
When bad things happen to good companies

Author: Mike Hughes

Unless you've actually suffered a security breach yourself, it's difficult to imagine what the implications can be. Mike Hughes reviews some actual examples of incidents that have happened locally in Ireland over the last two years and offers some practical advice on the measures you can take to protect your company.

It seems as if computer security is never out of the news these days: a new virus has been released on the Internet; a new 'phishing' scam has been discovered; a criminal gang has launched a 'denial of service' attack against an eCommerce firm.

The incidents appear suddenly and vanish just as quickly. However, unless you've actually suffered a security breach yourself, it's difficult to imagine what the implications can be.

I recently had a discussion with a local security consultant to try to find out what the actual impact is on a company that suffers a security incident.

The following are some actual examples of incidents that have happened locally in Ireland over the last two years. Needless to say, the identities of the individuals and organisations involved have been kept confidential.

VIRUS INFECTION

As mobile working becomes more popular, a lot of organisations are issuing their staff with laptops so that they can work from home or at a customer's or business partner's site. Often the laptop is simply connected back onto the network when the employee returns to the office. While mobile working makes employees more productive, it can be a risky practice if you have not put the correct security measures in place.

One large Irish educational institution found this out to its cost when one of its students' laptops was connected to the network after being infected with the Blaster virus.

Unfortunately, the college had not updated its operating systems or implemented strong anti-virus defences. The infection spread quickly. The college's entire network was disabled for over three days while the virus was cleansed from its systems and its operating systems were brought up to date. During this period of downtime, over one thousand students and college staff were unable to access their data or applications.

'PHISHING' SCAMS

A recent Gartner report on 'phishing' put the average cost of the fraud to an individual victim at over €900. It is hard to know how many Irish people have become victims of the fraud, but both major Irish banks had to issue warnings to their customers this year (as recently as late July 2005). Given this, one would assume that the term 'phishing' would now be well known among online users. However, a recent survey by Amarach Consulting on behalf of the makeITsecure coalition found that only 10% of Internet users in Ireland recognised the term.

The scam itself is straightforward:

- a virus-infected machine will generate a fictitious pop-up screen when the user accesses their online banking portal;
- the pop-up will be designed to mimic the look and feel of the financial institution's portal and will request the user's credit card number, PIN number or other personal details;
- these details will then be sent to the scammer’s site, where they will be collected along with thousands of other users' details to be used as the scammer sees fit.

DENIAL OF SERVICE

A local company that relied on eCommerce as its main transaction method with its customers was recently targeted by a criminal gang from Eastern Europe. The gang had previously infected thousands of PCs with a virus that allowed them to control the PCs (without their owners' knowledge) and to bombard the company's site with so much data traffic that the company's legitimate customers had no chance of accessing its services. Two days after the denial of service attack was launched, the gang contacted the company and demanded a large sum of money to stop the attack.

Wisely, the company decided to hire its own experts to stop the attack. Unfortunately, this was incredibly difficult to do and involved the security experts putting sophisticated and expensive filtering technology in place at the company's telecom provider. Overall the attack lasted for eight days, costing the company an estimated €50k per day in lost business.

Denial of service attacks on individual companies are rare. It is much more common for unpatched and unprotected systems to be enlisted as 'zombie' PCs, so that you unwittingly become an accomplice to someone else's attack.

DATA BACKUP

It's not just the security threat itself that can be the problem. Having the correct processes in place is also critical. Last year, a large Irish company managed to lose over 2 weeks of data when its network crashed and data became corrupted. The company did have a policy of regularly backing up its data but had failed to implement any testing of the backups. When the catastrophic failure happened and the data backup was required, they found that they could not restore the data properly to the system. The loss of the data potentially cost the company hundreds of thousands of euro.

STOLEN HARDWARE

Hundreds of laptops are lost or stolen in Ireland every year, yet a recent survey by Imation in February discovered that less than half of all companies that rely on their employees' use of laptops have a formal data protection procedure.

The risk is not only that important data may be irretrievable if the laptop is lost or stolen, but also that potentially confidential data may end up in criminal hands.

The stolen laptop may be worth 30% of what you paid for it but the data it contains could be invaluable.

In a well-publicised case in the US this year, two laptops from a HR service provider were found to contain the personal details, including the social security numbers, of thousands of US citizens. The solution is of course to encrypt your data on the laptop or at least use strong passwords to reduce the threat of casual data theft.

WARDRIVING

On March 5th 2005, Redbrick, a DCU student society, organised a competition event called Wavehunt. The aim of the competition was to use laptops to locate a moving wireless access point as it was carried through Dublin city centre.

While the competition tested the IT skills of the competitors, it also highlighted the practice of wardriving.

Wardriving is the term used to describe how anyone with a wireless-enabled laptop can find an unprotected wireless router and use the bandwidth to connect to the Internet, without the owner even suspecting that it's happening!

Even a wireless router that's designed for home can transmit over a radius greater than 45m. A wardriver could simply park outside your front door and access your wireless network.

While stealing bandwidth is relatively painless to the owner of the network, the wardriver can potentially now access and steal data as well. Many wireless networks are completely unsecured. Indeed, many manufacturers of wireless devices leave encryption turned off by default.

Users often don't enable wireless encryption or use any other added security measures, making it a pretty easy task for anyone with a wireless setup to find and exploit the connection.

PROTECTING YOUR BUSINESS

While the threats are worrying, protecting your business from the vast majority of attacks is quite straightforward and does not require substantial technical resources or cash. Microsoft recommends this seven-step checklist.

- Protect Your Desktops and Laptops: If you are serious about security, there are three things you must do: 1) keep your software up to date; 2) protect against viruses; and 3) set up a firewall.

- Keep Your Data Safe: Implementing a regular backup procedure is a simple way to safeguard critical business data. Setting permissions and using encryption will also help.

- Use the Internet Safely: Unscrupulous Web sites, as well as pop-ups and animations, can be dangerous. Set rules about Internet usage to protect your business - and your employees.

- Protect Your Network: Remote access to your network may be a business necessity, but it is also a security risk you need to closely monitor. Use strong passwords and be especially cautious about wireless networks.

- Protect Your Servers: Your servers are your network's command centre. If they become compromised, your entire network is at risk. To protect your business, protect your servers. Servers should be locked away in a special server room with restricted access granted only to certain employees. In addition, servers should be configured with least privilege settings that allow users to access only those programmes that they actually require.

- Secure Your Line of Business Applications: Make sure that software critical to your business operations is fully secure around the clock. Internal and external vulnerabilities can lead to lost productivity - or worse.

  Apart from covering the basics outlined in Step 1, it is important to regulate access to confidential data saved in your databases by creating and assigning the correct data access privileges to the correct groups of employees.

  Additionally, special attention needs to be paid to the database servers, including physically and logically isolating these servers from the rest of your network.

- Manage Desktops and Laptops from the Server: Without stringent administrative procedures in place, the security measures you take to safeguard your business may be unintentionally jeopardised by users. Using a server as a core management tool in your security efforts allows you to ensure that the correct versions of operating systems and applications are installed, and that patches and operating system updates are deployed in a timely manner.

SECURITY SPENDING IN CONTEXT

In 2004, a PricewaterhouseCoopers survey estimated that on average companies spent $17,000 on their worst security incident in that year. For companies at the large end of the scale the spend rose to $210,000. The costs were due not only to the fixes that the company had to put in place but, to a greater extent, to the disruption of their business.

The old adage about prevention being better than cure holds true with IT security: the next time your IT guy wants to spend €5000 to secure your infrastructure, perhaps you should think twice before showing him the door.