Every week there are stories about security breaches and guidelines issued on improving security to avoid breaches; from trade bodies, industry experts, software vendors and the Government. For many SMEs, the whole subject can be confusing. Is this something they should be concerned about? And do you, for example, have to do everything in the guidelines, or just some things? This series of blogs provides an introduction to Information Security and what it means for an SME.
The previous blog looked at what Information Security means (https://www.tiptopmedia.co.uk/blog/what-is-information-security). This blog starts by looking at some real examples of what can happen, and at some of the threats that cause information security breaches.
Twitter account is taken over
On 23 October 2015 the Essex Police Twitter account was taken over (http://www.theguardian.com/uk-news/2015/oct/23/essex-police-apologise-after-hackers-hijack-twitter-account). There was one unauthorised tweet, linking to an ‘offensive’ picture. The police said: ‘our initial assessment of the site hosting the picture is that it is not running any malware, but any users who visited the site are advised to run their security software to ensure their computers have not been infected’. Whoever holds the credentials for a social media account can speak in the organisation’s name to everyone who follows it, so the account needs protecting like any other business system.
Websites being hacked
In March 2015 the FBI was investigating the hacking of small-business websites in the US and Europe (http://www.computerweekly.com/news/2240241903/Group-claiming-links-to-Isis-hacks-small-business-websites). The attackers changed the content of the websites, which is commonly called defacement.
Second hand mobile phones, flash drives and mechanical hard drives still contained information
Many businesses sell old equipment or pass it on to relatives. Between May and August 2015, a study reported by Sophos (https://nakedsecurity.sophos.com/2015/10/09/are-you-inadvertently-selling-your-personal-data-on-ebay/) bought second-hand mobile phones, flash drives and mechanical hard drives and checked them for residual data. 35% of the phones and 48% of the drives still held data that was simple to recover, including email, texts, call logs, videos and photos. Deleting files, or even formatting a drive, does not remove the underlying data; business equipment needs to be securely wiped before it is sold or recycled, and this usually requires the services of a specialist disposal company.
Threats that cause information security breaches
- Cyber criminals who attack networks, send emails with links to websites that host malware, or gain access to data backed up in the cloud. Once inside a network they can read, copy, alter or destroy data. Downloaded malware may include ransomware that encrypts files, or spyware that copies them to the criminal. A compromised cloud storage account exposes everything that has been backed up to it. The methods criminals use continue to evolve, so defences also need to evolve to keep up with them.
- Theft of devices or paper records, either in a break-in at the office or while they are being carried outside it.
- Flooding or power failure that means the main working space cannot be used. The April 2015 fire in Holborn (London) left some businesses with no access to their office for over a week.
- Failure of a key supplier. An example could be the website development company. If they failed would it still be possible to update the website?
- Staff not following procedures. They could pass sensitive data to a third party by not checking who an email is addressed to, by discussing it on a mobile in a public place, or by falling for a scam in which they are tricked into giving information to a criminal. Confidential papers that are not placed in the confidential waste bin can end up in the wrong hands.
- Ex-employees who still have access to sensitive data. The risk of a breach increases if all of their access rights are not removed as soon as they leave. Cloud services, social media accounts and shared logins are easy to overlook, so keep a record of what each person has access to and work through it on their last day.
Should my business be concerned about Information Security?
The answer is: almost certainly! Any business that employs staff, relies on IT for any of its core functions, has a website, uses social media or cloud services, has to comply with security rules from its trade body or regulator, or has to dispose of confidential information on paper should be concerned. If none of those apply, you probably do not need to worry about deliberate attacks, but environmental threats such as fire, flood and power failure could still be an issue.
The next two blogs will look at how to protect physical and electronic assets.
Other blogs in this series
What is ‘Information Security’? https://www.tiptopmedia.co.uk/blog/what-is-information-security
Find out more on how to improve your information security at http://wadiff-consulting.co.uk/first-step-to-improving-information-security/