Human error is behind the vast majority of IT security breaches. A breach is a breach, whether through ignorance, a simple mistake or malice. A significant percentage of companies feel exposed to an inside threat so what can they do to protect themselves?

Train your staff

Recently we heard about a company laptop that was riddled with malware. The employee who used it never thought twice about the security credentials of the sites he visited. He never checked emails and attachments before opening them. We advised on cleansing and protecting the laptop, then gave a vital piece of security advice for this situation: change your habits, or the same thing will happen all over again.

This was quite an extreme case of human error. Even so, every company needs to train employees. They should learn where risks might lie, how to spot them and what to do if they think something’s risky. This remains without doubt the greatest cybersecurity danger area for companies of all sizes.

Maintain your IT assets

Do you find constant update notifications annoying? Do you dismisses software updates as  as a nuisance, especially if you have to reboot afterwards? You’re making one of the most serious security mistakes.

Legacy systems can leave services exposed to security risks

Never put off software updates. Whether you use Linux (you do, don’t you?), Mac or MS, software updates are vital for keeping software responsive. Updates protect software from new security threats and loopholes.

Software needs to be monitored and maintained at a system level too. Hardware needs to work at optimum and replaced if its software requirements jeopardize security. There have been several explanations for British Airways’ recent problems, including a contractor switching off power, but legacy systems have also been mentioned as a possible cause.

Restrict access to services

If someone leaves a company their work email address should no longer be available to them (divert it to ensure clients aren’t left dangling). Remove access to any other company services. Whether that employee is friend or foe, leaving access open to ex-employees is like leaving your house keys dangling in the door when you go out. Even worse, you may not have any idea they ever set foot in the house.

This is simple good IT hygiene. Enhance it by implementing different levels of access to company systems, and an audit trail. Know at all times not only who has access to what, but when they last accessed it, and keep that clearance under review.

Disaster recovery planning

These measures will go a long way to protecting your company and avoiding day-to-day pitfalls. Your staff will feel happier that they’re working within IT structures that smooth their working day and protect them against intrusion. IT contractors will be delighted to work with a business that takes security so seriously and uses platforms and utilities that are kept up to date.

However, we’re busy people. We receive hundreds of emails a week and use all sorts of online utilities. Everyone understands the basics of internet hygiene just like we understand that we shouldn’t eat too much sugar, but we don’t always follow the rules. We’re too busy, too tired, too hasty and too pressurised. We don’t double check the sender of every email and attachment we receive, or pay attention to the security of a website. This is especially the case if they appear familiar at a glance. Sometimes we click on something we shouldn’t, and every so often that will have calamitous results. This is how human error creeps in.

Creating a disaster recovery plan is vital for any business that intends to survive a serious IT problem. It’s time very well spent. You keep operating while the situation is put to rights instead of scrambling to find information. There’s a great deal of information available on disaster recovery planning, but we’re always happy to help if you’d prefer professional input. A well-drafted, tested and implemented disaster recovery plan turns an IT problem from a disaster to a nuisance.

The post Human error behind security breaches appeared first on OpenSure Blog.

You probably don’t have hundreds of thousands of customers, it’s unlikely your chief exec is grilled on the BBC and when your company gets it wrong Twitter might not creak under the weight of invective, but that doesn’t mean that a serious IT failure such as that suffered recently by British Airways can’t cost your company a fortune in money and reputation. Ensure your small business services are robust and well-protected and that you understand best practice. Here we detail the questions to ask your hosting company and the staff managing your IT services day-to-day.

Ask your DC about power failure procedures

BA has put out a barely credible reason for the outage: a power surge at a data centre followed by a failure of the back-up power system. Data centres are designed to withstand power surges and have strong back-up power systems. Problems can still occur, but it beggars belief that a company handling the volume of data, time-critical services and financial transactions that British Airways sees on a daily basis wouldn’t have cast iron measures in place to protect its power supply and back-up power generation. It’s astonishing to consider that BA would leave itself exposed in this way.

