A good financial software application package or suite may well be ‘robust’ in software terms i.e. it will not crash unexpectedly without warning just as a user is inputting data. But robust and secure have two different meanings in information technology as you will know, so we need to draw a line around the perimeter of our financial applications and assess business security risks from that point outward.

Even the most established financial software brands do not act as security protection layers for your small to medium sized business. It is important to make this distinction and provide appropriate levels of security protection and back up for your financial accounts.

Financial bulls eye

For many perpetrators of malware, a company’s financial assets represent the bull’s eye on the dart board of data breach. Being able to compromise a firm’s financial information can lead to bank account hacking, or the information can be used to analyse customer and partner relationships and billing levels. This is one step away from financial cyber espionage and, globally, this is a growing trend.

Remember, although you may feel that you “only” operate a small to medium sized business, this is low hanging fruit for hackers who might find deeper levels of security protection stopping them from attacking banks and larger enterprises.

Money is money and if it’s a numbers game that has to be played to aggregate data from more than one SMB, then computer systems are very good at automation and they can be programmed to do much of the back breaking work when required.

Parallel thinking

What we want to advocate here is a level of parallel thinking. That is to say: when a business thinks about human resources and employees, it should think about supporting recruitment services; when a business thinks about new business initiatives, it should think about management consultancy services; and when a business thinks about electronic finance and accountancy software, it should think about data security.

With this kind of approach on board, a company can assure its stakeholders that it has mitigated against the risk of financial loss and ensure that it will be trading for the long term. Continuity and business security mean everything in the modern economy, so keeping malware out of your financial systems is as important as keeping spam and viral infections out of your employees’ email accounts.

Customers, partners, industry peers and even competitors will be acutely aware of companies that do not appear to present ‘safely secured’ financial systems and, generally speaking, will quickly turn away in favour of other options.

So to put it succinctly and simply, running any sized business without information security controls, anti virus protection and data privacy policies is foolhardy to say the least. This is a case of both corporate ‘assurance’ and ‘insurance’ alike, even for sole traders and partnerships that want to be taken seriously, so please don’t get caught out.

The UK’s HMRC and the US IRS services are organizations built on tradition, tried and tested processes and both internal and external trust. Public bodies of this nature have been moving conscientiously towards the implementation of web 2.0 driven electronic interaction with the public and the business communities for some years now. But at the same time, their methods and models have not radically changed and that give us an advantage in terms of predictability when it comes to data security.

Public sector predictability

If public sector predictability does exist to some degree, then shouldn’t we be able to use this basic home truth to our advantage when it comes to information security? The truth is that governments don’t change their tax or other revenue payment/billing systems very often and this, in and of itself, should provide us with certain pointers with regard to data safety.

If the tax authorities suddenly send you three emails saying that their payment account details have changed, shouldn’t the “predictability factor” cause you to stop and question the authenticity of this information? The answer is yes it should, of course.

There are some basic operational rules that can help us stay safe with regard to payment services to government. In the UK for example, the HMRC (or to give it its full title, Her Majesty’s Revenue and Customs service) makes it very clear that it will “not charge individuals or companies to provide a service” — so this means that you may have to pay tax or request a tax refund, but you do not have to pay to make the payment or receive it.

The HMRC does in fact provide a help page detailing the types of bogus calls and phishing scams that do sometimes occur here: http://www.hmrc.gov.uk/security/examples.htm — it is worth a read of this information before you set up your initial electronic payment services with your bank if you are starting up a new small to medium sized business and/or operating as a sole trader or partnership at some level.

National news analysis

Simple truth — governmental revenue and tax services are about as likely to change their contact telephone numbers and bank account information, as they are to change their name. So if you haven’t heard about a nationwide re-branding or re-positioning of public services on the national evening news, then there is a very good chance that you may be in receipt of malicious spam/scam type information. It’s not hard to check either, turn on television or check CNN/BBC etc.

Just like your bank, the tax and revenue authorities are not likely to start asking you for your passwords of any sort; nor will they ask you for your bank details as these are generally submitted at the point of registration, so be aware of the need for ongoing vigilance once you do have your public authority systems established.

Perhaps even more obvious is if a potential scammer or spammer appears to willingly engage in email discourse with you. Public bodies are rarely able to operate at this level and generally do not prefer to anyway.

The US IRS (or Internal Revenue Service) lists similar warnings to the UK’s HMRC such as:

• fraudulent use of the IRS name or logo by scamsters
• phony e-mails which claim to come from the IRS and which lure the victims into the scam by telling them that they are due a tax refund
• web site clones where a complete duplicate of the IRS web site “appears” to present users with an authenticated service when in fact the entire framework is fraudulent

Where you prefer to talk about spams, scams or the more Americanized “scamsters”, we are dealing with the same problem here. Businesses need to heed the above information as a foundational information security building block upon which they then themselves build their own secure systems and processes with an appropriate level of anti virus protection software.

Just remember, if it’s tax, it’s money — and if it’s money, it’s a risk situation. So please stay aware and stay protected.

As this is an especially sensitive time period from an IT security perspective, companies will want to research the issues at hand and ensure that they keep their business and financial data safe and secure.

Unfortunately, due to a quick of language, Internet searches relating to “security and finance” will mostly throw up results pointing small to medium sized business (SMB) owners towards commercial services aligned to help them “secure their finances” — and not therefore to information dedicated to “keeping their finances secure”; so the sensitivity of this subject is compounded further.

