Data protection and what to do about it

“As a small and medium business and not for profit organisation, why is my business data being attacked and what are the attackers after?”

This question has many answers. It could be kids who want to see if they can access your data just for the sheer hell of it, or it could be something a lot more sinister. If an internal or external attacker gains access to your data and information, you could be in for a very hard time that could also cost you a lot of money.

SMEs are easier targets for criminals because they lack the internal training and knowledge required to protect their sensitive data. They use the same operating systems and technology that enterprise systems use but do not have the resources to protect them. They have limited access to high-end and costly security features and resources.

Most of the time, SMEs do not realise how vulnerable they are to both internal and external attacks. When an SME is attacked or compromised, the repercussions and effects of that compromise all come down to whether it has a decent security strategy. The framework created by a business security strategy can have ongoing benefits for an SME. The resilience of the business will ensure that, if something does happen, the business is in a better position than previously thought.

What can be damaged?

In the event that your business is attacked there are 6 points that will create havoc if the attacker gains access to your data and information:

One of the most devastating repercussions of an internal or external attack is the Destruction and loss of Intellectual Property. Most SMEs have significant money tied up in what they do and how they do it. This information is critical to the viability of the business. If your competition had access to this information, your business could take a significant financial hit.

Another area of damage that an internal or external attacker can visit on your business is Vandalism. This sounds pretty strange, but one of the most psychologically damaging things that can happen to a business, its owners or management, and its staff is to have their website changed or, even worse, changed in such a way that it is infected with malware so that all of its visitors become infected. There is nothing worse than going to your website and finding that the content has been changed. It may be just a prank, but the repercussions can be pretty overwhelming.

An internal or external attacker can do a great deal of damage to a business’s Reputation. This can be achieved in a number of ways. The most prevalent is that you have been compromised and you don’t inform your clients, or you have been compromised and the internet finds out about it. What happens if an attacker gains access to your client file list and sends each of your clients an invoice? Another situation is where your internal memos, in which a comment about a client can be taken out of context or misconstrued, are released to the outside world. That would have a significant impact on your reputation. Think WikiLeaks.

Internal or external attackers can use information that they have gained for Fraud and theft. They can sell or give away the information on the internet to the highest bidder through notice boards and chat rooms and, depending on the information (credit card details, for example), they can gain access to your clients’ money and steal it.

A security breach doesn’t always include the loss of information. If your data becomes unavailable through an internal or external attack, you will have the additional problem of Lost Revenue. If the information and data for your business is offline due to an attack, your business will start to lose income. Depending on the length of time that your data is unavailable, this can have a significant impact on your business.

All of the information that you have on your business system is your responsibility to protect. If you fail to protect that information, you may face Legal liability to your clients for breaching their privacy and personal information. This liability can take on many forms and could include compensating your clients for the loss of their personal information.

The responsibility to protect your business data and information falls squarely on the shoulders of management and owners. Implementing a security strategy will put the business in a better position to protect itself, to react if it is attacked, and to recover when something does happen.

So what do you need to do? You need to be able to restrict system access, you need to be able to track access, and you need to ensure that you are in a position to shake off the problem and then proceed with normal business. Business as normal has a nice ring to it, especially if it is true no matter what the situation.

To make sure that your business is in a position where these 6 points cannot happen, the security strategy needs to reflect the business requirements. To protect the business from both internal and external vectors, let’s look at each section again.

If your business has operations and systems that differentiate you from your competition, then you need to be able to protect your Intellectual Property. The way you do business is distinctive, and the way you rely on protecting your IP is as unique as you are. You need to have systems in place that ensure that the IP cannot be copied, moved or deleted without some level of information being conveyed to management. If a disgruntled employee deleted everything that was critical to your business, would you know, and could you recover from it?

In today’s world your website is the shop window of your business. If someone changes the contents of that window, either by mistake or on purpose, you need to understand the reasoning behind it and also get back to the correct content as soon as possible. Wanton Vandalism or accidental erasure can have major consequences for your business viability.

How do you protect your Reputation? Your reputation takes a long time to create but can be damaged in a heartbeat. A security strategy or blueprint can help to ensure your reputation stays intact. It allows you to use your business security as a marketing tactic and component. Would you like to be known as a business that protects its clients’ and staff information like a Catholic confessional? What a marketing coup!

Fraud and theft are not only an information and data problem. They can happen in any situation: shoplifting, pilfering, and break and enter are major problems for retail businesses and, with the changing economy, are becoming more prevalent. In regard to information and data, selling stolen IP can be a lucrative business for some people, whether they are internal or external. Protecting that information is just as important as putting in glass breakage alarms.

A security blueprint that takes into account business continuity (BC) and disaster recovery (DR) will ensure that there is a reduced chance of Lost Revenue. If something does happen, then the business, through its culture and with additional support from DR and BC, will be up and running in minimal time.

Your compliance systems as a component of the security blueprint will reduce your Legal liability by ensuring that there are processes, policies and procedures in place for internal compliance.   It will also reduce the compliance requirements for industry standards and government departments by ensuring that you use “best practice” to protect your business.

By building resilience, compliance and technology into your business environment, your security is boosted. An attack will be harder to perpetrate against you, will be harder to keep undetected if it does get through the security levels, and will be easier and quicker to recover from. You may never be in the position where your business is totally secure, but an adaptable security framework and blueprint will make it harder for you to lose information, your reputation or money. That means external attackers will target easier businesses, and internal attackers will know they will be discovered in minimal time, which reduces the chance of an attack happening.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.