I periodically battle with SME clients who argue that no one really would want to “hack” their organisation – they are simply too small or too insignificant to warrant the effort. I suspect I am not alone and that many other advisers on IT have the same trouble persuading their clients of the very real risks they face.
The argument that is often recited is that when the partner or director was employed elsewhere, their previous firm was much slacker with their IT security and had no problems whatsoever. The issue, of course, is that the goal in hacking has changed from destruction to utilisation. The aim is to take unseen control of the computing resources of an organisation and to use those resources for crime. It simply doesn’t surprise me that there never are any signs of compromise!
The BBC recently reported that security firm Finjan had tracked down a botnet with over two million machines under its control to a group of criminals working in the Ukraine. This particular botnet had even ensnared computing resources inside both the UK and US governments, which in itself raises concerns.
I suspect that firms that take few steps to lock down their workstations will have background malware undertaking all sorts of malicious activities. These infections will probably have managed to enter their sites via the web or email, which is increasingly carrying malicious content.
The so-called drive-by attacks using infected third party web sites is particularly worrying. Few organisations seem to scan inbound data over the web for vulnerabilities, partly because of the impact on browsing speeds that this would have. Those organisations that then don’t lock down their desktops so users cannot install software run very real risks of users innocently and unknowingly installing something they really don’t want. Once such software is on the inside of the firewall, most SME organisations simply have little or no defence, especially if the software is not strictly considered a “virus” and ignored by their anti-virus product.
A technical colleague in another firm drew my attention recently to Sophos’ Security Threat Report 2009, which provides examples of firms that have suffered attacks on their web sites. Some of these web sites would have posed risks to casual browsers of those sites as well as to those who had previously provided them with confidential information.
The list included such well-known names as ITV, a site selling Euro 2008 football championship tickets, the anti-virus firm Trend Micro, Cambridge University Press, Sony’s US Playstation site, the Association of Tennis Professionals’ web site as Wimbledon opened in the UK in June 2008 and the Business Week web site.
Unfortunately, I doubt few SME business leaders that have small (if any) indigenous IT staff will actually ever get to read it.
However, the difficulty simply persists that many SME organisations believe that no symptoms means no underlying problems. I can see their dilemma – a bunch of (often external) IT professionals becoming excited about dangerous threats and advocating the spending of money in a recession is far from appealing, especially when the risks from a naïve perspective seems minimal.
I was recently a guest at The Institution of Analysts and Programmers Spring Seminar in the London Docklands at which Microsoft’s Chief Security Advisor in the United Kingdom, Ed Gibson, spoke. He is an engaging speaker, an attorney in the United States and a practising solicitor in England and Wales, as well as a former FBI agent. He has for sometime been trying to raise awareness of these issues in the United Kingdom.
While listening to him and while mulling over his thoughts at the (excellent) lunch that followed, I believe that we really do need some form of reliable reporting mechanism for attacks of the sort documented by Sophos and these need to become highly publicised, even if in an anonymous form.
SME business leaders need to have independently verified facts about the IT security risks they face that are both readily available and easily digested; and in a form that brings the message home.