Where should we turn for SMB finance-related IT advice?

The world of business finance has developed a multiplicity of “advice channels”, almost none of which come without a price. Government services are therefore of particular interest here; almost always impartially presented and generally free of charge, it is worth looking up the public sector advice channels available to your business so that you can become conversant with the tax and revenue offices’ preferred means of a) communication b) payment process and c) even complaints should you need to make them.

Keep moving logically onward from this point and turn to your bank. Look up your bank’s existing online resources detailing transaction security and investigate what other services they might have on offer. UK banks for example often offer a “fraud text alert SMS” service to keep you up to date with emerging scams right to the palm of your hand on your smartphone.

Gone phishing…

Given the prevalence of phishing scams that target both consumers and businesses alike, it should be no surprise to see ‘accounting-related’ phishing swindles raising their head to a more significant degree during the end of year accounts period. Personal ‘home use’ credit-card readers are an important additional separation layer for authentication and safety here – these units are designed for home (or at least out of bank) use to generate unique random numbers for additional log in safety.

NOTE: Credit-card readers are of special importance if for example a business is setting up new tax (or other financial) payments online to a “new” payee.

Obvious signs, the usual suspects

As obvious as some of these notes may seem, the type of phishing swindle that often raises its head close to online banking transactions can at first appear relatively innocuous. Given that we are now inside the “money window”, it won’t do us any harm to mention some of the more self-evident no go areas again. Here are some common fraudulent messages designed to appear as though they might come from your bank or some other financial institution:

• A secure message is waiting for you, click here to read.
• Your account will be closed within 48 hours if you do not respond.
• Please reset your online banking password.
• Click the link below to gain access to your account.
• ‘Dear valued customer’ –

On that last bullet point i.e. “dear valued customer”, please remember that your bank knows your name and so this is almost certainly a generic opening line sent out from some malware and/or cyber-crime related source intent on hacking your business finances.

Of course these common sense and technology-related layers of financial IT safety should sit underneath the umbrella protection offered by a robust anti-virus suite such as AVG Internet Security Business Edition 2012. As important as our core business product is here, some good judgment and best practice is needed too. Please keep your “money window” clean and clear and stay safe online.

The event saw 361 entrepreneurs, investors and business professionals attend the ACCELERATE Forum. With keynote speeches from Julie Meyer, Lloyd Dorfman, Tim Levene, Austin Healey, Tim Leeson, Martyn Dawes, Will King, Kevin Godlington and James Caan; the event was an opportunity for entrepreneurs present and future to share inspiration, insight and opinion.

During the event, attendees were invited to vote via the iPod Touches which they were provided. The questions were designed by the Entrepreneur Country editorial team to include topical issues which are impacting SMEs in the UK.

Below are some of the results:

Importantly, of the 361 people polled, most respondents thought social media to be the most important growth sector for small businesses in the next five years.

This was supported by a vote on innovation where the majority of people polled claimed that digital innovation would be the most significant area for innovation over the next three years.

Focus then turned to the economy and the impact of the downturn on entrepreneurial spirit and the forecast for small businesses. Surprisingly the responses were largely positive with only 31% of people saying they think the state of the economy is making life harder for start-ups.

And lastly, there was a positive note for any young entrepreneurs when over half of the attendees at the ACCELERATE Forum divulged that they were 35 or younger when they started their current company. It can be done!

For more information on the Entrepreneur Country Forums, visit the event website at http://www.entrepreneurcountryforum.com/.

Related articles

• You Do Not Have to Be Under 30 to Be a Startup Success (theworkathomewoman.com)
• What drives US entrepreneurship? (bbc.co.uk)
• Champions of Small Business Forum: “Innovation will lead us out of the recession” (blogs.constantcontact.com)

Unpredictability is the new norm, mobile computing is impacting IT security to a previously unprecedented level, security breaches are really happening in the here and now and, by golly, they can be extremely expensive to fix and put straight

SMB’s are like automobiles

The task of summing up some of the learnings (to use the plural) here is tough in some senses because there are so many sensitive areas to cover; hence, the suggestion that small to medium sized businesses are like cars or automobiles came to the fore.

An SMB is essentially a complex piece of engineering built from a central architectural structure or chassis with many additional components, all of which (through a process of constant use and wear and tear) will need maintenance and replacement and upgrade.

Potholes and pitfalls

Then there is the driver and passengers, the human element i.e. the unpredictable constituents of the mix whose individual choices determine the direction and path to be taken. The road is not always flat and straight, but is far more often twisted and bumpy. As much as a car journey is a process of avoiding potholes and pitfalls, so is the daily operation of an SMB if it is to stay it course.

Taking the analogy a couple of steps further, of you want to protect your car just as you would protect your business. So while you would want to wax and polish your paint job and make sure that you put the best grade of unleaded fuel in your tank, why would you want to pay any less attention to the exterior and interior power and protection mechanisms you use within your small business?

Think of the exterior as the desktops your employees use to interact with company data, as well as your web pages and customer portal where third parties come into contact with your products and services.

Equally, think of the interior environment not as an engine with spark plugs and pistons, but as a company database that needs not only anti-virus and malware protection, but also oil and grease in the shape of additional protection services such as firewalls and anti-rootkit protection layers.

OK so it’s a slightly lighthearted somewhat obvious parallel to draw, but if anything an SMB may well be likened to a second hand car rather than something straight out of the showroom. Compromises may have been made here and there to save costs during start up and you may be running with approved re-mould tyres for the first twelve to eighteen months before you start buying brand new equipment.

