Vocatys - Mobile Strategy Leaders

BYOD Policy Development Checklist

26/6/2014

For those of you who missed this in our last BYOD post, feel free to download and share this. 

The ever-increasing use of mobile devices at workplaces, especially in small and medium-sized businesses, can be greatly beneficial, but it also poses potential risks. A policy that clearly enumerates scope and accountability would significantly reduce threats and provide a range of long-term benefits.

This checklist, while not all-encompassing, is meant to be a starting point.
BYOD Policy Chec
File Size: 245 kb
File Type: pdf

10 Non-Technical Ways to Make Your Company Hack-Resistant

24/6/2014

Non-Technical Protection (image source: Wikipedia.org)
No matter what they say, no matter how well encrypted your network is, no matter how many firewalls and how much anti-virus software you have, there is no such thing as a truly secure network.

On a regular basis we hear of a number of organisations being ‘hacked’. Think of NASA, the Pentagon, Target, Adobe, Facebook, Forbes.com, the US Navy, and the list goes on. They are all large and high-profile organisations with seemingly unlimited resources at their disposal to protect themselves against these attacks. Yet they find themselves among the many that suffer ongoing security breaches.

Interestingly, at least 4 of the organisations mentioned have verified that the cause of the breach was a form of ‘Social Engineering’ technique. According to Wikipedia, in the context of information security, social engineering refers to psychological manipulation of people into performing actions or divulging confidential information. So metaphorically speaking, one does not need to disarm the alarm or break through doors or windows to get into your home if one can simply talk you into opening the door for them. The techniques employed are limited only by one’s own imagination.

The good news though is that you don’t need to spend big bucks to avoid such attacks. The following tips may not eliminate the threat but they will greatly minimise your company’s susceptibility to it.

You and your team are the weakest link
It all starts with awareness. Social engineers are relentless and often quite talented at their art. Knowing that you and your team are the biggest threats to your IT, unintentionally of course, is the first step. We humans are surprisingly easy to manipulate.

Rewrite your IT policy
If your current IT policy is more than 6 months old, it is time to re-write. Do not amend, just re-write. Technology and its usage are changing rapidly. An updated, all-encompassing policy is there not just to scare employees into compliance but to educate them.

Control all mobile phones that access the business network
If you and/or your team use personal mobile phones for anything related to the business, viz. phone calls, SMS, emails, apps and documents, you need to control them. Mobile phones connecting to multiple Wi-Fi access points, especially free public ones, are the most vulnerable. There are free Mobile Device Management (MDM) tools that are easy to manage, are low-cost cloud-based solutions and can be easily deployed to manage these mobile devices.

Ban all external storage devices
The fastest way to break into a network would be to have a USB drive that is seemingly empty but loaded with a rootkit that unleashes itself the moment the drive is plugged in. Files can instead be transferred over your network’s storage, or you can simply use services such as Dropbox, iCloud, Google Drive, OneDrive etc.

Emails are for correspondence not collaboration
This cannot be emphasised enough. Forbes.com was hacked and defaced by the Syrian Electronic Army using a simple email phishing attack. Cultivate a culture and policy where basic text emails are used only to correspond; to collaborate, you can use any one of these free collaboration tools. Most importantly, think carefully before opening email attachments or clicking on links in an email.

Reconfigure Router and Wi-Fi
Your router is the gateway to your network, and if there is a Wi-Fi access point attached, it becomes very visible and hence very vulnerable. With the help of your IT support provider, reconfigure your router to best practice standards.

Passwords and 2-Step Verifications
Google, Apple, Microsoft, Twitter, Facebook and a host of other service providers offer 2-Step Verification/Authentication. Once it is set up, you will need to enter your password and the 4-8 digit code sent to your mobile via SMS to access your account. This may sound painful but it would be nothing compared to the pain highlighted in Mat Honan’s case. So wherever possible, set up this 2-step verification and change all passwords at least once every 1-2 months.

Trust NOBODY
Even seemingly unimportant information, such as whether your IT is hosted in-house or is cloud-based, is valuable to anyone interested. Sharing Wi-Fi passwords and other such security information can obviously be detrimental, so create a culture of zero trust when it comes to IT. Include a broad IT policy compliance clause in every contract and agreement with external suppliers.

Designate specific IT people
This one applies to businesses using external IT support providers. Designate no more than 2 staff, one primary and the other secondary, to act as liaisons to your service provider. No one else is to have any conversation or perform any actions pertaining to IT. This reduces potential information leaks and improves the effectiveness of the service.