For the small company, the lesson here is to ask your hosting company about how it handles a power failure – the classic digger-through-a-vital-cable scenario. Ask it to explain to you – in language you understand – until you’re happy that short of asteroid strike, your services will stay up.

Communication

But let’s say that a power surge and failed back-up power service has indeed knocked your website, email and other utilities offline. Small business services are potentially more vulnerable to this than a huge global company as they won’t be sitting on the same dedicated services as a large company. British Airways was heavily criticised for not communicating with its customers; Alex Cruz, British Airways’ chief executive, explained this away by saying the messaging services were also affected by the outage. A company with the resources of BA has all its eggs in one basket? Staggering. A basic strategic error. Of course BA has data protection to consider when it contacts customers and has to use secure and encrypted channels for this, so I’m not convinced about the suggestion I heard to fire up a GMail account and email everyone. A security breach would have been the last thing BA needed on top of the outage, but again, a company with the infrastructure of BA surely could use services sitting in another data centre to communicate with customers. All data held should be backed up and held in multiple locations, so all customers should have been contactable.

Consider how you communicate with your customers: do you have contact data backed up? Do you have an alternative channel to communicate with your clients if your services go down? Back ups are very important but unfortunately their value is often underestimated until things go wrong and that data becomes critical.

Virtually every company uses some form of social media these days, and while it may not be the right channel for communicating sensitive information, make sure your clients know how to make contact with you in the event of a problem. Put your social media contact buttons or URLs in your email footer and on any paper invoices or other communications you may send out. Not knowing what’s going on ups the ante for your cllients very quickly and makes everything 10 times harder to deal with. If you can let your clients know that you’re aware of the probem and that you’ve set in train your recovery plan, you’ll make the aftermath less heated. Once everything is back to normal, get in touch with your clients to give them an update. Remember that other companies may view you as you view other small business services and expect a similiar response from you as you do from your hosting company.

Reliable IT staff

Whatever the truth of it, accusations have been aimed at British Airways that it made redundant its best (and therefore expensive) on-site IT staff and that the delay in restoring services was in part attributable to having to use remote contractors. Small business services are especially vulnerable in this situation as they rarely employ in-house IT staff and are entirely reliant on the procedures and expertise of the hosted platforms they sit on, so ask your hosting company what its emergency plan is. What’s your SLA – everything restored in four hours? Within 24 hours? What resources does it have access to? How much redundancy is in place? Redundancy is effectively ‘spare’ services and capacity that step in automatically to keep everything working when the main service is having problems. Ideally neither you nor your customers should notice that anything happened. Ask your hosting company too whether you’re charged separately for this type of support and what compensation is offered.

Doing the day job

BA is an airline: it flies passengers all over the world. This is and should be its priority, not dealing with IT problems and their very public fall-out. What would happen to your business if you had to spend three days dealing with IT problems instead of doing your real job? Would you lose money, miss opportunities, upset valued clients, have to cancel appointments, spend time and money reassuring and perhaps compensating people? These things have lasting consequences. To minimise the likelihood of a problem, the time it lasts and the fall-out you have to deal with, create a disaster recovery plan. We wrote an article about this a while ago and the advice stands. Sometimes things go wrong, but in the words of that article, plan to reduce it from a disaster to a nuisance.

The post The BA fiasco – Lessons for small business services appeared first on OpenSure Blog.

Vatican library uses open source, according to this article:

Vatican library: open source for long-term preservation

The article looks at the way Vatican library uses open source and open standards for long-term preservation of electronic documents. Head of IT at the Vatican Library, Luciano Ammenti, identified another key benefit: avoiding vendor lock-in.

Both of these points are interesting and we’ll take a closer look, but this line from the article really leapt out:

The Vatican library does not have a policy prescribing open source and open standards, says Ammenti. “The reality is that in our data centre we use a lot of open source software, sharing our experiences with other scientific communities. It is a privilege to use their open source solutions.”