The key thing to remember here is not to guide the business down a dead end street with no exit straight into an IT security infection.

So, buy a map, fill up on fuel, check the SatNav directions if you have them, ask others who might have traveled the same route beforehand how they found the journey and – as you’re going to want to keep running for as long as you can – find out what the parking is like so you know where the safest place to put down roots is.

There are a certain predictable truths that govern the way small to medium sized businesses (SMB) approach IT security. These truths are borne out of basic operational factors that should help us define the business parameters inside firms in this space. With these certainties (or commonalities at least) on board, we can start to reduce risk and look towards longer-term growth and profits.

So what are we talking about here?

SMBs are actually pretty consistent in terms of their requirements for security software. They want IT security software that a) delivers the right level of protection b) does not impact negatively upon business performance and c) works effectively in the background.

SMBs typically take a ‘generalist’ rather than a ‘specialist’ approach to IT security and IT generally for that matter. Security responsibilities will often be handed to an employee with other administrative responsibilities too and a complete rather than a heavily bespoke/customisable solution will be preferred..

This means that the SMB will spend a comparatively small number of hours in any given week analysing security risks — and so (as obvious as this may sound) logically the firm will need to choose a “comprehensive” solution that automatically updates and keeps track of current threats.

These facts are largely dictated by the “size” of the company i.e. small to medium sized. These same facts give rise to some basic home truths i.e. the SMB is safer to opt for a trusted brand where levels of protection are more “quantifiable and measurable” all round.

The SMB landscape is now starting to populate with companies who have realised the need to lock down their IT security and (in many cases) lay down a written policy for reasons which may even be related to compliance.

Covering risk factors in all four corners.

As firms embark upon more stringently protected future growth paths, an awareness of the full scope of business risk starts to become clear. SMBs the start to see that IT security risk translates directly to a) financial risk b) reputational risk c) market risk and even d) credit risk.

Suddenly the SMB starts to realise that application and data security should become a formal entry on the procurement side of the firm’s balance sheet. After this, the SMB starts to look at related areas such as disaster recovery planning and perhaps even content filtering for the employee’s usage of the web.

This is the very simple thought process that all small businesses need to sit back and consider. Failure to address these issues is leaving an open door open to the risk of a security breach and its subsequent costs.

It is not a complex model to grasp, ensure you follow business truths when they can be identified as easily as this.

Related articles

• Is this IT Security Breach “Stuff” really Happening? (blogs.avg.com)
• SMB IT Security Size Matters, But It Shouldn’t (blogs.avg.com)
• New Year’s IT Security Resolutions For SMBs (blogs.avg.com)

A large proportion of users don’t stop to think about the web server software that sits on data centres to drive cloud-based applications on their desktop or mobile device and, to a degree, why should they?

Everyone wants an Internet that “just works” and not everyone wants to know how its underlying mechanics operate.

The approach is fine until something goes wrong. When a virus works its way into your business and/or a phishing or social engineering scam preys on an unsuspecting employee, the reality of the web and IT security breaches start to kick in.

So is this IT security breach stuff really happening?

Yes it indeed is. AVG’s recent SMB Market Landscape Report found that one-in-six SMBs have experienced an IT security breach in some form. While this figure is marginally down against 2010, it still represents more than 1 million companies in the USA and UK who have suffered as the result of failing or insufficient IT security.

So as real as the threats are, the challenge for small to medium sized businesses remains the same. It’s a simple mathematical equation = big businesses have more scope than SMBs to spend money on providing dedicated resources focused on IT security across the board – but, SMB’s face the same risks that big businesses face both in terms of the number of potential malware attacks and their severity.

If a breach does occur, a further imbalance comes to light. Both business models must devote an equally proportionate amount of time and money to rectifying the breach. But the cost of replacing damaged hardware and the cost of interrupted business will be felt much more acutely in the SMB, who will logically not have the size and scope to channel or balance resources from other departmental pools or silos.

It’s akin to being hit with a knock out punch full in the face rather than taking a glancing blow to the ribs.

Fortunately, as malware has evolved over the years so have resources dedicated to SMB-level IT security. Tools such as AVG Business Edition have been developed with an innate appreciation for the constraints of the small to medium sized businesses within which it is typically deployed.

AVG also understands that IT security should be based around more than just size. A company is made up many elements, but its people, its technology and its operational structure often have the greatest impact upon what type of security risks it will most commonly expose itself to. We have a core competency in IT security; companies should not be fooled into taking their eye off their own central market proposition and USP (unique selling point). Stay in business and stay safe.

Related articles

• SMB IT Security Size Matters, But It Shouldn’t (blogs.avg.com)
• Revisiting the insider myth (liquidmatrix.org)
• Warning: Traditional Security Breaches are Still at Large (techsecuritytoday.com)

So when it comes to SMB security awareness size really does matter. But, as most us know, it really should not.

The common perception among many fledgling businesses is that paying for IT security is an unnecessary expense. If controls are put in place at any level then they are often administered without any third party support or consultancy — and this is fine, as long as certain caveats, policies and mechanisms are put in place to ensure its effectiveness.

The challenge here is to think big.

Small to medium sized businesses from two person partnerships up to newly formed firms still numbering less than ten employees need to treat their IT security protection as if they were a multinational.