Cultivate a culture
Coming full circle, we return to you and your team. We are, after all, humans, creatures of habit. If habits are not cultivated to be good, they will form anyway, and in most cases they will be bad. So proactively help create good habits and culture. Regular formal and informal meetings and training sessions will yield a long-term, sustainable, IT-aware culture.

So there you have it. The best things in life are indeed free. You do not need to be an IT guru nor would you need an addition to your IT budget to implement these basic yet effective tips to secure your IT. These will not eliminate the threats but will significantly reduce your chances of being ‘hacked’.

References
  • http://www.crn.com/slide-shows/security/240165003/top-10-security-breaches-of-2013.htm
  • http://en.wikipedia.org/wiki/Social_engineering_(security)
  • http://online.wsj.com/news/articles/SB10001424052702304526204579101602356751772
  • http://arstechnica.com/information-technology/2014/02/iranians-hacked-navy-network-for-4-months-not-a-surprise/
  • http://www.forbes.com/sites/chrisversace/2014/01/22/2014s-hacking-pain-is-cyber-securitys-gain-for-symc-feye-pawn-keyw-csco-cuda-ftnt-impv/
  • http://abcnews.go.com/Technology/story?id=119423
  • http://www.forbes.com/sites/andygreenberg/2014/02/20/how-the-syrian-electronic-army-hacked-us-a-detailed-timeline/
  • http://www.theinquirer.net/inquirer/feature/2320371/2013-was-a-very-hacked-year
  • http://aneuron.com/stay-secure-friend-hackers-targeting-smbs/
  • http://blog.quatrashield.com/2013/12/17/357/
  • http://www.infosecurity-magazine.com/view/25357/pwc-and-infosecurity-europe-release-the-latest-information-security-breaches-survey/
  • http://en.wikipedia.org/wiki/Phishing
  • http://www.emc.com/collateral/fraud-report/rsa-online-fraud-report-012014.pdf
  • http://www.scmagazine.com/february-2014-threat-stats/slideshow/1809/#1
  • http://www.cio.com/article/598122/15_Free_Enterprise_Collaboration_Tools
  • http://www.androidcentral.com/no-excuses-its-time-turn-two-step-authentication
  • http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
  • http://www.computerworld.com/s/article/9181939/Infected_USB_drive_blamed_for_08_military_cyber_breach


These 5 Steps Will Turn Your Small Business into a Data-Driven Powerhouse

19/6/2014

Small Business Data Analytics, Not Big Data
...we dare you! We double dare you! (Source: memegenerator.net)
Forget Big Data, or the 2.5 billion gigabytes of data being created by us each day according to IBM research back in 2012.

Let’s just focus on the data your business generates every day. Each one of your departments, your employees, your suppliers and your customers create large amounts of data every day. It may be in the form of emails, phone calls, social media and company website interactions.

Now what if every business decision you made was not just driven by your innate intuition and vast experience but was also armed with an accurately analysed version of all your data? They call it Data Driven Decision Making (DDDM). Simply put, it is what it says. Imagine KNOWING what your customers, clients or employees truly need and being able to fulfil that need exactly when they need it. It’s one of many advantages DDDM brings to a business. To learn more, have a look at some of the research articles listed below.

The good news here is that you are closer to being data driven than you think. These 5 steps will put your business on the path to becoming a data-driven powerhouse.

1. Collect
To start with, carefully and comprehensively collect data from every source available. At this stage the scope needs to be as wide as possible. Think of everything from employee banter, customer service, sales, marketing (websites, social media) and operations to the global economy. At this stage it’s all about quantity. It can be recorded in Excel sheets or Word documents. Keep it simple.

2. Assess
You’ll be surprised how much information there is when you really start to look for it. So instead of trying to tackle everything all at once, start by identifying small chunks of information directly relevant to your business, employees, customers and suppliers.

3. Organise
Once identified, move this data into a Business Intelligence or Data Analytics service. There are a host of apps and cloud-based services that are free or have free trials that allow you to try before you buy. Most of them are priced per user per month with no contracts. See the reference section below for some options.

4. Analyse
Analytics services and tools provide visual and numerical representations of data being analysed. They convert raw data into usable information and provide comparative analysis in various combinations.

5. Act
This is where you deliberately put into action strategies driven by the precise information at hand.

Repeat
This one’s a bonus step and also the most important. New data is created every second. To truly realise the full potential of DDDM, the fundamental steps above need to be an ongoing process.

