Advisers: Be careful out there in cyberspace

OCT 17, 2010
The online security landscape is changing in fundamental ways. Many financial advisers are unaware of these changes, and that makes it all the more critical to defend against them.

That was the major theme of a presentation last week titled “Information Security: Protect Your Practice Today and Tomorrow.” I thought it was the most eye-opening session I attended at the Financial Planning Association conference in Denver.

In the interest of full disclosure, I worked for years with the presenter, Matt Sarrel, who is now the founder and executive director of Sarrel Group, a private network and information security consulting firm. He is certified as an information systems security professional. When I worked with Mr. Sarrel, he was a technical director at PC Magazine Labs, where he helped pioneer a lot of the testing methodology for the first generation of Internet security appliances that came to market.

The expanding need for those appliances and the demand for their increased sophistication reflect how scary today's small-business world has become, especially since virtually everyone uses a web browser. Because of that, more threats than ever lurk on the Internet, and advisers need to make sure that they are prepared.

COSTLY BREACHES

Here are a few statistics that Mr. Sarrel mentioned:

• According to the Ponemon Institute LLC's “Annual Cost of a Data Breach” study from last year, on average, a breach cost $202 per record compromised or stolen.
• Among the 43 data breach incidents studied, the minimum total cost to the organization was $613,000 and the maximum more than $32 million. The average cost of a security breach was $6.6 million, up from $4.5 million in 2005, when 13 breached organizations were studied.

“The take-away here is that you need to have a layered approach to your computer and Internet security — one that uses active protection,” Mr. Sarrel said.

This means running security software that goes beyond the traditional signature-based antivirus software and includes heuristic (self-learning), host-based intrusion protection, which can often be purchased bundled in the form of a suite.

Threats aren't limited to computer viruses. “A lot of traditional viruses you knew were viruses — it was often an ego thing [on the part of the hacker] and made obvious, but today's attacks on the other hand are often part of big criminal enterprises. They don't want you to know; they make money off of you not knowing,” Mr. Sarrel said.

We all face what are known as blended threats — malicious software that takes advantage of vulnerabilities identified in a computer's operating system or applications, nowadays especially in web browsers. Such software or code is used not only to infect a lone computer but also to enlist that computer as a way to infect others — even millions — in what are referred to as denial of service attacks.

According to a 2007 analysis by S21sec (an international digital security company headquartered in Spain), e-mail attachments were the source of infection for just 13% of computer infections, whereas browser exploits accounted for 65%, operating system exploits 11% and downloaded files 9%.

With this in mind, here are some practical tips to keep your firm safer.
If you use Microsoft's Internet Explorer, make sure to run the latest iteration, Version 8, if at all possible, and keep it updated on all the systems in your office. There are good, popular and free alternatives to Internet Explorer that run on Windows PCs, including Mozilla Corp.'s Firefox and Google's Chrome browser, among others.

Since more than 90% of the nation's businesses continue to run on Microsoft Windows, such environments are the biggest target. As annoying as they can be, let your Windows updates run whenever prompted.

The same goes for the operating systems on your hardware servers. Although a growing number of advisers are taking advantage of hosted applications in which they no longer have to maintain their own server hardware, many shops still have them, and many go unpatched and aren't updated regularly.

Although it would be impractical for most businesses to switch operating systems, it is worth noting that comparatively little malware targets Apple Computer Inc.'s operating systems or Linux.

When it comes to employee behavior (including your own), never download plug-ins from unknown sources, and be aware that the addresses of known sources can be faked or spoofed. It is also a good idea to limit your staff's ability to surf the Internet willy-nilly from their work machines.

In addition to the software firewalls found in most antivirus security suites, it is a good idea to consider a network firewall.

'MORE USER-FRIENDLY'

These come in the form of both hardware systems and software that can run on a dedicated PC or server. Some of these also provide host-based intrusion prevention systems, or HIPS, according to Mr. Sarrel, and can be updated to counter new types of threats.

“Five years ago when Symantec Endpoint Security came out, you almost needed to be a programmer to set it up and manage it, but things have grown far more user-friendly,” though it can still be a good idea to hire a consultant that specializes in these types of installations, he said.

“If you hire a consultant, make sure they document everything; at a bare minimum, have them provide you all your user names and passwords, and at least a basic network diagram,” Mr. Sarrel said.

E-mail Davis D. Janowski at [email protected]

Online resources referenced in this story:

• Fourth Annual US Cost of Data Breach Study
• Ponemon Institute

Other references:

• S21sec
• Sarrel Group
• Top Tech Dog

Selected news, reviews, and resources:

Reporter's note: In terms of quality, thoroughness, consistency, testing methodology, quality of writing — you name it — the bottom has fallen out of technology product reviews for small businesses. Because of that I cannot, in good faith, simply point you to a site that I think does a good job on all fronts. That said, I've cherry-picked a few reviews where I know the reviewer and trust them. I'm all ears for those that want to send along a site they like and trust.

• The Best Security Suites for 2011 [Advisers, at the very least, you need to have one of Neil's Editors Choice security suites running on all the PCs in your shop; he has been reviewing and testing these products literally for decades and is more familiar with how they work than any unbiased reviewer out there].
• Firewall (computing) [Decent overview of firewall technology and evolution]
• One-Stop Security [Note: This is the last hurrah at PC Mag in terms of covering SMB-focused security appliances in a roundup fashion; no one paid more attention to detail than my long-time colleague Oliver Kaven when it came to testing these devices. Some of the products and companies reviewed no longer exist or have been acquired; given the time I plan to revisit the products and vendors to see who still exists]
• SMB Security: Eight Tips to Protect Your Business Network
• Small-Business Security [Note: Written in 2004 while I was with PC Magazine, I include this for the introductory material in the first three pages, which still holds true; some of the products and companies reviewed no longer exist or have been acquired; given the time I plan to revisit the products and vendors to see who still exists]
• Symantec Endpoint Protection 11
• Symantec Announces New Business Security Suites

Additional online reading:

• Computer security coverage of Neil Rubenking at PCMag.com [Long-time reviewer Neil Rubenking's knowledge and coverage of computer security products for the consumer is unmatched, and much of it can be applied to the small business environment.]
• Survey finds that SMBs often lack basic security
• Extra Online Protection: Free, Easy, Effective
• s21sec Security Blog
• W32.Stuxnet Dossier
• EU Agency analysis of ‘Stuxnet' malware: a paradigm shift in threats and Critical Information Infrastructure Protection