Just as every Dollar, Pound, Yen and Euro of profit is treated with ultimate respect in ANY size of business, the same universally level playing field should also govern the security controls that ANY firm uses to protect itself from malware, phishing, spam and social engineering in all its forms.

The problem is that hackers don’t discriminate when it comes to electronic data and the opportunity to make money from implanting malware onto users’ machines. It’s a numbers game and if a successful malware attack starts at a small business level then it can still “perform well” for the perpetrators by spreading to all a user’s contacts and their contact’s contacts exponentially.

Think about it – in the time it takes for a hacker to get through the defense shields of a major international banking corporation, they could be dropping infected code into a thousand or more small businesses operating without any anti-virus protection technologies.

Malware is a numbers game

Without wanting to deliberately coin a phrase here, there’s an awfully succinct way of summing this subject up – “distributing malware is a numbers game, just ensure that you don’t become one of the numbers.”

You can download the full AVG SMB Threat Landscape Report at the AVG Resource center.

Related articles

• Botnets: The Biggest Threat to Enterprise Security – Quick Take (biztechmagazine.com)
• How safe is your surfing? Few SMBs have social networking security policy (zdnet.com)
• SMBs more security-savvy but don’t see themselves as targets (zdnet.com)

A time of business re-orchestration…

Looking ahead at 2012, what initiatives will you take to ensure that your business achieves more? What new business drives will you undertake and how will you orchestrate and manage your business processes to maximise profits? Specifically, how will you approach your IT security protection in the new ‘social media’-connected web 2.0 landscape to keep your data and application assets safe?

The most important aspect of setting resolutions and goals is the need to keep them realistic and achievable. Start your new year security planning methodically without a feeling of unnecessary panic.

A good starting point for an average SMB might perhaps be to carry out an inventory of current computers and mobile devices. Once you know how much equipment you’re going to need to protect, it’s easier to quantify and start tackling the task ahead of you.

In the post Christmas period or ‘holiday’ season many employees will come to into work with new ‘devices’ they may have received as gifts. From tablet computers to smartphones to pocket video recorders and so on, these units all represent a data security risk if they are connected to your business IT system.

The New Year might be a good time to declare a ‘Device Amnesty’ and ask all employees to list the mobile devices that they intend to use at work.

Any new year is a time of uncertainty; nobody quite knows what the next 12-months have in store. With this in mind, it is the perfect period to lay down a security policy for your firm to adhere to.

Whether this document is a simple one-pager or needs a binder and a front cover to hold it together, it doesn’t matter, just do it – write it, follow it, update and revise it, but above all, enforce it.

Ensure that your firm’s forward-looking business plan embraces and includes IT security protection commensurate with the needs of your online and digital activities.

Put your firm’s data safety sensitivities on the table and analyse where your risks are most likely to exist. Then and only then, deploy protection software appropriate to your company’s position as an electronically connected business.

Lastly, we at AVG would love to wish all our business customers a safe, “secure” and prosperous New Year. Happy 2012 everyone.

Let’s look at the facts. AVG’s own SMB Market Landscape report found that almost three quarters of small to medium sized business do NOT agree that the use of mobile phones in business represents a threat to IT security.

With this blithe (or at least unconcerned) attitude in mind, consider the fact that IT analyst firm Forrester has said that mobile development has been a top five initiative in 2011 for nearly all enterprises. A recent survey by the analyst firm showed that more than 50% of enterprises are most interested in using mobile applications or mobile optimized web sites to reach out to their customers. In other words, mobile is growing.

Cyber criminals aren’t stupid

Now as you probably know, cyber criminals aren’t stupid and they tend to go for the low hanging fruit first. We’ve been here before if you think about it. Malware and viral attacks of all forms first targeted Windows due to the wide installed base of users that existed. Then, over time, other platforms including Linux and Apple Mac OS X started to come under fire as more users adopted these other computing “paradigms”, or environments if you prefer.

Follow the argument through and it’s not hard to work out the next most logical target for purveyors of malware to target. If the fastest route to users’ information assets, intellectual property and identity is targeting mobile devices now powerful enough to store (or channel access to) this data, then that is where malware developers will naturally gravitate towards.

To compound this problem, mobile devices offer users a route to using some of the most “risky” computing services that exist. Social networks have been notoriously hijacked with obfuscated (disguised) links to dangerous external web sites. Users naturally have their defences lowered when talking to “friends” inside these networks. But these very friends may have already had their profiles compromised and used to host the onward dissemination of malicious content.

Multifarious malware

Again looking outward from Windows to explain how broad and multifarious the malware landscape is today, the “almost un-moderated” Android Market has been subject to a Trojan rootkit attack during 2011. This malware used so-called “backdoor” techniques to infect users who had downloaded applications with legitimate sounding names. Some 50,000 users were affected and “factory resets” were advised even after the apps were removed.

So are we placing some sort of blind faith in mobile computing devices today? AVG suggests strongly that the answer to this question is yes. Whether this is because we still think of smartphones as “phones” rather than computers, whether it is because we still consider the traditional desktop PC as the most likely place to see a virus, or whether it is because we simply haven’t stopped to think about it yet – the reality is that mobile threats are here, they are real and they can be extremely damaging.

At this risk of sounding like a road safety traffic accident commercial, please don’t become yet another statistic. Help us wake up our collective business and consumer consciousness to this issue today.

But recessions happen for a reason, so is it all bad news?