The best solutions are open source

In other words, the set up at the Biblioteca Apostolica Vaticana (to give it its proper name) hasn’t been prescribed or imposed by a higher authority, rather it simply provides the best solution and day-to-day it helps the Library achieve its aims. The Vatican library uses open source just because nothing else performs as well, not out of adherence to higher principles. That’s a very powerful endorsement of open source, and further reading of the article reveals that the IT department at the Vatican library uses open source for wider operations.

Well-maintained open source software

Discussing digital file format in particular, Mr Ammenti referred to the features of the actively-maintained system the library uses and contrasted it with the only proprietary alternative, which was last updated in 1998. The freedom to identify and migrate to well-maintained open source systems such as that one is a key element of the appeal of open source and the heightened productivity it can unlock. Making operational decisions in the knowledge that open standards underpin the choices you make is a breath of fresh air for IT professionals used to working within the limits of proprietary systems.

If you have any queries about adopting open source alternatives to any of the proprietarysolutions you use, please email support@opensure.net.

The post Vatican library uses open source to avoid vendor lock-in appeared first on OpenSure Blog.

Imagine you’re already a very happy user of an open source program, full of the joys of freedom of choice, and you’ve chosen Original Sync (imaginary software for our imaginary scenario) to keep track of your contacts, appointments and emails.

You love it 95% of the time but there’s this little niggle – you’d like it to be able to do something additional to save you a job or help you work more efficiently. Wouldn’t it be great if it could talk directly to your note taking app or come with different coloured backgrounds for different days of the week or fill in a time sheet or in some other way do something totally incredible that it doesn’t do atm?

An open source program and approach allows you get those changes made – here’s how it works:

Adding the features you want

You approach your hosting provider (that’s us) and pose us the problem. We talk to the programmers that we know and trust, and ask them if that mod is possible. Chances are it is, so the programmers obtain the source code (because that code is ‘open’, ie available to see and use) and develop it to include the features you want. Bingo – you have software that does just what you need it to do, an open source program with your name on it (not literally). The modified source code and new program is available for anyone to use, because why not?

The world is a happier place because Monday is pink and Tuesday is a delicate shade of sea green.

Choice and freedom

Using open source to run your business expands your horizons as it gives you the choice and freedom to use the software that’s right for you, not the software that a developer wants you to use or that you have to use if you want other related packages to keep working. This is called ‘lock-in’ and is one of the most unattractive aspects of proprietary software. Switch to open source and lock-in becomes something that holds back your competitors, not you.

The post An open source program to suit you appeared first on OpenSure Blog.

It’s important to be clear about ownership of your web assets and content. Here we take a quick look at a couple of areas, and include an update on something we were talking about a fortnight ago – linking accounts.

Who owns your content?

It’s reasonable to assume that you have total ownership and full rights over all your original content that you post on the internet. Reasonable, but possibly wide of the mark. Double check the Ts&Cs of any sites where you post content.

Some sites such as LinkedIn explicitly reassure you that your content is yours and you have full rights to it, but there’s a sting in the tail:

…you own the content and information that you submit or post to the Services and you are only granting LinkedIn the following non-exclusive license: A worldwide, transferable and sublicensable right to use, copy, modify, distribute, publish, and process, information and content that you provide through our Services, without any further consent, notice and/or compensation to you or others.

– our bold, because that’s quite an important little clause. Some sites go further and expect to be able to use others’ original creative content royalty-free. This from WattPad, a creative writing platform:

C. For clarity, you retain all of your ownership rights in your User Submissions. However, by submitting User Submissions to Wattpad.com, you hereby grant Wattpad.com a worldwide, non-exclusive, royalty-free, transferable license to use, reproduce, distribute, display, and perform the User Submissions in connection with the Wattpad.com Website.

