear view of all of the supplier’s protection technologies that are running on your computing network.

If you’re personally responsible for managing your business’s security software, this level of usability and manageability means you have more time for all those other much more important aspects of running your business.
However, even if you’re using an external or internal IT expert to keep your security software running as it ought to, having one easy-to-use management console can help to control costs and boost efficiency.

Reporting back to you

Any security product that offers you the flexibility to generate a wide range of reports on the security status and security vulnerabilities across all of your IT – including mobile devices and BYOD – can help to give you far greater visibility of any issues.

High Flyer or Lifestyle Business: Identifying Your Security Needs

Taking a little time out to have an honest look at your business and its aspirations is really worthwhile. It may be tempting to take a gung-ho, swashbuckling view and get carried away with imagining that one day your business will be a multinational capable of rivalling the largest conglomerates. However, not every owner wants that for their business.

Of course, plenty of companies have grown from humble beginnings on the kitchen table or in the garage and gone on to become world beaters. However, if yours is a ‘lifestyle business’ – whereby your prime aim is to grow your business revenue to a level where it funds a good lifestyle for you and your family – there’s definitely no shame in that. Recognising that’s what you want can help you to make the optimum choices when it comes to investing in IT and security.

The trick is working out:

✓ What type of business you have now.
✓ What your business could be like in a year’s time . . . and beyond.

Armed with this information, you’ll be in a far better position to decide how your information security needs may change. Then you can focus on choosing a security software product that’s right for your business now, and has sufficient flexibility and scalability to adapt as your business needs change. Choosing the wrong security solution may not be catastrophic – but it could cost you time and money, either now or in the future.
From Home-User Security to Business-Level Protection

Security software products are available for all sizes of business. The right solution for you depends on a number of things.

Home user security products

If your business’s IT started as just your own personal laptop, the chances are you were already running one of the many security solutions aimed at home users. Some excellent consumer-focused packages combine anti-malware and innovative Internet security technologies. Some even offer additional layers of protection for online banking and other web-based financial transactions.

For businesses with just a few employees, a home user product could be the ideal solution. However, with no shortage of consumer products on the market, you need to spend a little time assessing the features and functions that each product offers. A solution that only delivers antivirus protection isn’t really going to cut it in today’s high-threat environment.

Typically, security software that’s aimed at the home user may be fine for businesses of one to four people – provided that the software licence allows commercial entities to use the software. However, most home user packages can be difficult to manage when five or more people use them within the business. These types of packages often don’t make it easy – or quick – to apply the same security set-up and options across all the laptops, desktops and mobile devices that the business uses.

If you’re aiming to grow your business significantly, you could soon end up with an extensive and complex IT infrastructure. So choosing a home user security product – that can’t grow with your business – could lead to a costly and disruptive move to a new solution at a critical stage in your company’s growth.

Free-of-charge antivirus software

If you’re using free antivirus software you may want to carry on using that same security software when your business starts to expand.
While this could be a reasonable solution to some security requirements, it’s worth considering exactly what the free software provides – and what it doesn’t. Does it offer all of the necessary technologies to defend against the latest security threats and the sophisticated new ways that cybercriminals try to steal valuable information? If it only includes antivirus capabilities and a few Internet security add-ons, it may not be suitable to protect against the full range of threats.

Many free-of-charge software packages aren’t intended for use by businesses. The terms and conditions of the free licence often preclude use by any commercial organisation. So using some free software may be illegal. In other cases, the supplier of the free software will levy a charge when that software is used by a business.

Free puppy to a good home . . .

What a great deal! You always wanted a faithful hound at your side – and this way you’ve avoided the fees that the dog breeders command. Okay, it’s a mongrel, but it’s your mongrel and, best of all, he was totally free. Free . . . apart from the work, the mess (sorry to bring that up, but it’s your dog – so you’re going to have to clean it up!) and all those expenses. Yes, you’d factored in the cost of the inoculations and the routine visits to the vet, but did you ever think he’d chew his way through so much of your fine furniture?

In reality, not a lot in life is truly free. Much like your free puppy, free security software can have hidden costs. It might be that the free version of the software keeps flashing up adverts for third-party products or spends time trying to sell you the virtues of its ‘paid for’ premium version. Either way, whether it’s a set of banner adverts or the package’s efforts to upsell you to the upgraded version of the software, those distractions could affect the productivity of your employees.
Even if the software does neither of these things, you may find that when you need any support from the software provider it could be expensive.

Security solutions for large businesses

Having gained an understanding of the threats out there, you may decide to cut to the chase and buy the most comprehensive security solution on the market.

However, that can really backfire for a smaller business. Many businesses fail to realise that, for most software products, there’s an inverse relationship between functionality and ease of use. Products that include functions that only large-scale companies would need may be much more difficult to configure and manage when compared with products that have been developed with smaller businesses in mind. So the smaller business that decides to simplify the selection process – by just choosing the most comprehensive software product – may be making life difficult until some point in the distant future . . . when the business eventually grows into its chosen security software!

On the other hand, you also need to know that, as your business grows, your chosen security vendor can help you manage your new security needs – without having to rip out your existing product and start all over again.