Answer #1: NO – there is a school of thought among economists detailing the sharpening of business processes during economic slowdowns. As we shed cumbersome unprofitable business units and/or processes, we become more “nimble” and ready for new more challenging commercial landscapes – or so the theory goes.

Answer #2: YES, it is bad news – the truth is that while companies are cutting back to meet austerity targets, it is fairly common to see crucial infrastructural elements of the business being chipped away at. But these are the very things that the business cannot afford to lose.

Cutback targets often focus on areas such as marketing and advertising, sometimes to the detriment of business in the longer run. Cutbacks often focus on employees and what are deemed to be less productive workers; like marketing this is a very subjective area and one that is hard to quantity.

Where cutbacks have also often focused is on IT security controls i.e. licenses for current versions of anti-malware software. What we are able to say here is that there is an economic certainty at hand if this business component is cut i.e. increased risk of data loss and associated risk to intellectual property.

IT security expenditure should always be viewed as an “investment in business continuity” rather than a cost in the first instance. To suggest that AVG itself should be viewed as some sort of economic barometer may be too strong, but since the turn of the decade our business has not reduced its total employee count or the amount we have been investing in our own research labs. If anything, the figures show these areas developing.

We used the work “psyche” at the start of this blog and there’s a good reason for that. This subject is all about mentality and way an SMB tackles web-based dangers, which may prey on weaknesses in its operational workings.

You could even argue that it comes down to attitude.

The “risk averse” SMB still wants to avoid infection by malware and Internet-driven dangers. The “risk adverse” SMB takes active steps to protect itself as a matter of basic trading best practice.

However you define it, this has been a time of great business uncertainty. What we can say definitively is that if we combine or multiply those uncertainties with a reduction in IT security spend, then we have a certainty of risk and our future profitability is at stake. We hope that this is the kind of business model that every SMB will grasp.

The ubiquity of Internet connectivity and Internet-connected devices means that we are rarely far from the web at any time, especially during our working hours in an office environment. With our favorite browser just one click away, companies are realizing that the cost of lost employee productivity has become a very real factor impacting their business.

Typical activities include social networking, chat and even gaming – but of course November and December also bring a surge in electronic shopping as we approach the holiday season; and none of these activities come without an associated risk in terms of exposure to malicious links, phishing scams and identity theft etc.

ISACA’s total sample of 1,224 respondents found that 775 of workers spend time online shopping using either work-supplied or personal devices. Nearly one-third of consumers say that they plan to do more shopping than last year using their work-issued or their own device (32%), potentially increasing IT security risks for their employers.

Although consumers using work devices are becoming increasingly concerned about the risk of new technology such as location-based tracking (suggesting that there is increased awareness of the consequences of compromising work information) they are still doing it — on average, consumers with a work-supplied device or personal device used for work purposes plan to spend 32 hours shopping online.

According to ISACA, “While the number of hours spent shopping while at work may have decreased year-over-year in 2011, the use of personally owned devices with corporate access, coupled with uncertainty about policy, and the assumption of IT backup, threatens company security and proprietary information.”

But is the tide turning?

Whether they are using work or personal devices, 37% of workers say that they are starting to use PayPal or other secure payment services to protect their purchases, their money and their identity. However encouraging this may be, the facts also state that 28% of consumers using work devices to do holiday shopping assume their IT department is ensuring their work-supplied computer or smartphone’s security.

To compound this reality, the younger the worker/consumer is, the greater the level of assumptive carelessness they tend to exhibit.

Many companies will be keen to promote the work-life balance ethic and allow a limited “reasonable” amount of social networking, holiday shopping and even non-work related socializing while employees are using company machines. The problem is that 16% of workers questioned said that their employer has no formal policy prohibiting or limiting personal activities on work devices. In addition, about one-fifth (20%) do not even know if their firm has a policy on these topics, indicating a need for better communication.

Interestingly, men appear to be more intent on online shopping than women at this time and, again to make matters worse, men exhibit less awareness of online security risks.

In summary, the results of this study are somewhat sobering to say the least. The so-called “consumerization of IT” is the term we use to describe employees bringing their own highly powerful Internet connected devices (such as tablets and smartphones) into the workplace – and this trend is only increasing right now. The risks to company information security are, logically, also increasing.

It is the season to be jolly. But it is also the season to be careful when it comes to business IT security.

Download ISACA’s full report here.

The fact is that the “total” cost of an IT security breach can be far higher than companies might at first imagine.

Often, the first people to notice the effects of a data breach will be a company’s customers; so the impact this has on client confidence can be substantial. As electronic commerce has become the norm for business transactions at every level, customers are rightly wary of dealing with a breached company. When it comes to data breaches, prevention really is the only cure.

Remedial action

The immediate aftermath of an IT security breach sees a company “drop everything” and try to fix the problem that has occurred and also mitigate further risk. The source of the breach will need to be identified and weaknesses will need to be patched, plugged and made sound. The firm may also need to contact a lawyer at this point to agree on its legal position and this is never a cheap thing to do.

The loss of business in terms trading time is felt hard.

Of course finding the problem is only part of the challenge here. Next the compromised company will need to install robust anti-malware protection, encrypt sensitive data, lay down an employee security policy and so on. Basically, the business has to undertake all the things that should have been done in the first place.

Once again, the loss of business in terms trading time here is felt hard.

Even after fixes have been carried out and even if firewall and anti-malware protection has been put in place, credibility in the marketplace may have been lost and customer confidence has to be won once more – and this takes time. Crucially, this process also takes time and money (think advertising, marketing, corporate promotions and entertainment etc.)

