Every week is Data Security Week
A recent cyber attack on Melbourne-based domain and hosting wholesaler Distribute.IT left thousands of their clients furious after the data of over 4800 websites was found to be unrecoverable. The fact that the company wasn’t actually responsible for data backups was beside the point - people were upset by the suddenness and severity of the attack on a group of experts that should have known better.
I don't put a lot of blame on the staff at Distribute.IT - a determined attacker can usually get what they want. But there is still plenty we can learn from Distribute.IT's experience; from customer service standards through to infrastructure planning. The main takeaway is that the debacle highlights just how careful we all need to be when dealing with cloud-based services.
The last three weeks have seen a bright red rash of exploits around the globe:
- MtGox, an exchange agency for the online currency Bitcoin (BTC), experienced a price plunge from $17 to nearly $0 in only a few minutes after accounts were breached and a massive amount of the currency sold.
- Meanwhile, Dropbox - the digital locker service - has had to face the fact that it broke its own authentication system for four hours on June 20 and allowed anyone to log in to anyone else's account, which some people did.
- The well-publicised theft of 77 million Sony PlayStation users' details and credit card numbers.
- Internet giant Google admitted it had been attacked by Chinese crackers campaigning to collect user passwords through a phishing attempt.
- A DDoS attack on cia.gov that caused its servers to overload and stop responding.
A survey from security software firm Symantec warns that two-thirds of Australian businesses have experienced some form of cyber attack in the past 12 months, and that 77% of those resulted in a loss for the business.
"The cost of these attacks is significant," says Symantec director of SMB for Asia Pacific, Steve Martin. "One in five of those businesses targeted reported losses in excess of $100,000 combined with lost productivity, revenue, and so on."
People everywhere are talking about cloud-based security, and that's one of the few good things to have come from the stressful, embarrassing and expensive disasters many are facing.
With that in mind, we at Experia would like to contribute five lessons you should learn from the recent scourge.
1) Ask the hard questions
If business owners learn nothing else, then it should be this – you must grill your hosting provider or web designer about what exactly is being done to prevent such a situation happening to you.
Many SMEs admittedly don’t have the expertise or the time to learn every little detail about their IT infrastructure, but when attacks can now bring down entire businesses, it is better late than never to at least learn the basics:
- Ask for and read Service Level Agreements (SLAs) - providers may give you many sorts of guarantees, but having your data protected by a piece of paper may not be enough, particularly if that agreement turns out not to be worth any more than the paper it’s written on.
- Security hardware and software, such as firewalls, are a key defence in protecting your data and in permitting or denying certain types of access to your web server.
- Service redundancy - essential services like data storage, DNS and network connections must have a fallback option if the primary option fails.
- Backups – if the worst does happen, as it did to 4800 Distribute.IT customers, then you need to have your own backup strategy that not only gives you access to your data but also makes it easy for you to restore.
- Contingency plans - consider and prepare for what you'll need to do in a worst-case scenario so your business can continue trading.
Have your IT managers sit in on calls to your providers to translate jargon, and make sure you question them as well on what would happen if a similar attack occurred to your business.
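A backup you have never restored is only a hope. The following shell script, added here as an illustration and not part of the original article or any Experia or Distribute.IT tooling, shows the two halves of the backup point above: take a copy of a directory, and then prove that copy can be restored. It assumes GNU coreutils (`sha256sum`) and `tar` are available; the directory names and file contents are constructed for the demo.

```shell
#!/bin/sh
# Constructed example: back up a directory to a timestamped tarball,
# record its SHA-256, then prove the archive restores cleanly.
set -eu

# make_backup SRC_DIR BACKUP_DIR -> prints the path of the archive created
make_backup() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/$(basename "$src")-$stamp.tar.gz"
    # -C makes the archive hold relative paths, so it restores anywhere
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    # The checksum lets a later restore detect a corrupted or tampered archive
    (cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE SRC_DIR -> 0 if the checksum matches and a test
# restore into a scratch directory reproduces SRC_DIR exactly; 1 otherwise
verify_backup() {
    archive="$1"; src="$2"
    (cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256") || return 1
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if diff -r "$src" "$scratch/$(basename "$src")"; then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return $rc
}

# Demo with constructed data; runs entirely inside a temporary directory
work=$(mktemp -d)
mkdir -p "$work/site/uploads"
printf 'hello\n' > "$work/site/index.html"
printf 'setting=1\n' > "$work/site/uploads/config.txt"
archive=$(make_backup "$work/site" "$work/backups")
if verify_backup "$archive" "$work/site"; then
    echo "restore test passed: $archive"
fi
# Simulate a damaged archive: one overwritten byte must make verification fail
printf 'x' | dd of="$archive" bs=1 seek=10 conv=notrunc 2>/dev/null
if ! verify_backup "$archive" "$work/site"; then
    echo "corruption detected, archive rejected"
fi
rm -rf "$work"
```

Run `verify_backup` on a schedule, not just once: a restore test that passed last year says nothing about the archive written last night, and keeping the `.sha256` file beside the archive on separate media is what lets you tell a damaged copy from a good one before you need it.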
Distribute.IT was a local Melbourne business, and I knew several people who were affected by the disaster. I've even used Distribute.IT myself in the past. It just goes to show that the size of the Internet does not make you anonymous - it can (and does) happen to you.
2) Think twice about the cloud
Hosting your infrastructure online 'in the cloud' can be attractive, especially if you’re on a budget, want access to your info on the go, and don’t want the burden of managing your own infrastructure. But be careful – putting information online, even securely, can be dangerous, and being custodian of your data using local or on-site resources is not always a bad idea.
We’re in a cloud honeymoon period at the moment. A lot of new services are available online, and mainstream awareness of these options is growing. It's easy to sign up for an account and just start using it for whatever the site suggests.
But not everyone has the vested interest in your business that you do. Not all information should be stored outside the walls of where you conduct business. For example, some of the advantages of using online bookkeeping software may not be worth the risk when equivalent desktop-based software is available.
And on the bright side, if a disaster happens, you won’t need to wait for a third-party to get back to you before you can update your own customers about what is going on with your data.
If you have many gigabytes of data, then putting it up online may not help your ISP data usage, or your web host's overage fees. It will likely be quicker and more reliable to back up to local media such as a tape drive, or something you can carry with you like a flash drive or rewritable optical disc.
3) Don’t skimp on hosting
If you do decide to host data in the cloud, then you should be prepared. One of the ways you can do this is to set aside a significant amount of your technology budget to sign up with a trusted service provider that knows what they are doing.
Distribute.IT was not the most expensive provider around, and as one customer said sadly afterwards “you get what you pay for”. Don’t fall into the same trap – companies like MegaBuy Group can attest to how damaging downtime can be after experiencing a week-long website outage and being unable to get a response from their webhost's tech support. "Don't try to save on the critical parts of your business operations as in the end it costs you more" says Yuri.
Paying more for your hosting services usually means resources are being directed to it; that real people are proactively managing your service, investing in appropriate infrastructure and providing client support where it is needed. It's not very easy to charge low prices and offer top-notch reliability and security, and the hosts that do charge those rates can usually do so because they're justified by consumer demand for quality service.
4) It's not all about technology
One of the scariest aspects of cracking groups like Anonymous, LulzSec and various other attackers is that they seem to target at random, and thousands of small and medium businesses have been caught in the middle.
Your business will suffer a cyber-attack at some point, and perhaps already has. Maybe not from the more prominent groups, but it is highly likely that eventually some outsider or irresponsible, but capable, 12-year-old will try and steal confidential information from your servers – credit card details, login information, admin access and so on. If there is a vulnerability there, someone, sometime, is going to take a peek.
"Make sure you get your own staff up to speed," AVG security expert Lloyd Borrett says. "Make sure they are educated, and you have security policies in place."
"Keep in mind it’s not just about the technology, although that’s an important first step. You need to have your staff and people in place, and make sure they report anything suspicious, then make sure it’s addressed.”
The PCI DSS requirements that became mandatory in July last year ensure that you are playing your role to make sure your customers' payment card data is being kept safe throughout every transaction, and that they – and you – can have confidence that they're protected against the pain and cost of data breaches.
5) Stay up to date
For many entrepreneurs technology is exciting, but for others it’s merely an inconvenience. Keeping up to date with the latest news in Trojan bugs and Exchange servers is the last thing on their mind.
Unfortunately for these others, technology is now an everyday part of business. The same types of security attacks will continue to be targeted at hosting companies like Distribute.IT, and as a result, SME owners must keep up to date with the latest news in security. Small merchants are also prime targets for data thieves in their own right.
AVG and Symantec publish regular reports on the latest threats (AVG’s second quarter threat monitor was just released today), which detail the latest, most popular attacks hackers are using to steal information.
This doesn’t need to be a complicated process. Simply read the news and keep up to date with what types of attacks are occurring, then make sure you’re protected.
This may involve nothing more than sitting down with your IT manager or website designer and having them explain it all to you – the latest threats, new technology and so on. But act on it: make sure that same IT manager is doing everything in their power to keep your business safe against these attacks.
As LulzSec asked last week via Twitter, "Why do you put such faith in a company that allows itself to become open to these simple attacks?".
Assuming any of this is true, reprehensible as the attacks are, you have to admit the group has a point: why haven't mainstream businesses secured their perimeters company-wide by now?
If you'd like to check if your details have been compromised by any of the breaches mentioned in this article, you can check your email address here: https://shouldichangemypassword.com/
Last modified by Luke Chambers on Jul 2, 01:46 PM