Security solutions for large businesses may include advanced technologies that protect complex environments. However, if your IT network is relatively simple – and is likely to stay that way – you could be paying for capabilities that you’ll never use. Furthermore, an overly complex security solution can be much more complex to run . . . at every stage of its life. From initial configuration, through to ongoing management, a corporate-level solution can take skills and time that a smaller business may not have to spare. Put simply, corporate-level solutions often assume that corporate-level resources and corporate-level IT expertise are available on tap.

Prosumer-level security

Prosumer security? Yes, it’s one of those terms dreamt up by sharp-suited marketing types – but what does it actually mean? (By the way, if you’re running a marketing agency . . . just wanted to say how good you look in that suit!)

At their most effective and useful, prosumer security solutions bridge the gap between user-friendly products that have been developed for home users and those corporate-level products that can deliver extra functionality but may be more complex to set up and manage. So prosumer products aim to combine the extended capabilities that businesses require, plus the ease of use that’s necessary when the business doesn’t have a team of in-house IT security experts. When security suppliers get this balance right, prosumer products offer an irresistible combination for many businesses.

There’s a marked difference between a security product that’s been developed ‘from the ground up’ to satisfy the needs of smaller businesses versus a corporate-level product that’s simply been repackaged for the smaller business market. If a supplier is merely dressing up their corporate-level product and passing it off as a prosumer product, you could find yourself with security that’s too complex and too time-consuming to run.

Whatever the size of your business, make sure you choose a supplier that has invested time in considering the unique challenges that your scale of organisation faces, and has developed a software solution that’s optimised for businesses like yours.

When corporate meets prosumer

Just to confuse the issue even further, not all large business security products are unsuitable for smaller businesses. It’s true that products that have been developed without a thought for the particular challenges that smaller businesses face are unlikely to be suitable for organisations that don’t have in-house IT security support resources. However, there’s also a class of business security product that’s based on a simple, modular architecture.
Here the supplier may offer several tiers of software packages, with each tier providing a different combination of protection technologies. The lowest tier may offer basic-level protection that’s well suited to the simple IT networks that smaller companies operate. Then higher tiers add further protection technologies, with the supplier’s ultimate product tier delivering security across the most complex IT environments – including support for multiple operating systems and multiple mobile device platforms, tailored security for virtualised environments and special technologies for protecting Internet gateways, mail servers and more.

With these modular products, ambitious businesses can benefit from a security solution that readily scales as they grow – without the business having to manage the disruption of migrating from a relatively small security solution to a corporate-level solution.

If it seems as if you have too many choices, remember that the range of different businesses is almost limitless – and they all have different security requirements. So choice is a good thing. Even if it takes a bit of time to get your head around the pros and cons of the various options, doing so means you’re more likely to be able to select the security solution that matches your requirements.

Chapter 6
Ten Questions to Help Identify How to Protect Your Business

In This Chapter
▶ Evaluating what your business needs
▶ Assessing your legal obligations
▶ Deciding on your security policy

Here are ten simple questions to help you work out what’s necessary to protect your business against cybercrime, malware and other security risks:

✓ Have you assessed the potential security risks for your business and identified what information and computers need to be protected?
✓ In addition to protecting computers, do you also need to protect mobile devices and a BYOD programme?
✓ Are you aware of the legal and regulatory obligations that apply to your business with regard to the security of confidential information?
✓ Have you defined some basic security policies that the business can use to keep information, computers and other devices secure?
✓ Have you set up a simple education programme to help improve awareness of security issues and motivate employees to avoid security breaches?
✓ Have you evaluated the commercially available security software products – based on ease of use, the levels of protection they deliver and their ability to accommodate changing needs?
✓ Does your chosen security software supplier offer the level of support you need – in your language and your time zone?
✓ Would you benefit from additional security features that provide a further layer of protection for online banking and financial transactions?
✓ If you’re adopting cloud computing, have you checked the suitability of your chosen cloud services provider’s security and contract terms?
✓ Have you chosen a security software product capable of protecting all of the computers and mobile devices that your business uses to access the information that’s stored in the cloud?

The consequences of information security breaches and cybercriminal attacks can be devastating – so make sure your business IT systems are protected by a rigorous security software product. Turn the page for more details . . .

Security Your Business Can Depend On

With Kaspersky Lab’s award-winning security technologies protecting your computers, business information and mobile devices, you can spend more time on your core business activities . . . and less time worrying about malware and cybercriminals.

Security Solutions for Growing Businesses

Kaspersky Endpoint Security for Business offers a tailored product to meet your business’s unique needs. Simply choose the tier that suits your business requirements.
As your business grows and your IT network becomes more complex, you can move to the next tier . . . all the way to our ultimate security solution – Kaspersky Total Security for Business.

Kaspersky Total Security for Business combines comprehensive security and essential systems management functions to help you manage and protect all your endpoints:

✓ Windows PCs, Macs and Linux computers
✓ Physical and virtual machines
✓ Mobile devices – Android, iOS, Windows Phone, Windows Mobile, BlackBerry and Symbian
✓ File, mail, Internet and collaboration servers

To find out more about Kaspersky Endpoint Security for Business and Kaspersky Total Security for Business, please visit www.kaspersky.com/business-security