You can’t escape the facts; the loss of business in terms trading time and additional expenditure will have a direct impact on the firm’s bottom line.

Just as there is no such thing as a free lunch, undeniable economic certainties govern a company’s approach to IT security software – It will cost more to fix a breach than insure against it happening. This can be done by taking a number of steps, including purchasing licenses for anti-virus software. Given the prevalence of malware today and our global shift to electronic business practices this truism should resonate as long as any home truth you choose.

What factor makes a great property purchase opportunity? Location, location, location. What factor makes a safe small business trading opportunity? Security, security, security.

But there is a problem.

The problem, or the challenge if you prefer, is that most small to medium sized businesses still rank traditional IT vulnerabilities as the area of most concern. By “traditional” IT vulnerabilities, we mean email attachments and dangerous website links. For many SMBs this is often the “complete picture” when it comes to information security. The perception is that if they cover these channels off, then they are safe.

Of course traditional threats have far from disappeared, but a new breed of more intrusive malware techniques are evolving across many layers of the web. As we now access the Internet from more devices, many of them mobile, for more of the time – the risk is multiplied every day.

So what shape are these new dangers?

We’ll cover a handful of new “attack vectors” here including phishing, search engine poisoning, social engineering, industrial espionage, dormant malware and more.

Phishing is not new, but it is on the rise and is changing. Phishing techniques generally involve users receiving emails from spurious non-existent businesses offering them amazing deals in return for sharing personal information. As users have become more aware of phishing, so phishing has become more targeted. Bogus offers have started to select specific user types and offer them specific goods and services relating to their interests. An example would be gamers using a particular console being offered player tokens or rewards if they respond to an email offer.

Search engine poisoning receives less attention than viruses, yet it is on the rise. This is the process by which hackers “poison” search engine results to direct users to malicious website links. This can be achieved by using the sponsored links section in the search engine or can be done more directly via the injection of HTML code. This can be very effective for hackers as they don’t need to actually break into the web servers running the websites being targeted, they simply need to find vulnerable sites and inject code to suit their means.

Social engineering encompasses phishing as one of its major components, but goes further to include confidence scams and trickery of all kinds that have been performed for many years before the arrival of the Internet. Think of this as the scenario where you might trust a worker in a branded jacket or tabard with a clipboard and a name badge; anyone can “brand” themselves as a legitimate employee representing a company to hide their real criminal intent – the same scams exist in our online world in many forms.

Many people imagine viral attacks to happen immediately upon infection. In fact, malware will very often lie dormant until a user performs a certain function with her or her PC or other device. Dormant malware could be coded to execute only when e-commerce transactions are being carried out so that maximum damage can be brought about. Once again, malware is constantly becoming more sophisticated so this is yet another consideration to be aware of.

AVG’s engineering labs work at a higher velocity and a deeper level of code inspection than any team of hackers, however sophisticated an operation they might be a part of. That being said, an awareness for the new dangers being thrown up by this shifting landscape is important if users want to stay safe and keep their data and personal information protected. Unpredictability is the new norm and change is the new constant.

The Information Age Awards, now in their third year, are annual awards aimed at celebrating innovative thinking among the IT industry. They are voted by readers using an online video voting system.  Information Age is one of the UK’s leading IT B2B monthly magazines with 45,000 subscribers.  It also publishes Business XL, growthbusiness.co.uk and smallbusiness.co.uk taking the total subscriber base of Vitessemedia to 120,000.  Since every Vitessemedia subscriber is eligible to vote, SMBs account for more than half the voters involved.

What are some of the categories?

The categories listed below are the categories for the Information Age Awards 2012.

Data Centre Innovations
Green IT Innovations
Information Management Innovations
Security Innovations
Cloud & Virtualisation Innovations
Comms & Networking Innovations
IT Services Innovations
Business Applications Innovations

As you can see, there is a broad spectrum of categories, one that reflects the importance of IT to an ever increasing number of industries.

What has AVG been nominated for?

AVG’s Internet Security Business Edition 2012 has been entered in the Security Innovations category.   Purpose-built to help SMBs deal with an evolving threat landscape, AVG 2012 combines multiple innovative features from smart scanning to multiple touch-point anti-virus protection and Internet security (including e-mail and the Web along with emerging threats like information theft, social engineering and use of social media for business) to deliver big improvements in speed, protection, cost and time savings.

The video, found below highlights the vulnerability and the lack of awareness surrounding the IT security of SMBs in the UK.

How can I find out more about the Information Age Awards?

To view all the nomination categories or the nominees, visit the Information Age video awards site at http://www.information-age.com/video-voting/.

Here you’ll find all sorts of information on previous winners and be able to vote for existing nominees or even nominate your own.

Want to talk to us directly?

If you’d like to get in touch with AVG’s SMB team simply drop us a line on the AVG Business Facebook community.

Well the DSD has recently updated their advice based on their analysis of reported security incidents and vulnerabilities detected by DSD in testing the security of Australian Government networks in 2010. The great news is that plenty of these strategies can be easily adopted by small and medium businesses (SMBs).

80-20 rule reigns supreme

DSD says that 85% of the incidents they responded to in 2010 could have been prevented by following the first four mitigation strategies listed in their Top 35 Mitigation Strategies for 2011:

1. Patch applications e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.
2. Patch operating system vulnerabilities. Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.
3. Minimise the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for email and web browsing.
4. Application whitelisting to help prevent malicious software and other unapproved programs from running e.g. by using Microsoft Software Restriction Policies or AppLocker.

