IT support firm predicts 2012’s SME security threats
Knowing the top ten security threats for 2012 will help inform business and IT managers and owners. By Dominic Jones.
Surrey based IT support provider Barton Technology has announced its predictions for the top ten SME security threats for 2012. The list has been compiled to help IT managers, and others charged with IT security, defend their organisation against a future onslaught of cyber security menaces.
Companies across the UK, irrespective of their industry sector or size, are increasingly targeted by cyber attacks from criminals and even their own employees. The number of attacks is now so large and their sophistication so great, that many organisations are having trouble determining which new threats and vulnerabilities pose the greatest risk. Furthermore, planning how resources should be allocated, to ensure that the most probable and damaging attacks are dealt with appropriately, is a complex process.
For this reason, IT support provider Barton Technology has compiled these predictions for 2012.
1. Physical security: The least obvious threat comes from the physical location of an organisation’s server. Although not often considered as part of an IT security policy, the server should always be located in a place with controlled access and egress. Making sure the server containing vital information is not easy to reach should be amongst the top priorities for any SME IT manager.
2. Viruses: The most common security threat comes from viruses and malware. Often these are delivered via spam e-mails containing pictures, videos and executable files but they can also be delivered via web sites, USB sticks, mobile phones and other portable memory devices. Just one click can be enough to infect an entire department or company. However, they are relatively easy to protect against, by ensuring that the company firewall and antivirus software is up to date.
3. Phishing attacks: The complexity and increasing frequency of phishing attacks mean that businesses, as well as individuals, are now at risk. There is no such thing as anti-phishing software, so the only way for SMEs to reduce the risk is to train their staff in how to deal with these e-mails. For instance, users can be taught to be more vigilant and aware of the warning signs associated with this kind of message. Banning porn, gambling and illegal downloads can also help reduce the risks associated with phishing.
Unfortunately, this threat has an older and more mischievous brother: spearphishing, which is highly targeted and uses information gathered from publicly available Web and social media profiles to personalise the attack. SME staff have even been known to hand out the company’s bank account details as the result of particularly focussed phishing attacks.
Again, training is the only solution.
4. Lost or stolen portable devices: Recent news stories about Government officials losing memory sticks and laptops holding the personal details of members of the public have provoked substantial criticism. For an SME, a lost or stolen external hard disk containing sensitive company information can easily cost five or six figure sums. The best way to ensure data security on external memory devices is encryption and password protection.
5. Spyware: Spyware does not spread directly in the way that a computer virus or worm does; an infected system will not attempt to transmit the infection to other computers. Its objective is normally to obtain micro-information, such as surfing habits or Web history, but other functions such as changing the PC’s homepage are not uncommon. Antispyware software includes programs designed to remove or block the unwelcome software but the best cure is preventative; not downloading unauthorized software and avoiding disreputable Web sites.
6. Internal hacking: Although external hackers consistently grab the headlines, surveys show that the biggest threat to a company’s data security is its own employees. While there may be workers with a clear malicious intent, there are also cases in which employees unknowingly contribute to security lapses. In this situation, the best way to alleviate the risk of company computers being hacked is proper training.
Furthermore, to minimise internal malicious hacking, companies can reduce the attractiveness of the information and data stored on their servers. For example, making CRM, financial and marketing databases secure is a good step towards reducing internal hacking.
7. Lack of appropriate company policies: Unfortunately, many SMEs who fall victim to hacking, phishing and spyware have brought their problems on themselves. Failing to create IT, internet, e-mail and social media procedures and proper employee handbooks is often the deep root cause of security problems. The remedial action to counter this problem is obvious, but when writing the documents it may well be worth taking the advice of your IT consultant to ensure that the measures you suggest are appropriate.
8. Cyber crime: Recognised as one of the fastest growing IT security threats of 2011, the profile of cyber theft will only increase in 2012. Inappropriate use of company data, internal hacking, inappropriate use of social media, e-mail or Web publishing and planting illegal documents in a company’s IT system all fall into this category.
Although it’s very tricky to deal with, cyber crime can be avoided by making sure security procedures are in place and employees follow them accordingly. Furthermore, a strong organisational culture, based on honesty and rewarding professionalism could also help.
9. Lack of deep understanding: One of the key problems in SME security is actually a lack of understanding of the minutiae of the industry and technology. The root cause of this problem is often that the person responsible for IT is rarely a specialist IT professional. It’s normally just someone with a high level of working knowledge; sometimes a financial director as the result of their expertise with SAGE and similar database-driven software.
For example, a non IT professional will often choose a software based firewall instead of a hardware based system. This means that the firewall is dependent on software updates and, if it’s the integral Windows firewall, dependent on the integrity of the Windows operating system. A hardware based system is completely independent of these factors and thus more reliable. There are examples like this littered across the IT security industry and there is no reason to expect someone without a specialist background to know about them.
10. Website and networking hacks: More and more businesses are using social media in their marketing campaigns. However, this leaves them open to attacks. Hackers can take over a company’s Twitter or Facebook account, and then use it to discredit the company or spam its followers. Similarly, websites can be hijacked, and unwanted content can be uploaded, which can seriously damage an organisation’s image. In order to protect themselves from such reputation spoilers, SME managers need to implement robust password protection policies.
I believe that prevention is far better than cure when it comes to IT security. This is why our tips are aimed at educating SME managers and making them aware of the IT dangers their organization may be vulnerable to in advance. It is important to be prepared for things like cyber attacks, phishing and data loss. The damage they can do could amount to millions, as we’ve seen in some very public cases in 2011.
About the author
Dominic Jones is managing director of Barton Technology. Established in April 2000, Barton Technology is a privately owned company, specialised in providing IT support and business telephone services to customers in the construction, not for profit, retail, finance, legal and insurance SME sectors and who are located in London, Surrey and Kent.
Barton Technology has been nominated as Security Reseller of the Year at the 2011 Computing Security Awards. To celebrate, the team is offering to conduct a free initial consultancy visit and security audit, followed by security recommendations. Those who are interested in taking advantage of this service can contact Barton Technology directly on 0845 180 0000.