(Video) Why is your website a target of hackers?

Why your website is a target of hackers. And we’re being very loose with the term hacker, because there are a number of different variations of people out there in the digital world who are deemed as “hackers.”

We’ve got three types really.

  • The main one, and probably the most common, is the script kiddie. The script kiddie is the wannabe: the 14-year-old teenager who sits in the back room on a computer and thinks he’s a hacker. They download an application from the internet from a very unsavoury site and install it on their computer, which then makes them part of a bigger system used to attack other people. And then they quite happily go off and target people on the internet.
  • The second is the hacktivist. Hacktivists can also be teenagers, but they are interested in pushing their own particular wheelbarrow. They are only interested in defacing websites, compromising people or finding out information about people. In most cases they don’t want to break anything (some of them do); they are more interested in raising awareness about whatever they care about.
  • The third is the true, full-blown hacker. These are the guys, probably .001% of the people who consider themselves hackers, who are actually in it for the money. They are in it to disrupt and compromise things as much as possible.

So what are these people all after? It doesn’t really matter which of them they are, from script kiddie to hacktivist to hacker.

Why do we have websites?

Well, in most people’s eyes, and this is thinking from the last 5 years, a website is somewhere someone can come to your little piece of your digital world and get information about who you are, what you are, what you do, what you have to sell.

The second part of a website is a blogging website, where the content is changing all the time. You are putting videos up, you’re doing blogs. You’re getting your message out to the real world and getting other people to associate with you, join your tribe, get people interested in what you’re doing.

And the last part of having a website is as an e-commerce platform, so you can sell stuff.   You can get people interested in your product through the blogging. They come to your website, and they will then purchase something.

We know what the cost of a website is, but the cost of a website is only part of the equation. We are looking at protecting not only the www component of your website; if you’ve got a hosting platform where you’re using cPanel, then you have to make sure that doesn’t get compromised either.

You’re trying to make sure that logging onto that digital location is really secure.

So what are the bad guys, the hackers after?

Well, primarily (though it is only one of a large number of things), they’re after money. They’re after your money, they’re after other people’s money, and they’re after access to money. So credit card details are one of their biggest targets. If you’ve got an e-commerce site that takes credit card details, you have to make sure they’re not collected in a way that lets them be used by other people.

They are also after intellectual property and trade secrets. There was a company in 2010 who made metal detectors. One of their salesmen went to China, logged onto a free Wi-Fi network, had his laptop compromised, and the blueprints to the metal detector were stolen.

The people who stole the blueprints sold them to another company, which started building replica metal detectors and then undercut the original price. The funny thing was that the original makers of the detectors didn’t realise they’d been compromised until some of the replicas made by the other manufacturer started coming in as warranty claims.

But more importantly, the hackers are after your visitors. You’ve done all the hard work, you have used your SEO or pay-per-click money to attract people, and they are quite happily coming to your site regularly. If your website is infected, then it can compromise all of those people.

So how do they get access to your website?

Well, in the first case, they do a scan of the digital world. Remember those script kiddies: they are going to find out that you’ve got a connection to it, whether it’s your website, your office or your Office 365, and they are going to find out what your connection is.

All that information then becomes critical to what they do next. How about a little social engineering? They associate your website with your Facebook, Twitter and LinkedIn accounts, and any other social media platforms you’re using. Now they can see exactly what you’re doing, who your people are and what your products are.

So you’re actually doing some of the hard work that the hackers need done by having all of that information out there.

I’m not saying you can’t have it out there. I’m saying you have to be very careful about what you put out there.

And then from that, they see if they can compromise your website.

Now compromising your website is the hard part of the whole process. The steps above are all easy; they’re all done automatically. The next step is to come up with a plan of attack, and that usually involves cross-site scripting or malware.

How are we going to go about protecting ourselves from these people who are targeting our websites? Well, one of the big things, one of the main things you can do, is to have complicated usernames and passwords. And they are not only complicated but unique. They have to be 9 characters long. They have to contain letters, numbers and symbols, everything that you can think of.

When you install a website through some of the hosting platforms, like the WordPress system, the first thing it does when you press the button that says install is ask for a username for the admin account. Your admin account is literally the keys to your kingdom, and a lot of people just go admin, password blank. So what you’ve done on the internet is give all of those hackers access to your site without you even doing anything in particular.

The script kiddies don’t have to do anything, because the first thing their automated systems are going to do is try admin with a blank password, admin with password, or admin with 12345.

So instead of using admin, you use _29_admin41.

Yes, you have to remember that this is the name of the account. And then you use a complicated password, a really complicated password, 9 characters long, to make sure that people cannot get in there.

The next thing you have to do for your website, and one of the most important things, is to make sure that all of the small applications on the website are up to date. If they plug into JavaScript, or they have a Java component, they need to be updated and patched to make sure that a) they’ve got the most secure version and b) they’ve got the newest version.

Then you know that your passwords are in place, and that all your systems, including the actual underlying system like cPanel itself or WordPress, are all updated.

Getting down to the nitty-gritty of the website, most people have comments enabled by default. If you want comments on your blog site (rather than flipping comments through to your social media), then you have to make sure that people who come to your site to comment create a username and a password, and leave an email address that you can then verify.

The fourth component of what you need to do is, if you are logging on to your system, make sure that you’re logging on through a secure connection. It used to be SSL; it’s now TLS. SSL is a method of encryption which is not as secure as TLS, but it still works.

The fifth thing you need to do is no matter what happens, you need to back it up. You never know when your hosting platform is going to have a fire and burn to the ground. What are you going to do if that happens? Are you in a situation where you can build your website straight up and down on another platform?

Or if you don’t like the platform you’re on and you want to move it somewhere else, you have to have a backup of it. Otherwise there’s a lot of work involved.
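A backup is only useful if it can actually be restored, so the practical check is to restore it somewhere else and compare what comes back with what went in. The following is an added example, not code from the original post or from any hosting platform: it archives a site directory, writes a manifest of per-file SHA-256 hashes, then restores the archive into a scratch directory and verifies every file against that manifest. The directory layout and file contents in `demo()` are constructed for the example; the archive name pattern and the manifest format are assumptions of this example only.

```python
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large archives do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(site_dir, backup_dir):
    """Archive site_dir into backup_dir and write a manifest of per-file hashes beside it."""
    site_dir, backup_dir = Path(site_dir), Path(backup_dir)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())  # assumed naming scheme
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")  # everything lands under site/ in the archive
    manifest = {
        "archive": archive.name,
        "archive_sha256": sha256_of(archive),
        "files": {
            p.relative_to(site_dir).as_posix(): sha256_of(p)
            for p in sorted(site_dir.rglob("*")) if p.is_file()
        },
    }
    (backup_dir / f"{archive.name}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive, manifest


def verify_backup(archive, manifest):
    """Restore into a scratch directory and check every file against the manifest."""
    if sha256_of(archive) != manifest["archive_sha256"]:
        return False  # archive damaged or altered since it was written
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # safe extraction filter, Python 3.12+
            except TypeError:
                tar.extractall(scratch)  # older interpreters without the filter argument
        restored = Path(scratch) / "site"
        for rel, digest in manifest["files"].items():
            target = restored / rel
            if not target.is_file() or sha256_of(target) != digest:
                return False  # a file is missing or does not match what was backed up
    return True


def demo(tamper=False):
    """Build a small constructed site tree, back it up, optionally damage the archive, verify."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work) / "www"
        (site / "wp-content").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'constructed sample site'; ?>\n")
        (site / "wp-content" / "style.css").write_text("body { color: #333; }\n")
        backups = Path(work) / "backups"
        backups.mkdir()
        archive, manifest = make_backup(site, backups)
        if tamper:
            with open(archive, "ab") as fh:
                fh.write(b"bit rot")  # simulate a damaged archive file
        return verify_backup(archive, manifest)


if __name__ == "__main__":
    print("intact backup verifies:", demo())
    print("damaged backup verifies:", demo(tamper=True))
```

The manifest lives next to the archive on purpose: when the hosting platform is gone, the copy you restore from has to carry its own evidence that it is complete. A scheduled job that runs `make_backup` and then `verify_backup` on the result, and alerts when verification fails, turns "we have a backup" into "we have a backup we have restored".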

One thing that people don’t do is visit their site regularly. And I’m talking 1-2x a week, 1-2x a day, but no less than 1x a fortnight. Because you never know when updates have to be applied, and you never know whether someone’s left a comment, unless it’s emailing you as well. But if you’re visiting it regularly and can see what is happening, then you know that the look and feel of the website you’ve produced is going to stay the same. It’s very important that you see it as regularly as possible.

Getting down to the security component of what we’re talking about, most websites do not have a way of informing you that people have logged on or that something has happened, and there’s no regular scan of the PHP or of the SQL. This is handled by a module that goes onto WordPress. I’ll talk about WordPress here, but there are modules that work with HTML sites and a number of other CMS systems.

This module is very important. For one, it tells you when people log on, where they’re logging on from, and whether people have failed to log on. So if these people are trying admin, you’re going to get a message, or a consolidated message every day, about the people who have been trying to access your site.
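To show what that daily consolidated message looks like when it is built from raw log lines, here is an added example that is not code from the original post and not from any WordPress plugin. It parses a small constructed login log (the `timestamp STATUS user=… ip=…` layout is an assumption of this example, not a real plugin's format), keeps one day's events, and summarises successful logins, failed attempts, guesses at default account names and any source address that exceeds an assumed failure threshold.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log; addresses are documentation ranges, and the field layout is assumed.
SAMPLE_LOG = """\
2015-06-01T02:14:07 FAILED user=admin ip=203.0.113.45
2015-06-01T02:14:09 FAILED user=admin ip=203.0.113.45
2015-06-01T02:14:12 FAILED user=administrator ip=203.0.113.45
2015-06-01T02:15:01 FAILED user=admin ip=198.51.100.7
2015-06-01T09:30:44 SUCCESS user=_29_admin41 ip=192.0.2.10
2015-06-01T11:02:19 FAILED user=_29_admin41 ip=192.0.2.10
2015-06-01T11:02:31 SUCCESS user=_29_admin41 ip=192.0.2.10
2015-06-02T03:40:00 FAILED user=admin ip=203.0.113.45
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<status>SUCCESS|FAILED) user=(?P<user>\S+) ip=(?P<ip>\S+)$")
DEFAULT_NAMES = {"admin", "administrator", "root"}  # the guesses the post says automated tools try first
FAILURE_THRESHOLD = 3  # failures from one address in a day before it is called out (assumed value)


def parse_log(text):
    """Turn raw log lines into event dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "status": m["status"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def daily_report(text, day):
    """Summarise one calendar day (YYYY-MM-DD) of login activity."""
    events = [e for e in parse_log(text) if e["ts"].date().isoformat() == day]
    failures = [e for e in events if e["status"] == "FAILED"]
    failures_by_ip = Counter(e["ip"] for e in failures)
    return {
        "day": day,
        "successful_logins": [
            (e["user"], e["ip"], e["ts"].strftime("%H:%M:%S"))
            for e in events if e["status"] == "SUCCESS"
        ],
        "failed_attempts": len(failures),
        "default_name_attempts": dict(Counter(e["user"] for e in failures if e["user"] in DEFAULT_NAMES)),
        "ips_over_threshold": sorted(ip for ip, n in failures_by_ip.items() if n >= FAILURE_THRESHOLD),
    }


def format_report(report):
    """Render the summary as the plain-text body of a daily notification email."""
    lines = [f"Login summary for {report['day']}",
             f"  successful logins: {len(report['successful_logins'])}"]
    for user, ip, when in report["successful_logins"]:
        lines.append(f"    {when} {user} from {ip}")
    lines.append(f"  failed attempts: {report['failed_attempts']}")
    for user, n in sorted(report["default_name_attempts"].items()):
        lines.append(f"    {n} guess(es) at default account '{user}'")
    for ip in report["ips_over_threshold"]:
        lines.append(f"  {ip} exceeded {FAILURE_THRESHOLD} failures; consider blocking it")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(daily_report(SAMPLE_LOG, "2015-06-01")))
```

Two things the consolidated view shows that a single alert does not: the same address working through `admin` and `administrator` is one scanner, not three incidents, and a single failure on the renamed account from the same address that then logs in successfully is almost certainly the owner mistyping, so the report lists it without flagging it.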

But Sucuri has two more things. They have a one-click secure system. So you install this plug-in on your website, and when you hit the one-click secure button, it locks all of the PHP down and changes some of the permissions to a level where things are still going to work but are a lot more secure.

And if you really want to be secure, and you start to look at other components like e-commerce and payment gateways, then you need to start looking at a proxy gateway. A proxy gateway will cost $20-$40-$60 a month. If you’ve got a regular website that is getting accessed every 2-3 hours, 10-20-30x a day, then as a small business you need to start thinking about what these people are doing and how they’re getting to your website.

A proxy gateway takes your www requests as they come into the gateway and then forwards them on to your hosting site. What that does is make this part of your website very secure, because they’ve got to come through the gateway before they can get to your site.

If the gateway itself gets compromised, it is not a big deal, because there’s no information on that site or in that area of the gateway. But is it going to allow the system behind it to be compromised?

So instead of affecting the gateway and then trying to affect the site behind it, nothing happens. The information is always going backwards and forwards under SSL or TLS, so it’s all secure. You then know that your site is going to be relatively secure, and that makes it a lot better for your website itself and for your own peace of mind.

So as I said, they are out there. The cyber criminals are targeting you not because you have something they want, but because you are connected to the internet, and that is really important. It’s a big message to get across. Although you may think you don’t have anything worth stealing, or that you’re too small to be a target, or that it’ll never happen to you, with the script kiddies, the hacktivists and the real-life hackers targeting your website, just being on the internet makes you a target.

So you have to make sure that although you are a target, you try to take yourself away by putting in a few initial systems that will protect you.

Now if you go to our website, at the bottom of this page there is a website security checklist. Just download it, leaving your first name and your email address, and it will give you an idea of where your website is and what you need to do to protect it.

If you have any problems, please drop me an email at support@RNIConsulting.com.au.

Thank you very much for your time.

Digital security – why is it so bloody difficult?

10% of the global population that use the Internet have more than a basic understanding of the digital world.   There is a severe disconnect between what is done and what needs to be done when protecting an organisation from cybercrime.

Throw out terms like dark net, cloud technologies, IoT (internet of things) or BYOD and most managers, board members and owners shrug, glaze over and say that it is an IT problem.

In today’s threat landscape, cybercrime is a business risk, probably one of the biggest risks a business will face. Like all business risks it has to be addressed as soon as possible. But what are you addressing?

In most cases management teams, board members and owners consider cyber and digital protection an unreasonable and unjustifiable expense for the organisation (until it’s too late that is).   In most cases they under invest in Digital Security, for no other reason than they do not understand the problem.

From a business perspective, of the thousands of attacks on most business systems, mobile devices and other devices that are connected to the digital world every year only one has to succeed.   As an organisation, we have to stop them all.   That compromised system is the Trojan horse to get into your organisation.

We have all experienced a virus and how hard it is to stop and clean up. Imagine if that virus was just the scout of a more costly attack. You don’t have to imagine it; in most cases it is the vanguard of your worst nightmare!

The recently discovered attack on 100 worldwide banks that netted the criminals around $1 billion was done through a very sophisticated process that included boutique malware (undetectable by the best AV), social engineering, bad work practices, substandard policies and procedures and a lack of auditing.

The perfect storm that netted the bad guys all of that money over a 2 year period.

Compared to walking into a bank with a gun, or blowing the safe, this theft is relatively painless.   It is very profitable! Very profitable and relatively safe!   Catching the bad guys is remote, difficult and the criminals that do get caught show Darwinism at its best.

These 3 factors make the management of cybercrime difficult:

The cost of Digital Security technology!

Walk into any office, locks on the doors, motion detectors in the rooms, alarms on the windows, possibly biometric locks and access and in some cases bollards out front.   These are known protections that have come about in the last 100 years.   Costly but important protection.

Protecting the organisation’s digital assets is a little harder.

If an organisation does not understand the WHY of cybercrime and Digital Security the protection requirements are often underestimated.

The business management’s attitude that free or cheap is the solution reigns supreme.

  • Free anti-virus must be better than having to pay a monthly or annual subscription for a managed end point protection system!   The fact that it only captures 90% of the known problems is irrelevant.
  • Or purchasing the inexpensive router from the local retail shop will do the job of a router with UTM (unified threat management).   The attitude that we just need a device that connects to the Internet is often heard.

There are thousands of other examples where free or cheap is the solution taken by SMEs and even larger organisations.

When it comes to technology – you pay for what you get and scrimping on Digital Security by buying the cheapest means you are exposing your business to unnecessary risk.

The cost of protection can be exceedingly high, and that is the main reason that risk management and risk assessment are paramount in those decisions. Throwaway lines like “we are too small to be a target” and “it will never happen to us” are based on myth and legend. Like any normal risk factor, understanding and then mitigating the risk has to be front of mind, and in Digital Security mitigating those risks comes at a cost.

The Digital Security jargon (non jargon) is hard to understand!

There are times when the discussion around cybercrime and Digital Security  is difficult.   I will even admit that at times I have trouble understanding what sales and technical people are saying, and I have been in the industry for more than 30 years.

One of the reasons for this disconnect is jargon.   Each manufacturer has a new word, new catch phrase, new product name or new operating system, that someone somewhere in the purchasing organisation has to now learn, understand and manage.

Getting straight and understandable answers to basic questions in the digital space can also be difficult. The answers are made more difficult if you cannot understand them or worse still have not asked the right questions.

Paramount to protecting business information is to understand what information needs to be protected.

This communication disconnect also happens when describing the criminal element.   Malware, zombies, botnets are the tools of the digital criminal, but most businesses do not understand the impact that they have on the protection paradigm.

In most cases businesses do not understand why they are being targeted with viruses or malware.

“Why did we get a virus, we have nothing worth stealing” is a cry we get regularly!   Everyone has something worth stealing even if it is just the storage and cycles used by the system itself to become a zombie or to join a botnet.

Digital Security Protection is difficult to manage!

The next problem with Digital Security is the management of all of those digital components.   Organisations believe that digital protection is “set and forget”.   A couple of years ago this might have been true.

Thinking that once it is in place you don’t have to worry about in today’s digital world is a bad idea and can have devastating consequences.   Not updating a device for 12 months or in some cases 3 years is definitely not best practice.

All of the components that protect the business have to be updated regularly, checked regularly and most importantly tested to ensure that they are working to design specifics.   Once again Jargon is a problem.

The digital threat landscape is constantly changing.   The bad guys know this because in most situations they are behind the changes.

Conclusion

Digital Security is a holistic process. Once again jargon impacts the organisation’s decisions. To make a correct risk assessment on the organisation you need to know:

  1. What needs to be protected?
     • Intellectual property
     • Financial information
     • Client information
     • Digital assets
  2. How will it be protected? This is the technical component of the risk analysis process.
     • Separate network
     • Restricted access
     • Encryption
     • User access
  3. Who needs access to it?
     • Does everyone in the organisation need access to all information?
     • Can components of the information be separated?

You have to have a basic understanding of the required components that are protecting that information before you can make decisions.

Convenience is usually the primary driving force for business. It is also the driving force with applications and systems. Security should be more important than convenience, but most of the time it is further down the list.

This article first appeared on LinkedIn

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework.   He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.

A one-man band: why you should worry about cybercrime

This post is addressed to all of those small businesses: the businesses who have an email account, a laptop, an accounting package, a couple of smart phones and tablets, and a desire to utilise them to their best. So I am talking to tradies, mom and pop businesses, small sub-contracting businesses and micro businesses.

Welcome to the digital world and it is nothing like the real world.   The digital world can be and is a very dangerous place.   The criminals only have to get their attack right once to win.   We have to protect ourselves and your information all the time.

Most cybercrime attacks in the digital world use malware to target all connections to the internet through automated systems.   These automated systems make up 85% of attacks and they are happening all of the time.     18 computers/devices get compromised every second through these automated systems and although they may not have anything of importance on them the actual hardware can be used to target others on the Internet.   This in the long run costs you money in traffic or reputation.

Here is the best way to protect yourself:

Passwords

Every password that you use has to have the following features.

  • They have to be more than 8 characters long,
  • use numbers, letters and symbols and
  • have to be unique for every web site or location that you need a password.
  • Your email account is the keys to your kingdom, if you lose access to it then you are in very big trouble.
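Both the website post above (a 9-character, letters-plus-numbers-plus-symbols password on a non-default admin account) and the list just given (more than 8 characters, numbers, letters and symbols, unique for every site) describe the same policy, so here is one added example that checks it; it is not code from either post. It audits a small constructed list of site/username/password entries for default account names, weak or default passwords, missing character classes and reuse of one password across sites. The default-name and weak-password lists, the 9-character minimum and the sample credentials are all assumptions of this example; it is meant to be run locally against a credential export, never to be a place where plain-text passwords are stored.

```python
import re
from collections import defaultdict

# Account names and passwords the posts say automated tools try first (assumed list).
DEFAULT_USERNAMES = {"admin", "administrator", "root", "user", "test"}
WEAK_PASSWORDS = {"", "password", "12345", "123456", "admin", "letmein"}
MIN_LENGTH = 9  # "9 characters long" in one post, "more than 8" in the other

# Constructed sample credential export; not real accounts.
SAMPLE_CREDENTIALS = [
    ("blog.example", "admin", "password"),
    ("shop.example", "_29_admin41", "Tr0ub4dor&3x!"),
    ("mail.example", "roger", "Tr0ub4dor&3x!"),
    ("cpanel.example", "roger", "Summer2015"),
]


def check_username(username):
    """Flag the installer default that scanners try without any reconnaissance."""
    return ["default username"] if username.strip().lower() in DEFAULT_USERNAMES else []


def check_password(password):
    """Return the list of policy rules the password fails (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbols")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("common default password")
    return problems


def find_reuse(credentials):
    """Map each password used on more than one site to the sorted list of those sites."""
    sites_by_password = defaultdict(set)
    for site, _user, password in credentials:
        sites_by_password[password].add(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def audit(credentials):
    """Per-site list of problems: username, password policy, and reuse across sites."""
    reuse = find_reuse(credentials)
    report = {}
    for site, user, password in credentials:
        problems = check_username(user) + check_password(password)
        if password in reuse:
            others = [s for s in reuse[password] if s != site]
            problems.append("reused on " + ", ".join(others))
        report[site] = problems
    return report


if __name__ == "__main__":
    for site, problems in audit(SAMPLE_CREDENTIALS).items():
        print(f"{site}: {'; '.join(problems) if problems else 'ok'}")
```

The reuse check is the part people skip: `shop.example` has a strong password by every other rule and still fails, because the same password protects the mail account, so a leak from one site opens the other.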

Using cloud technology

Cloud technology has come a long way in the last 3 years.   In a business sense we can now do a large amount, if not all, of our business in the cloud.   From cloud based CRM for client management to accounting software for billing and invoicing.   From web based email to project management for managing projects they are all there in the cloud.

The good thing about the cloud is that most of the products are accessed through a web browser and can be accessed from any system that has browser capability. Although the underlying platform’s security is managed by the vendor, it is the user’s responsibility to have a secure password to ensure that no one else can access the information.

Bank accounts and credit cards.

There are so many ways that a criminal can gain access to your bank accounts.   A key logger through a virus or malware.   A RAT (remote access Trojan) that can actually take over your digital device and do whatever it is programmed to do.

But the bank accounts are not the only problem. PayWave is becoming a target for criminals, to a level where an RFID scanner can access your credit card, in your wallet, from 30 feet away.

End point protection

All devices that have a connection to the Internet have to have some sort of personal protection. You can go with a licensed copy of an anti-virus or you can go with a free system; no matter what, they have to be protected at all times. We recommend the free AV FortiClient, as it does most of the things that you need.

In addition to real time protection you also need to do a regular scan of the whole system.

Patching

How annoying is it when the system comes up and tells you that it has updates to apply.   This is a good thing.   The systems are updating code that has been found to have errors or inaccuracies in it that will allow an attacker to gain full control of your machine, phone or tablet.   These errors are what malicious code targets through viruses and worms.

All systems use subsystems like Java and Adobe and these are also regularly updated by their manufacturers.

Backing up / business continuity

Even when you think that nothing can go wrong, that is when something does. With all your information in the cloud, email, accounts, CRM or project management, what happens if you can no longer access your information? How long will your business last without email, or the ability to invoice clients?

This is why some level of backup, disaster recovery and business continuity is required.   Thinking through to a point where if this happened what will my business look like, how will it work is very important for the everyday operations of the business.

When it comes to cyber and digital security, what happens if you get a virus from an email on your laptop, or visit a website and get a malware infection on your smart device?   Where is a copy of your schedule, or your contacts?   This is why you need some level of backup.

Paranoia and awareness

Have I instilled a little bit of paranoia in you yet? To tell you the truth, that is good. On the Internet everyone is targeting you, so in fact you are not actually paranoid, just very aware.

Small operations have enough to worry about when it comes to business. Being aware that cybercrime is a legitimate threat to that business is important. Being aware of the problem means you will make additional decisions based on those threats.


The benefits of an ethical hacker

I have a friend who, over the last couple of years, has become an expert in the ethical hacking arena. He is well thought of in the white hat communities and feared in the black hat areas. He can put together malware, do a little social engineering and infect a business, in most cases easily, within a couple of hours.

That is what an ethical hacker does. He tests the defences of organisations with the same tools and attack vectors that the cybercriminal uses. In most cases they have a better understanding of the criminal mind than most law enforcement. They also have a better understanding of the technology than 99% of the supposed bad guys of the digital world.

They are legally allowed to say “if I wanted to steal data from you, this is how I would do it”, mainly because they have asked your permission to do it. That is one of the keys to a successful ethical hacker. They ask permission, and get paid, to attack your organisation.

These attacks can be aimed at your main data system, your web site, your ecommerce site or any other technology that is attached to the Internet.   That also includes your users and their devices.

Once an ethical hacker has completed his assessment, he will come back to the company with a report on what was attacked, in most cases how they got in, and the most important component: how you can stop a real hacker from attacking your business.

A complete tactical ethical hacker attack can cost a couple of thousand dollars.    A compromised business can lose that amount of money in minutes and can continue to lose it for hours, days or even weeks after a real attack.

To me, ethical hacking is a science, but it is something that even the smallest of Organisations needs to consider.

TLR Communications


How to make your organisation a smaller target of cybercrime

To most small and medium businesses and non-profit organisations, the idea that they are a target of cybercrime is farcical. I constantly hear “we are too small to be a target”, even from organisations that have predicted revenue in the millions of dollars per year.

Cybercrime targets everyone who has a digital footprint.   That includes computers and laptops as well as mobile phones and tablets. It doesn’t matter if it is for work or for home you are still a target.

The problem is “script kiddies”. These are the hacker wannabes. They have downloaded a hacking tool, infecting their own computer in the process, and are ready to look for people to hack. Script kiddies make up 80% of the noise on the Internet.

How do you make that target smaller?

There are a number of free and low-cost strategies SMEs can employ that improve your security posture dramatically.

Train and educate your staff.

Everyone in the business should also realise that they could be targeted by a cyber-criminal. Could they recognise a spear phishing email, or recognise that they are being targeted in a social engineering attack? Do they know not to use an unsecured Wi-Fi connection when away from the office? They won’t know these rules unless you tell them.

This knowledge comes from training.   Your awareness training should not be a one off indoctrination session.   It should be augmented with additional training throughout the year.

There are other things that can be done to increase awareness:

  • Run a daily security email question – first person to answer it gets a prize.   Increase it to a monthly competition and have a substantial prize.   Before you balk at the cost, $200 for a weekend away per month is much cheaper than cleaning up a computer or worse a network after a malware attack.
  • Have posters about basic security principle around the office.   They are available from the Internet at a relatively low cost.

Patch everything

How annoying are those update prompts from Microsoft or Apple?   You haven’t got time for that, there is work to do or you have to go home.

Updates are very important to the operating system and applications that you use in your business. Updates are important; they fix problems that have been discovered.   These problems allow specific malware to target your computer, tablet or phone, and the download (patch) fixes it.   Without the patch you are vulnerable, with the patch you are safe from that attack.   Remember the script kiddies – this is what they target.

Paranoia and common sense are your friend

It may seem silly but everyone on the Internet is not your friend.   In fact there are a huge number of people out there who want to do you harm.

There are two things that everyone on the Internet needs to realise: nothing is for free, and see above. So when you see that search article about some celebrity with no clothes on, remember the bad guys are out there and they are after you.

Social media (Twitter, Facebook, YouTube and LinkedIn) can be a major problem in this area. You need social media to get your message out there, but how do you know who to protect against?

Making your organisation a smaller target against cybercrime can be relatively cheap and easy.   Yes you still need to invest in front line internet facing systems and the like.   The difference is the bad guys can lose millions of times and not worry about it, but the good guys need to lose only once.

If it gets through the expensive second generation firewall, it would be a good idea to have your staff on the inside saying – “How come this weird email got through and why are the links pointing to a site in Romania” and delete it instead of clicking on it.

How to increase your business protection by educating your staff against cybercrime

Staff education seems to be one of the strategies that is missing in most businesses when it comes to digital protection. Education can have one of the biggest impacts on the digital security of any business or organisation.

When it comes to protecting your organisation against cybercrime you will always need the basics.

  • A decent second generation firewall (not something supplied by your ISP or bought from a local retail shop),
  • a centrally managed AV
  • a secure off site backup service and
  • Numerous other management components for protecting the organisation

But one of your best defences against cybercrime is making your staff more aware of the dangers. Technology and management can only go so far, no matter how good or expensive they are.

There is always a chance that the newest threat makes it through all that new technology, and then all you have is a human to protect your business. That staff member is in a position to either question the attack or just follow the normal process and “click on the link”, for instance. Having an educated user in place increases your protection level substantially, because they will be more readily able to question the attack.

Your business induction process is a great place to start. Included in that induction process should be your organisation’s cybercrime and digital education process. The process should look at the basics of digital protection and why cybercrime is a problem.

Those basics being:

  • Passwords: using complicated ones, what a complicated password is, how to create them, and why they are so important as a first level of protection for your organisation
  • Basics about the Internet and email, including spam, phishing and social engineering
  • Social media and its role in the organisation’s profile, and what can be posted and where
  • Understanding WiFi and VPN, and working in the cloud
  • BYOD and the organisation’s digital policy

Like all education processes, cyber security education is an ongoing process. You need to ensure that staff and users are not forgetting the lessons learned. To do that you need refresher information and reminders that will keep the lessons remembered at all times. These can include additional education courses, competitions, posters and anything else you can think of that will keep security front of mind for all users.

Education is also one of the cheapest ways to protect your organisation. A second-generation firewall can set you back thousands of dollars, whereas a basic digital education course can cost as little as $50 per user.

Remember, the bad guys attack you thousands of times, but all it takes is one to get through and your digital system is no longer yours. When that happens, I hope you have an educated user at the other end to question the attack!

Taking Back the Digital Streets – Cybercrime now and the future

In the 70s and 80s, there was a fight in cities worldwide to take back the streets and make it safe for normal people to walk in their neighbourhoods without fear. Those efforts paid off—murders, muggings and other urban crimes have dropped dramatically since then. The internet badly needs a similar intervention.

The internet may be the last bastion of free speech, but it’s also the most dangerous place on the planet. You can lose everything—your money, information and identity—before you even realise that you have been attacked. At least if you get mugged in a dark alley you have the bruises to prove that you have been robbed. Have you ever tried to convince the bank that you did NOT purchase that top-of-the-line snowmobile, considering you live in the tropics? It is not a fun conversation.

But the current level of crime isn’t inevitable. I have been reading some articles on how New York City citizens took back control of their streets. Their efforts involved forming neighbourhood watches and cooperating with police. There were also a huge number of court cases there concerning a citizen’s right to free speech and free movement. All of these solutions started with citizens demanding a safer environment.

The “citizens” of the digital world should do the same. We, the people, are the ones using the internet for practically everything, and we have to take control. With the help of law enforcement and politicians, we can do it, but it has to start with us.

Of course, there are huge problems to overcome. I like to call them challenges. Here are a few.

Too Many Criminals

How do we reduce the number of cyber criminals? Well, in most cases, the neighbourhood solutions that worked were not high-tech stuff. And the answer wasn’t more arrests—in some cases it was fewer, but the arrests they did make were those that had the biggest impact. By removing the people on the lower rungs of the ladder, they left the ones on the higher rungs without their support. The ones higher up had to come down, and they were also caught in the net.

The internet has its own forms of small-time crime. Web site graffiti, using an exploit kit, ripping movies and music, and creating a phishing email are all at the lowest level of the badness scale. If the people who were doing this were the targets of law enforcement, starting with an escalating fine system, then these people would quickly drop out of the cybercrime arena. It would no longer be a cool and easy thing to do; it could get you a criminal record. Yes, these people can be caught—the problem is that they are so numerous that it will take a concerted effort at all levels.

Look at web site graffiti: it is either done on a dare, or it is done as a political attack. Let’s look at it as a dare: when the perpetrator is caught he is fined; if he is underage then his parents are fined.

If it is political, then there is another problem. I can hear the cry from here—what about free speech? Well, you can still say what you like. You have the right to go down to the street corner and shout your views from a soapbox. Or upgrade to the digital version—get a domain name and a web site, and you can say and do whatever you like. But law enforcement has to make clear that the moment you graffiti a website, you are defacing someone else’s property. Just like spray-painting your tag on the front of someone’s office, you are crossing the proverbial line and will get fined or arrested.

Draconian? Maybe. But the focus of this policy wouldn’t be to ruin lives forever. Instead, it would provide small-time hackers with an incentive to stop before they have the chance to hone their skills.

Broken Windows

The victims of petty crime can also play a role in keeping the internet safe. The owner of a web site that has been defaced has an obligation to remove the graffiti and tighten up security. In a normal business situation—the front of a building, for instance—the clean-up is usually almost instantaneous. But I have seen defaced websites that haven’t been fixed in months.

Why does it matter? The New York mayor of the late 90s, Rudy Giuliani, had the right idea. He called it the “broken windows” theory (http://en.wikipedia.org/wiki/Broken_windows_theory). If there are broken windows in an area, that sends the message that no one values property and no one is in charge. Then more windows get broken, more crime takes place, and the neighbourhood turns into a scary place. But the moment you start to replace them (or remove other signs of vandalism), everyone in the neighbourhood senses that the rules are being enforced. The whole community starts to get involved in maintaining their space, and normal people start to move back in.

Not Enough Cops

Another deterrent of crime is for law enforcement to have a presence in the area. In New York today you cannot go two blocks without seeing a cop car or an officer on foot. That’s harder to achieve in the online world. How do we put digital cops on every corner?

Yes, police departments can hire specially trained cyber cops. But they can only see a small fraction of what takes place. To be effective, they will need to interact with normal users.

In South Los Angeles, an innovative inner-city police department devised an effective approach to gang violence: the Community Safety Partnership (http://www.nytimes.com/2013/07/14/magazine/what-does-it-take-to-stop-crips-and-bloods-from-killing-each-other.html). The police had a need for streetwise people who understood the neighbourhood. These people are the honest, law-abiding citizens who have close ties to gang members and are a little savvier than the rest of the community. They inform the police when a high-risk situation is developing—for instance, when the Crips or Bloods are plotting a revenge killing. This inside information helps cops prevent crime before it happens.

It works because streetwise citizens are the best source of information on crime. So let’s create more streetwise digital users. Let’s increase the awareness of the innocent, the uneducated and the ill-informed so they can recognise cybercrime when they see it. If users know when a crime or scam is taking place, they can report it to law enforcement, their antivirus software provider, or a criminal’s IP. This is a win-win situation for everyone.

Stop Hunting for Scapegoats

We have a tendency to assign blame and search for scapegoats. The solution I’m proposing is the opposite of that. We need to shift our focus away from the big crimes that grab headlines. It’s easy to be angry at Target for letting customer credit card information get leaked, but punishing one company won’t prevent the next attack.

Law enforcement, too, needs to change its mindset, from one of confrontation to one of prevention. Too often, cops swoop in to bust a big cybercrime ring (like the underground drug marketplace Silk Road) after monitoring it secretly for months. To prevent crime, law enforcement has to be more visible. Bank robberies would probably be a lot more common if there were no security guards or patrol cars for miles around.

If we get the small problems sorted out, we can then put in checks and balances that will allow the digital world to flourish. As with any process, we have to walk before we can run. We have to start with the small wins and build on them. From Twitter stalkers to Facebook trolls, from 12-year-old script kiddies to targeted phishing attacks, from malicious insiders to dedicated hackers, we have to send a message that crime has consequences.

I know that changing the digital world will take a little time. It took 20 to 30 years to sort out the problems in New York and L.A., and they’re still not perfect. But we have to do something about the dangers of the digital world before it really does become a broken communication device.

The golden rules for BYOD in the workplace

BYOD is huge; it is one of the up-and-coming technologies that SMEs either embrace or totally hate. Either way, it is something that is going to become more prominent over the coming years.

Gone are the days when a business gives you a laptop and mobile phone when you start. In today’s business world the reality is that your staff would rather bring their own device than be controlled by your requirements. So not only do you have to protect your information and critical data, but you also need to understand how to manage the BYOD revolution.

Here are a couple of ideas that could help.

Make sure that all devices have a Personal Identification Number (PIN) or password. This is the first and only level of protection for a stolen or misplaced device. All BYODs need to have a PIN. The attitude of “no PIN, no device” is a good stand to take.

If data is to be downloaded to the device then all that information needs to be encrypted, so that anything at rest on the device cannot be casually read or used.

Applications that bypass security and get to the heart of your business should be treated with paranoia. File-sharing services like Dropbox need to have their risks weighed against their benefits.

Have a BYOD policy; this protects your business, but it also explains what your business expects of the device. If staff fail to sign that policy then they have no expectation of being supported by the business. This policy will also include what rights your business has to the unit, including auditing, management and remote wiping of the unit.

Define the devices you will support, with minimum operating system requirements; the versions of Android or iOS have to be stipulated.

Finally, make sure that the devices do not have apps installed that can or will compromise your business security.

Although BYOD is the up-and-coming technology, your business needs to be wise enough to manage it correctly. It is a disruptive technology, but it can be used for good. It is also here for a while, so you have to get used to it, but you can do it on your own terms.

Communication is the key to Cyber Security

Communication inside a business is not a 140-character tweet or a comment on Facebook. Communication is what you do within your business to make it work better.

One thing I have noticed in my role educating the public in business security and the framework needed to be secure is the fact that ICT and business do not talk. Not at the level that is needed to create a secure business.

Sounds like a broad statement, but in most cases it is very true. The more I look after my clients, as well as doing contract work with larger departments and organisations, the more this reality is noticeable. There is a fine line between over-commitment, generating a constant barrage of information, and no information at all. Most businesses are at the no-information-at-all stage.

I have some thoughts on what an IT manager, CIO, CEO or managed services provider can do.

For a small or medium business or a not-for-profit organisation, employing an external provider to manage their system is becoming the norm. These suppliers can do so much for their clients as part of their business model.

I believe that communication is the best way to build the culture within a business, and it always has to come from the top, whether that is management or the owner.

Most businesses and organisations do not have regular meetings or a regular email or letter update within the business. This is an opportunity lost. Whether it is keeping the staff informed, talking to shareholders and stakeholders through external means, or talking to prospects in general on the website, there is so much that a business can talk about.

I know one of the major problems is that people do not know how, or do not want, to write things down. It is very hard to put information into some form of written process. I have this problem with getting people to produce content for web sites, so I can understand how difficult it can be.

Once started it is relatively easy to keep going; like most things, you just have to have the will to START. An internal email to your staff every Friday, praising an employee, setting internal goals, discussing problems and informing them of progress, is a very good place to start. The next question is where you incorporate the security information.

As a start, look at your internal security policy, start a discussion on social media, and teach people how to create complicated passwords. Explaining how and why something is working is also of great benefit to your organisation. You can even make it competitive: award prizes, and look at increasing the knowledge within the business.

The good thing about security information is that it can be recycled. Not too regularly, but within reason; once every 10 or 15 communications, interspersed with new information, is good.

You can also beg, borrow and steal from the Internet: improve on others’ information and make it better to suit your industry or business. All relatively easy to do, but it will have a marked effect on your business.

So there you have it: communication, a way to keep your universe in touch. In some cases you may even find it easy to do. The interaction between communication and internal security cannot be over-emphasised. The important fact is that you are educating your staff, which will make them more secure and will carry through to your business, making it more secure as well.

Build an ICT support package for your business

Business technical support, whether it is in-house or outsourced, is a management headache. Today’s business and tomorrow’s future business is all based on digital information. That is not the problem; the problem lies in all of the systems that your business requires to do business.

From producing documents and spreadsheets, to contact information for clients, to sales information, all the way through to management and protection, you have systems that have to be managed by someone. That management, and how you pay for it, is going to be critical to your future and the future of the business.

I could throw a large number of buzzwords around here (cloud, virtualisation, BYOD and the like), but these are just the technology. They are the media for you to do business.

The most important components of your ICT are resilience (the ability to react to change), culture (the get-up-and-go of your business) and finally management (how you get things done and why you do it that way). The only way to protect this intellectual property is with a management and ICT system that is transparent to your business.

To make management decisions you need to see what is happening with the technology; your business has to be transparent to you. You can do this in-house with your own ICT support team and the inherent costs that come with it, or you can outsource it. By outsourcing your ICT, two things happen: you get better-trained IT technicians, and you get a flat monthly management fee with no hidden or unforeseen costs.

You also reduce your ancillary costs within the business. No more super, no more extra desks, seating and offices, no more replacing staff after you have trained them up because they have had better offers. What you do get is trained ICT people, access to the knowledge that your business needs to compete in your business environment, and NO ADDITIONAL COSTS.

If you want some information, talk to an ICT outsourcing company, a Managed Services Provider, and get the correct information concerning your business. Their MSP plans should deliver Trouble Free Technology to your business.