Regular readers of AVG’s security advice might recognise the top 3 items. We constantly mention them. Best of all, they’re not too difficult for small and medium businesses (SMBs) to implement. Though strangely enough, large enterprises, with all of the top resources available to them, often struggle with these basic security measures.

Changes from 2010 to 2011

Interestingly, the DSD’s analysis released back in 2010 suggested that at least 70% of the targeted cyber intrusions that the DSD responded to in 2009 could have been repelled by the same first four strategies. This would seem to confirm that would be cyber intruders were looking for more bang-for-buck in 2010, rather than using more sophisticated attacks.

It’s also interesting to note that the top 2 strategies switched position in the DSD recommendations from 2010 to 2011. This backs up what we’ve been saying about the bad guys moving more of their focus to vulnerabilities in common utilities and application in 2010.
What should an SMB make of all of this?

SMBs need to make it a priority to address the top four mitigation strategies. This can be achieved gradually, starting with computers used by the employees most likely to be targeted by intrusions, and eventually extending them to all users.

Once this is achieved, you can selectively implement additional mitigation strategies based on the risk to your business information and operations. Other items in the Top 35 worthwhile for an SMB to also consider include:

• #5 – Host-based Intrusion Detection/Prevention System to identify anomalous behaviour such as process injection, keystroke logging, driver loading and call hooking.
• #6 – Whitelisted email content filtering allowing only attachment types required for business functionality.
• #9 – Web content filtering of incoming and outgoing traffic, using signatures, reputation ratings and other heuristics, and whitelisting allowed types of web content.
• #12 – Workstation inspection of Microsoft Office files for abnormalities
• #13 – Application based workstation firewall, configured to deny traffic by default, to protect against malicious or otherwise unauthorised incoming network traffic.
• #14 – Application based workstation firewall, configured to deny traffic by default, that whitelists which applications are allowed to generate outgoing network traffic.
• #21 – Antivirus software with up to date signatures, reputation ratings and other heuristic detection capabilities.

And the good news is that installing AVG Internet Security Business Edition to protect your workstations and servers will enable you to easily achieve all of these key items! What are you waiting for?

Please check out the full list of 35 Strategies to Mitigate Targeted Cyber Intrusions.

SMEs face significant challenges in surviving in the current economic climate, with most firms realising that savings need to be made at every level and in every department. One of the key areas in which SMEs can make savings is energy.

Although spending money on gas and electricity for business purposes is unavoidable, small businesses can, to a certain extent at least, control how much they spend.

These are some of the most effective ways to reduce spending on business energy.

1. Switch off the lights…

…and computer monitors, photocopiers, printers, phone chargers, microwaves, kettles, radios, TVs and any other electrical items your office may have.

How many times have you left an empty office in the evening to discover your colleagues have not switched anything off? Set an example and switch items off – try putting labels on plug sockets reminding colleagues to do the same. Simple steps like these cut energy bills and could also save items shorting out from electrical power surges.

2. Generate green electricity

Going green need not be expensive. In fact, SMEs can save substantial sums by switching to eco-friendly power sources. While all of the leading energy suppliers offer deals on energy that has been generated in an environmentally friendly way, for example from wind turbines, small firms can go a step further by producing their own green energy.

Installing solar photovoltaic panels on company buildings can result in substantial savings over the year. This is particularly true during the spring and summer months when solar panels capture sunlight to be converted into electricity or hot water (or both). Electricity generated by solar panels can be used throughout the office, enabling companies to dramatically cut spending on energy bills. It is also possible to make a profit on solar panel installations if surplus power is produced and sold to the National Grid.

3. Insulate, insulate, insulate

Heat loss is as much a drain on the bank balance as it is a scourge to the planet. Office buildings that lose excessive heat through poor insulation consume far more energy than those that have been properly insulated. To ensure that heating bills remain as low as possible, SMEs should consider investing in triple glazing (a significant step up from double glazing in this respect), draught excluders and cavity wall insulation. Lofts and ceiling spaces should also be insulated as a matter of priority.

4. Turn down the thermostat

Most office buildings in the UK are warm, stuffy places which lack adequate air conditioning and are jam-packed with staff and machinery; it is little wonder employees tend to complain about the ambient temperature.

Overly hot office buildings are not just uncomfortable, they are also damaging to the environment. Research suggests that turning down the office thermostat by just one degree can result in an 8% saving on heating bills.

5. Install motion sensor lighting

Energy can be saved by controlling when and how lights are used. Environmentally unfriendly offices maintain a lights-on policy throughout the day. In contrast, sensible firms install motion sensor lighting to ensure that lights only come on when people are present in a room.

6. Use energy efficient hardware

Finally, companies can save money and become more environmentally friendly in the process by replacing old, energy inefficient equipment. This exercise should focus particularly upon computers, printers and central heating boilers. All of these items can be replaced with modern, greener alternatives.

The initial capital cost of replacing old equipment is very little in comparison to the long-term savings that can be made on energy bills.

More ways to save energy and money

Further methods of greening your business can be as simple as working towards a paper-free workplace where practical, reducing waste and recycling as many materials as possible. Even boiling a full kettle rather than the amount of water you actually need drains energy and small electrical heaters are just as bad.