In this digital age, information is gold. The truly rich are not the ones that have the most but the ones that do the most with what they have. So stop worrying about fancy terms like Big Data and use what you have to transform your small business into a Data-Driven Powerhouse!


References
Data Driven Decision Making (DDDM)
  • http://www.a51.nl/storage/pdf/SSRN_id1819486.pdf
  • http://www.clrn.org/elar/dddm.cfm
  • http://www.marketingcharts.com/wp/online/top-benefits-of-data-driven-decision-making-35749/
  • http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1819486

Small Business Data Analytics Solutions
  • http://www.predictiveanalyticstoday.com/top-10-data-analysis-software/
  • http://www.entrepreneur.com/article/224888
  • http://www.getapp.com/software-customer/Small%20Business/data-analytics-software
  • http://www.computerweekly.com/feature/The-best-software-for-small-businesses-SMEs-Essential-Guide

A Game of Social Thrones

16/6/2014

While entertaining to us Game of Thrones fans, this video highlights very well the Cold War that has been brewing between the big social networks of this planet. Ryan Holmes, CEO of Hootsuite, has detailed this pretty well on his blog.

With Season 4 of our favourite show coming to an end, a GoT related post was inevitable.

There's No Greater Danger Than Playing It Safe

10/6/2014

It is that time again as football (soccer) fever grips this planet. Nike has 'Just do(ne) it'. This one is inspiring on many levels and yet very entertaining. Enjoy!

GameOver Zeus (GOZ) Malware: What You Need to Know and Do

5/6/2014

GOZ Infections Worldwide (image source: FBI)
So there is a new piece of malware in town called GameOver Zeus or GOZ. On 2 June 2014, the FBI announced it had teamed up with its counterparts from around the globe, including the Australian Federal Police, to bring down a botnet that is believed to be responsible for stealing over $100 million from businesses and consumers.

What is it?
GameOver Zeus is essentially malware. It is reported to be one of the most sophisticated of its kind. Specifically designed to steal banking details, it not only takes over the computer but turns the computer into a zombie that becomes part of a much larger network of other infected computers. Together these form a botnet, spread across the world, that is used to harvest banking and other critical information.

During the operation they also uncovered a network of computers and servers infected with CryptoLocker, a ransomware that encrypts and locks you out of important files on your PC and demands a fee in return for unlocking them.

Both of these allow their creators full access to your server or computer, often with minimal detection.

Modus Operandi
The main distribution vehicles for these have been, like most, emails and phishing.

Carefully worded emails with attachments are sent to all the contacts on the infected PC unbeknownst to the owner. Friends, family and colleagues are easily caught off guard.

What do you need to do?
As of writing this, the botnet has been taken down. Having said that, GameOver Zeus is no ordinary malware. It does not have one specific control centre. It has a peer-to-peer command structure, which makes it very tricky to pin down. The authorities have issued a fortnight’s warning to businesses and users to protect their servers and PCs. Apple Macs are not affected by these two pieces of malware. But here are a few urgent things all, and I mean ALL, users of any devices connected to the internet must do as best practice:

  • Always keep your computers and devices updated with the latest available updates.
  • Especially for old Windows PCs, make sure you have antivirus software that is always up to date.
  • Use strong passwords and change them at least every 2 to 3 months.
  • Avoid visiting unknown random sites.
  • And last, but most important: remain hyper-vigilant with emails, even from people you know. If they seem even slightly out of the ordinary, do not open them. All attachments must be treated with some level of suspicion.

Remember, every glitch is a bug. Not all are dangerous, but you never know which one is. So in the big bad world we call the Internet, be very aware!

References
  • http://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnet-disrupted/gameover-zeus-botnet-disrupted
  • http://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnet-disrupted/documents/gameover-zeus-and-cryptolocker-poster-pdf
  • https://www.us-cert.gov/ncas/alerts/TA14-150A
  • http://www.us-cert.gov/ncas/alerts/TA13-309A
  • http://www.news.com.au/technology/online/gameover-zeus-virus-link-to-australia-as-fbi-moves-to-shut-down-the-global-banksiphoning-operation/story-fnjwnfzw-1226941496956

    Author

    The Vocatys Team writing on Breaking News on Emerging Technology, How-To's, Why-To's, Company News and some seriously mundane ramblings!
© 2016 Vocatys Pty Ltd  |  44 Market St Sydney Australia