This is all there in black and white, but how many people actually read it, inform themselves and consider the ramifications? This is a concern as WattPad is aimed at the teen/young adult audience. These digital natives often dismiss this stuff as boring and unimportant, which can have unwelcome consequences.

If you’re posting original content make sure you understand what can be done with that content. Read the agreement and make sure you’re happy with it. Otherwise, don’t sign up.

Registering a domain name

Easy peasy. Find one of the few remaining available domain names, hand over your £9.99, fill in a few fields and you’re away. Or maybe you get someone else to do it and trust them to get it right. It isn’t that simple though and making common mistakes can jeopardise your whole business set-up.

Common mistakes

To focus on just a couple of mistakes, do you know who’s named as the owner of the domain your business relies on? Do you know who’s named as the administrative contact? These should be respectively the owner of the business and the person who is authorised and competent to act for you on domain matters. This should be an in-house IT person or a trusted technical provider.

Do you know if the contact email on your domain registration arrives at a live and monitored inbox? Is there an established path to contact you, eg to deliver notice that your domain name is nearing expiry? This all sounds extremely simple and it is, but many small business owners don’t know the answers. To make matters worse, they wouldn’t know who to ask. This exposes a business to losing their online presence and email addresses.

Consider this from Nominet:

We have always required domain name holders to provide accurate and up-to-date information in the form of a correct registrant name and postal address. Failure to do this means a registrant risks losing their domain name.

And that’s before a company registering a .uk is wrongly described as a charity. This and other mistakes can legally permit your domain to be removed from you. We’ve had to act for clients who’ve suffered this mistake. It’s now our practice to run the rule over existing domains new clients bring to us. It’s all part of the service.

Ask the experts

Help is at hand. In this as with so much else, OpenSure can see the process through for you accurately and quickly. We can run a check on an existing domain and advise on domain queries, such as false invoicing scams.

Using a third-party app to log-in

Two weeks ago we looked at why linking accounts on different platforms wasn’t such a good idea, and now this from Computerworld:

A new tool allows hackers to enerate URLs that can hijack accounts on sites that use Facebook Login, potentially enabling powerful phishing attacks.

All sorts of sites allow you to use other sites’ logins to log in to them, eg Goodreads. This is yet another example of stretching security rather thin, completey unnecessarily. Just come up with a unique login for your Goodreads account and snip another thread between your online identities.

The post Ownership of content and assets appeared first on OpenSure Blog.

Security isn’t just down to other people choosing not to hack your device or a service you use – you have some control and some responsibilities too. As part of our ongoing weekly series on security, we review three measures you can take today to increase your security and privacy and that of the people you communicate with.

Keep distribution lists private

How often do you get an email from someone that includes swathes of other email addresses in the Cc field? Lucky you if the answer is ‘not often’. Dare I ask how often you *send* an email like that?

It’s bad manners to reveal lots of email addresses that have been displayed without their owners’ consent. It looks amateurish and spoils the layout of your email. Some recipients will realise it’s hardly personal and delete without bothering to read it.

So how do you prevent this and avoid jeopardising other people’s security? It’s very simple: when sending a mass email ensure that the recipient addresses go in the Bcc (blind ‘carbon’ copy) field. Put your own address in the To field. That’s all it takes.

Be careful what information you record

It’s too easy to keep up a running commentary across the breathtaking range of social media opportunities. Add to that devices that we actively configure to record our sleep, exercise, health. We can even record our driving experience with dashboard cams.

Proving your innocence

The innocent face of this is to increase our own security and protect ourselves (proof that that white van simply pulled out in front of you). It helps us optimise our lifestyle for the benefit of our health. Consider though the implications of being on the wrong side of the law or a dispute. Clearly we aren’t going to encourage anybody to with-hold evidence or do anything shady, but put it like this: information you don’t record can’t be twisted to be used against you.