Switching your business energy supplier to greener and more efficient supplier can also save your small business a fair amount of money over time.

Remember to question yourself too – do you REALLY need to print out that extra copy of a document? Could you reuse paper rather than chucking it? Do you recycle batteries?

Remember the three R’s whenever possible – Reduce, Reuse, Recycle.

We’d love to hear your small business energy-saving tips too. Please share them in the comments.

The latest Entrepreneur Country workshop titled Profit With Technology. Hosted in London on Wednesday 26^th October and costhosted by legal firm Nabarro.

The topic:

Profit With Technology focuses on how technology is revolutionising the way our businesses are run and how they generate income. It covers the how the latest services like cloud computing services, virtual working and social media are redefining how we develop products and services, engage with customers, increase our ability to work dynamic and flexibly and help us to control our bottom-line.

Speakers:

Experts from across a number of industries came together to deliver short keynote speeches. Below is a very brief introduction to each speaker and a summary of the topics they covered:

Bradley Starr – CEO, Bizantra

“Networking is key for startups. Looking elsewhere for expertise can help forge strong SMB partnerships.”

Bradley Starr focussed on the importance of communications strategies among SMBs both customer facing and B2B. He emphasised the importance of CRM and presented the Bizantra product to the audience which is complete and integrated suite of business management software specifically dedicated to helping the small and startup business to reach its true potential. This includes shared document libraries to finances, HR to contact management and order management to secure messaging.

Martine Foster MBA – IBM Global Financing Sales Manager, IBM

“The success of any business is still dependant on its ability to meet client needs and improve its competitive position.”

Martine is a leading professional with 15 years experience in the field of IT Finance and specialises in IT financial solutions to Small to Medium size enterprises. Her talk focussed on how smart IT purchase choices by SMBs can help foster growth and how poor decisions can stunt growth. Martine drew on her vast experience to illustrate how IBM’s various payment plans can help support a business depending on its circumstances.

Lucy Herreras-Griffiths – Co-Founder, Kuku Apps

“Do not rush into it!”

Lucy delivered a fascinating talk on the power of smartphone apps and their increasing role in businesses of all types. Lucy was quick to pour cold water on the notion that every business needs an app or that apps should be made just for the sake of it. It’s important to talk about success metrics for apps and Lucy emphasised that in today’s app environment simply reproducing existing content just won’t cut it.

James Garner – Head of Content, AVG Technologies

“Why would hackers target SMBs? SMBs are often an unprotected, low risk gold mine.”

AVG’s own James Garner focussed on the rising trend of working on the move. Working from outside the office has been proven to improve employee productivity but doesn’t come without inherent risks. James guided the audience through simple tips to SMB owners to ensure that both their staff and their hardware are as safe as possible. Due to their small size and perceived unimportance SMBs are often left unprotected from cyber attack. This presents a golden opportunity to cybercriminals who are presented with a risk free opportunity to get hold of business information.

Peter King – UK SMB Cloud Services Manager, Microsoft UK

“The most important asset for your business isn’t your people, it’s your intellectual property.”

Microsoft’s Peter King gave an interesting and informative talk about cloud services and about how cloud services, both on site and externally hosted can change the way companies can operate. On demand scalability means that SMB’s can take advantage of services designed for large scale enterprise with only the fraction of the cost. Peter emphasised the importance of realising that the cloud is as dynamic as an SMB needs to be. Cloud doesn’t just stop at software as a service but instead can provide entire scalable platforms for companies of all sizes.

Eesheta Shah – Partner, Intellectual Property, Nabarro

“Protecting your intellectual property is a huge advantage in competitive SMB space.”

Eesheta’s talk explained the different measures of protection that companies, including SMBs, can take to protect their intellectual or design property. The most powerful aspect of securing your own intellectual property, Eesheta explains is not the enablement for your own company but instead the limitations it enforces on your competitors. She then took the audience through everything from copyrighting, trade marking, patenting and design protection and emphasised that it’s important that SMBs take action early and adopt a quality over quantity approach.

Linda Cheung – CEO, CubeSocial

“You have to be a person to use social media, you have to have a personality. “Lurk and learn” if you have to.”

It’s not always easy to see how social media can fit into a business strategy. Linda gave a step by step breakdown of how longstanding doubts about success metrics and ROI that surround social media business strategy. Curiously Linda names British TV personality Jonathan Ross as an inspiration for her social media conversion. Linda advocates using social media as the ideal platform to as find out where your contacts hang out online and determine which platforms to invest in – speak to your audience where they want to listen. She also stated the importance of using social media to research clients and prospects. Time can be saved and shared interests discovered.

David Scholtz- Ariadne Capital

David from Ariadne gave a quick closing speech from a investment capital perspective. He gave a simple three step guideline to how viable a potential investment could be.

• Is it fixing a problem?
• Does it replace existing behaviour?
• Can you mother explain the benefits?

David explains that technology is a continuous process of evolution, before launching or funding a product it’s important to consider where your product fit in? What precedes it? What will come next? In principal, this will help your product avoid becoming the next minidisk and become the next iPod.

What next?

Videos, pictures and other media from the event will soon become available.

The half day workshop is bringing together innovative SMEs and global thought leaders such as Microsoft and IBM to give start-ups practical information and tools for using technology to accelerate their business growth.

If you can’t make it then AVG will be there tweeting and writing a blog covering the highlight’s of the half day’s seminars. You can follow our tweets on the day at @AVGEvents.