Protecting your data in a dangerous online world
(As originally published in the Financial Post, July 2012)
By Rafael Etges, Leader, Information Security, Ernst & Young LLP
We’ve recently seen a sharp increase in criminally and politically motivated cyber attacks. Cases are reported by the media on a daily basis, and concerns are also being raised during industry discussions.
While some criminal activities are conducted in isolation by private citizens, others have been associated with state sponsors, who overlook, sanction or even fund them, suggesting a new form of privateering in cyberspace.
Social discontent has also been manifested online. Given the impacts of the global financial crisis, perceived social inequality associated with globalization and the economic crisis in Europe, organizations of all sizes are being targeted by organized groups of “hacktivists.”
Meanwhile, organizations are constantly trying to reduce their operating budgets, and security is often a low priority. And while emerging technologies such as cloud computing, social networks, mobile computing and “big data” analytics can enable start-ups to be much more productive than before, these technologies can also expose entrepreneurial organizations to new risks as their data is sent across new platforms and systems. This is particularly true for organizations that largely depend on the generation and manipulation of sensitive data to generate value for their customers and stakeholders.
It’s important to protect your brand, your reputation, your customers’ trust and your own peace of mind. Your level of protection will depend on your risk tolerance and appetite.
No one should steer through turbulent and poorly regulated waters in a fragile and unreliable ship.
Think about the extent to which your business depends on technology, and consider the following:
- Your data — including personal data, banking and payment data, business and private communications, intellectual property, contracts and legal documents — could be sold if stolen.
- Your business may be associated with controversy — immigration, health, economics and e-commerce, law, education, research and development, environmental impact, for example — and may invite hostility, whether justified or not.
- You don’t need to be “big” to be a target. Most threats, such as viruses and automated scanners probing for unprotected targets, will infect and take over a computer with complete disregard for its ownership. Viruses treat a multinational bank’s computer the same way they treat that of a local NGO. In most cases, the bank’s systems will be better protected, diverting attacks to smaller organizations that are easier to penetrate.
- The largest cyber attacks occur through millions of infected computers located anywhere in the world that are simply used as tools to work against a single target. It’s not about having secret data — it’s about having a working computer that can service others.
The reality is that until the internet is properly regulated, and law enforcement can ensure everyone’s safety from online crime, we are essentially on our own.
To be successful, today’s entrepreneur needs to be internet savvy and know the basics of online protection:
- Keep your computers updated with a robust antivirus and firewall solution, security patches and web browsing filtering. Read more about this in Ernst & Young’s recent article “Protecting your customers’ data as your business grows.”
- Assuming that your business does not have an in-house security expert, find an advisor you can trust – ideally someone with professional experience and IT security certification.
- Educate yourself – not to become an IT engineer, but rather to know what to do when you receive a suspicious email or file. Know when to trust, and adjust your online behaviour accordingly.
- Many businesses are eventually victimized by cyber crime in one way or another. Establish a plan of action – what would you do if you discovered that you had been hacked? Best to build your plan now when you have the time and can think clearly, rather than try to react under the stress and pressures of a cyber attack.