
Category: Cyber Crime

You’ve Been Hacked And Now You’re Being Sued!

Cybercrime is a continuing and rising threat. It has been in the news extensively and we have commented on the threats posed by Ransomware and DDoS attacks. We have also commented that 60% of cyber attacks are on SMEs.

Here in Singapore we are far from immune to this: SMEs are increasingly becoming soft targets for cyber criminals, who see them as easy targets because they often lack the resources, expertise and technical manpower to defend themselves against cyber attacks.

As a result of this, digital data breaches are becoming an all too frequent occurrence today. What is less on the radar of the average SME business owner is the rising number of lawsuits brought by customers, government agencies, employees and a variety of other stakeholders.

Cybersecurity is more than just an IT challenge – cybersecurity is now a business and legal imperative.

 


 

What Risks Do I Face?

Broadly speaking there are 2 categories of litigation risks:

1. Criminal prosecution by Government regulatory authorities for the loss and misappropriation of consumer data.

Here in Singapore this is set out in the Personal Data Protection Act, and the penalties for breaches of this legislation are onerous, with fines of up to $100,000 and custodial sentences of up to 3 years. The position is similar in most other countries in the region.

2. Civil prosecution by customers, employees and a variety of other stakeholders.

As an SME owner in the business-to-business sector, one of the biggest civil litigation concerns you potentially face is the [temporary or permanent] loss of business client data and your potential liability for your client’s consequential [direct and indirect] loss.

Take for example a professional services firm that experiences a data loss as a result of a cyber-attack, and critical client data is lost – or inaccessible – at a time when it is most needed. In this scenario the owner[s] of this firm could face a civil prosecution for recovery of their client’s losses. In the instance of a consequential loss, e.g. loss of business arising from the data loss, the liability could be considerable.

The law of contract and the law of negligence will vary from one country to another, but the general principles remain broadly the same.

We should of course point out that we are not legal advisors! Our perspective in commenting on these issues is that of an IT advisor, and our purpose in highlighting these points is to draw your attention to the broader dimension of the risks faced by the SME business owner arising from cyber-attacks. To fully understand your legal position you should seek professional legal advice.

 


Assessing your risk

As with all these issues, the temptation for the SME business owner is to ignore the issue and to think “this won’t happen to me!”

But there are costs to doing nothing, and you will only discover the full extent of that cost when you experience a cyber-attack and your client’s business critical data is lost….

The prudent approach is to conduct a thorough risk assessment followed by an examination and implementation of the most effective solutions to protect your business.

If you would like to discuss this issue and how to protect your business from these threats and exposures, please get in touch and we will facilitate a thorough review to help you gain clarity, we will inform you on your best options, and if required we will implement a solution for you.

Since inception in 1996, PASR Technologies has been providing SME business owners with a level of service and support that is typically only directly available in very large organisations.

Servicing businesses from 10 to up to 200 employees, our clients range from local SMEs through to regional offices of larger MNCs, and include airlines.

What is your business risk from broadband outage?

Cybercrime has been in the news extensively and we have commented on the threats posed by Ransomware and DDoS attacks. However, recent events here in Singapore have highlighted another often ignored and very real threat to SME businesses – what happens when your broadband service provider experiences a major outage?

Singapore telco Singtel experienced an islandwide outage of its fibre broadband service for nearly 24 hours over the weekend.

This follows on closely from two recent broadband service outages that hit Singapore based service provider StarHub and that have been attributed to “intentional and likely malicious attacks” on its servers.

Over the past few months broadband outages have been reported from BT in the UK, Deutsche Telekom in Germany, and Australian telco Telstra which has experienced 7 major outages in recent months!


Why does this matter?

Well, aside from the inconvenience to millions of consumers denied access to their favourite content on the internet, it can have a devastating impact on businesses.

To put it bluntly you need your network to run your business. In these challenging and competitive times, few businesses can afford a single location to go off-line, and definitely not the HQ or the data centre!

If you experience a broadband outage, your network goes down, and your business is impacted – but by how much?

The reality is that most SME business owners don’t know the answer to that question… until the network goes down!

Above and beyond the immediate direct costs, there are indirect costs:

  1. Loss of employee productivity
  2. Reputational damage with customers, suppliers and banks
  3. Loss of current revenue, loss of future revenue, and in some cases compensatory payments

Short broadband network outages can be an expensive nuisance, but the impact of larger outages can be devastating, even insurmountable, for some businesses.


How can I protect my business?

  1. You can reduce your exposure by having a secondary broadband provider. By having a second internet connection, the internet activity can be load balanced over the two lines with an automatic switch-over in the event of a network issue.
  2. If you are the business owner of an Internet-dependent SME you may want to avoid a dangerous over-reliance on fixed networking solutions by having either a wireless 3G/4G-enabled router or a satellite-based solution for additional backup.

The first step is a thorough risk assessment

Clearly there are costs to either or both of these solutions. And the temptation is to ignore the issue.

But there are costs to doing nothing, and you will only discover the full extent of that cost when you experience a broadband network outage.

The prudent approach is to conduct a thorough risk assessment followed by a cost-benefit analysis.

If you would like to discuss this issue and what it means for your business, please get in touch and we will facilitate a thorough review to help you gain clarity, we will inform you on your best options, and if required we will implement a solution for you.


 

 

 

DDoS Attack – What is it? How To protect Yourself

Major portions of the internet were recently taken offline by a major cyber attack. Websites became inaccessible and internet users were unable to access websites or undertake any of the usual things they do online.

According to global internet security provider Verisign in July 16, Distributed Denial-of-Service (DDoS) attacks have increased 75% year on year, so recent attacks taking out major portions of the Internet globally are a sure sign of things to come.


So what does this actually mean?

DDoS attacks stop users from accessing any type of Internet resource. They are typically directed at web servers or DNS servers, and cause those to be inundated with false requests, flooding the available bandwidth, which then restricts access to other resources on the same bandwidth. Hence they are called ‘Denial of Service’.


How does this happen?

Hackers initially gain access to compromised devices, and then use these – perhaps hundreds or thousands at a time – to launch specific requests against a target site. Hence they are termed ‘Distributed’.


Do I lose Data?

Generally, no – the attacks simply deny access to resources for a period of time. However, if you happen to have one of the machines used to generate the attack, it’s a different story…


Can I protect Myself Against DDoS Attacks?

Again, generally no – you are dependent on the service provider where your resources exist to implement appropriate protection to minimize such outages. BUT, there are steps you can take to minimize such disruptions:

[1] Ensure your DNS provider sets appropriate DNS timeouts (the TTL on your records) for your resources – a day is a good time, but many providers will set five minutes. If you own a .com namespace and set your DNS timeouts too short, access to your resources hosted far away (such as in Singapore) may have been impacted simply because users could not get DNS name resolution to reach those resources.

[2] Implement bandwidth-limiting to ensure a single server cannot hog all available bandwidth by itself. At PASR for example we expressly limit all machines in this manner – for example our public DNS servers are limited to only 500Kbps to protect other resources in the event of such an attack.
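One way to check point [1] against your own zone, as an added example that is not PASR's code: the script below reads a zone in BIND master-file format and lists every record whose effective TTL is below the one-day figure suggested above. The function names and the sample zone are hypothetical, and the parser assumes no `;` or parentheses inside quoted record data.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"^(?:\d+[smhdw])*\d+[smhdw]?$", re.I)
CLASSES = {"IN", "CH", "HS"}

# Constructed sample zone (example.com names, documentation address ranges).
SAMPLE_ZONE = """\
$TTL 5m
@    IN SOA ns1.example.com. hostmaster.example.com. (
         2016102501 ; serial
         1h 15m 1w 5m )
www  IN A 192.0.2.10
     1d IN AAAA 2001:db8::10
mail 86400 IN A 192.0.2.25
api  IN 300 A 192.0.2.30
"""

def ttl_seconds(text):  # '300', '5m' or '1d12h' -> seconds
    return sum(int(n) * UNITS[(u or "s").lower()]
               for n, u in re.findall(r"(\d+)([smhdw]?)", text, re.I))

def short_ttls(zone_text, minimum=86400):
    """Return (owner, type, ttl) for each record whose effective TTL is below minimum."""
    default_ttl, owner, findings, buf = None, "@", [], ""
    for raw in zone_text.splitlines():
        buf += raw.split(";", 1)[0] + " "          # strip comments
        if buf.count("(") > buf.count(")"):        # parenthesised record continues
            continue
        line, buf = buf.replace("(", " ").replace(")", " ").rstrip(), ""
        if not line:
            continue
        fields = line.split()
        if line.startswith("$"):                   # directives are not records
            if fields[0].upper() == "$TTL":
                default_ttl = ttl_seconds(fields[1])
            continue
        if not line[0].isspace():                  # leading blank = same owner as before
            owner = fields.pop(0)
        ttl = default_ttl                          # optional TTL/class follow, in either order
        while fields and (TTL_RE.match(fields[0]) or fields[0].upper() in CLASSES):
            token = fields.pop(0)
            if TTL_RE.match(token):
                ttl = ttl_seconds(token)
        if fields and ttl is not None and ttl < minimum:
            findings.append((owner, fields[0].upper(), ttl))
    return findings

print(short_ttls(SAMPLE_ZONE))
```

Records that carry their own one-day TTL (the AAAA and mail entries in the sample) are not reported; everything inheriting the five-minute `$TTL` default is.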

If you are unclear about this and what it means for your business, please get in touch.

At PASR Technologies, we solve your IT problems before you even realize you have one!

60% Of Cyber Attacks Are On SMEs

Cyber crime has been in the news recently. A few months ago the UK press was awash with the lurid headlines of UK telco TalkTalk’s admission that it was the victim of a “significant and sustained” cyber-attack that has led to 157,000 customers’ personal details being accessed.

The UK Institute of Directors (IoD) said only “serious breaches” made the headlines, but attacks on British businesses “happen constantly”. The UK government said it was “committed to tackling cyber-crime”.

 


Here in Singapore we are not immune from this

Small and medium-sized enterprises (SMEs) are increasingly becoming soft targets for cyber criminals, who are increasingly hacking into smaller businesses as a way of getting access to larger companies to which SMEs are suppliers.

SMEs are easy targets as often they lack the resources, expertise and technical manpower to defend themselves against cyber attacks. The situation is serious as the 2015 Internet Security Report shows that 60 per cent of all cyber attacks are on SMEs.

Ascendas’ www.spacetobe.com.sg website was hacked in 2014 – an activity that has occurred all too frequently to SG websites in past months. A concerned colleague – after being advised (three days later!) that the website’s database of personal information might have been exposed – asked me:

 


This is scary – so how can I be safe?

And what a good question!

Basically, we cannot. In the same way that we can protect our own homes with locks – without being a locksmith – we simply cannot guarantee that our homes will not be broken into by thieves, and precious contents stolen. Yes, we can report the matter after the fact, but as for cybercrime, we may never know what has been taken, and may not get it back.

In the mentioned case the hackers defaced the site by posting a public notice stating it had been hacked, so users, and the site owners, knew that it had occurred. But consider this scarier scenario – if the hackers above had sufficient access to deface the site:

  • How long have they had these permissions?
  • Have they previously extracted personal/private data?
  • What if they just took data and did not advertise their presence this time?

A few pointers to feel safe and secure

How should we go about protecting personal information that we provide to various online resources? In the same manner that we choose good and strong locks for our doors and windows, we need to be sure that we each do the same with our online credentials, and we also need to ask the owners and managers of such resources about what security practices they follow. So there are two components here, but only one of them is under our own control.

Here are a few pointers as to what we each must do.

  • Use strong passwords. Preferably use a phrase or something easily remembered. For example, change ‘My dog’s name is Spot’ into a password MdniS. Add perhaps the year we got our dog, and a special character, and you have MdniS2011# – a very strong password that we can easily remember without writing it down.
  • Use different passwords for each online resource that stores your information. If we access a lot of sites that need logins but do not store private/personal information, it’s OK to have a common username & password, but for those that do store such data, DO NOT SHARE.
  • Limit the amount of information that we provide. Just because a website asks for 25 pieces of data does not mean they are all mandatory. Limit the input to only those mandatory fields necessary to use the site.
  • If entering financial data like credit card numbers, make sure the site is using an encrypted connection – look for the https moniker at the start of the URL.

 


 

How can I be sure the site is secure?

All of the above, however, does not help us if the site is not secure. This means we need to be sure that both the site owners and the site hosters practice good security – and the hosters are an entity that we as site users do not have any direct contact with, which means we have to rely on the site owners. Here are some questions you might like to ask of those that ask for your personal data.

  • How do you protect my data?
  • How do you protect your servers from hacking?
  • How are your servers physically protected?
  • Do you know who has administrative access to your servers?
  • What are your policies and practices regarding password management?
  • What are your policies and practices regarding terminating access for resigning employees?
  • Do you change access passwords when staff leave?
  • Do you disable user accounts when staff leave?
  • Do all administrative users for your site share the same username and password?
  • Is there an online policy available regarding security and data protection?
  • Do you regularly check security logs for improper access?
  • Do you have any intrusion detection/prevention systems in place?

Be aware of the risks and manage your own online information

Obviously, some of the providers we deal with may never answer these questions, and there is not a lot we as individuals can do to force them to do so – other than simply not giving them anything personal or private – but this approach will generally thwart our business, and so is not acceptable. In the end, we need to ensure that we personally manage our own online information as securely as we can, and be constantly vigilant over the bits we have no direct control over.

I personally use a lot of online resources, and supply credit card details at least weekly for purchases. Am I concerned? Sure, but simply being a luddite and stopping using them is not an option in today’s connected world. Have I ever been hacked? No, well not that I know of, but then I practice all the points I mention above, and ensure that the organisations I deal with online are reputable.

Finally, we must each remain continually aware of the risks associated with the online world, and be personally responsible for our own access.


If you would like to discuss these issues and what it means for your business, please get in touch.

 

© 2016 PASR Technologies Pte Ltd