Just imagine the fun an insurance company (yours, or someone else’s) could have with your health and fitness data. What if it could be proved that you were sleep-deprived or fasting the morning you had a car accident (consider this case ongoing in Canada)? What if you’d used Twitter to vent your frustration with a child the day that child breaks an arm? You’d be innocent, but now you may have to prove that because of the information you’ve broadcast and/or recorded.

You’ve all heard of children having parties while their parents are away. The time and venue made it onto social media and 300 uninvited guests arrived, with predictable results. Hilarious. What a numpty. But take a step back and draw the connection between that and the situation you could be creating for yourself.

Kill off obsolete accounts

Over the years we accumulate vast numbers of accounts. These accumulate across forums, social networking, journal log-ins, multiple email accounts etc etc. It’s worth revisiting these from time to time and deleting any that you’re sure you no longer need. This minimises your exposure to hacking attacks as well as reducing the amount of information about you that’s available on the internet.

In most cases, certainly for personal non-work related accounts, it’s advisable to avoid using your real name for display purposes. Clearly professional sites such as LinkedIn are an exception. And remember – never EVER re-use a password.

The post Security quick tips to act on today appeared first on OpenSure Blog.

Smartphone security and the specific risks attached to increased smartphone use have attracted a lot of attention recently. Not only is the technology ever more sophisticated, inter-connected and beyond many people’s ken, but we rely on these phones in business and give them free access to much of what we do.

By sending information back and forth and connecting to myriad accounts and services we concentrate lots of valuable data about ourselves in one easy to intercept location. Here we outline three steps you can take today to minimise your exposure.

Reviewing connected apps & accounts

Do you run social media on your phone, using Twitter, LinkedIn, Instagram, Pinterest, Facebook etc for your business? Five minutes’ use of these platforms will show you that many people automate cross-platform posting so that every Facebook status update is tweeted and every Instagram post pops up on Tumblr  – often with no accompanying information and without any suggestion of why we should want to schlep over to FB or Instagram to see it in its full glory.

There are lots of reasons for not cross-posting (from a content point of view, these platforms have different functions and audiences therefore your FB content isn’t suitable for Twitter and vice versa, and it bores audiences who follow you on several platforms to see the same content on each), but the most significant is that linking your accounts like this dramatically increases your exposure to hacking. If someone gets into one account it’s a short hop to compromise the others.

• Review your linked accounts and consciously uncouple wherever you can.

Remove apps that sell information

Downloading a free app is always a gamble (and some paid ones are risky too – do your homework before downloading). Consider how the developer is going to monetise that app: it might be advertising, it might be anonymised user data gathering or it might be simply selling on your data, with or without – most likely without – your consent.

Consider this Flashlight case. First of all, what on earth is a torch app doing asking for  access to such a range of data in the first place? It gets worse. To quote the Wired article linked to above:

The FTC has clamped down on another flashlight apps [sic] for doing downloading data for advertisers without informing consumers

Trying to find out precisely what information is being gathered (as opposed to simply the scope the app requests) is very difficult, and that’s in the developers’ interest. As the article goes on to say, there’s really no such thing as a free app.

As well as that article listen to this brief podcast article from The Naked Scientists.

• Pay attention to the permissions a new app asks for and don’t download it if it’s not essential and you have concerns

Apply software updates

Do you keep on top of your phone’s requests to update apps and software, or do you automate updating? Patches and updates come out in response to changes in external elements that apps use to run (ie not something within the developer’s control), in response to security concerns and calamities, and in order to offer you a better service or user experience.

You should have the option to authorise these updates manually (and change other settings such as downloading updates only over wifi so you don’t hammer your data allowance). Setting update to manual is a good idea if you want to keep close control over updates and have the option to review what they’re asking for. You might be surprised at what’s still lurking on your phone (you can uninstall anything you feel you don’t need any more – do you really need that eBay app these days, the one with your eBay password stored in it?) and what updates are asking to access.

• Set updates to manual and review them with every update request

The post Smartphone security appeared first on OpenSure Blog.