
Category: Security

You’ve Been Hacked And Now You’re Being Sued!

Cybercrime is a continuing and rising threat. It has been in the news extensively, and we have commented on the threats posed by ransomware and DDoS attacks. We have also commented that 60% of cyber attacks are on SMEs.

Here in Singapore we are far from immune, as SMEs are increasingly becoming soft targets: cyber criminals see them as easy prey because they often lack the resources, expertise and technical manpower to defend themselves against cyber attacks.

As a result, digital data breaches are now an all too frequent occurrence. What is less on the radar of the average SME business owner is the rising number of lawsuits brought by customers, government agencies, employees and a variety of other stakeholders.

Cybersecurity is more than just an IT challenge – cybersecurity is now a business and legal imperative.

What Risks Do I Face?

Broadly speaking, there are two categories of litigation risk:

1. Criminal prosecution or regulatory enforcement action by government authorities for the loss and misappropriation of consumer data.

Here in Singapore this is set out in the Personal Data Protection Act, and the penalties for breaches of this legislation are onerous, with fines of up to $100,000 and custodial sentences of up to 3 years. The position is similar in most other countries in the region.

2. Civil claims by customers, employees and a variety of other stakeholders.

As an SME owner in the business-to-business sector, one of the biggest civil litigation concerns you potentially face is the temporary or permanent loss of business client data and your potential liability for your client’s consequential loss, direct and indirect.

Take for example a professional services firm that suffers a data loss as a result of a cyber-attack: critical client data is lost, or inaccessible, at the moment it is most needed. In this scenario the owners of the firm could face a civil action to recover their client’s losses. Where the loss is consequential, for example business lost because of the data loss, the liability could be considerable.

Contract law and the law of negligence vary from one country to another, but the general principles remain broadly the same.

We should of course point out that we are not legal advisors! Our perspective in commenting on these issues is that of IT advisors, and our purpose in highlighting these points is to draw your attention to the broader dimension of the risks the SME business owner faces from cyber-attacks. To fully understand your legal position you should seek professional legal advice.

Assessing your risk

As with all these issues, the temptation for the SME business owner is to ignore the issue and to think “this won’t happen to me!”

But there are costs to doing nothing, and you will only discover the full extent of that cost when you experience a cyber-attack and your client’s business-critical data is lost.

The prudent approach is to conduct a thorough risk assessment followed by an examination and implementation of the most effective solutions to protect your business.

If you would like to discuss this issue and how to protect your business from these threats and exposures, please get in touch. We will facilitate a thorough review to help you gain clarity, advise you on your best options and, if required, implement a solution for you.

Since its inception in 1996, PASR Technologies has been providing SME business owners with a level of service and support that is typically only available within very large organisations.

Servicing businesses of 10 to 200 employees, our clients range from local SMEs to the regional offices of larger MNCs, and include airlines.

DDoS Attack – What is it? How To protect Yourself

Large portions of the Internet were recently taken offline by a major cyber attack. Websites became inaccessible, and Internet users were unable to reach them or do any of the usual things they do online.

According to global Internet security provider Verisign, reporting in July 2016, Distributed Denial-of-Service (DDoS) attacks had increased 75% year on year, so the recent attacks that took out large portions of the Internet are a sure sign of things to come.


So what does this actually mean?

A DDoS attack stops legitimate users from reaching an Internet resource. The targets are typically web servers or DNS servers, which are inundated with bogus requests. The flood exhausts the target’s bandwidth or processing capacity, and anything that shares that bandwidth becomes unreachable as well. Hence ‘Denial of Service’.


How does this happen?

Attackers first compromise a large number of devices, then direct them, perhaps hundreds or thousands at a time, to send requests at the target site. Hence ‘Distributed’.


Do I lose Data?

Generally, no: the attack simply denies access to resources for a period of time. However, if one of your machines is among those used to generate the attack, it is a different story, because that machine has already been compromised and is under someone else’s control.


Can I protect Myself Against DDoS Attacks?

Mostly you cannot stop the flood yourself: you depend on the provider hosting your resources, and its upstream networks, to absorb or filter it. BUT there are steps you can take to limit the disruption:

[1] Ask your DNS provider to set a sensible time-to-live (TTL) on your records. The TTL tells resolvers how long they may keep an answer cached; a day is reasonable, but many providers default to five minutes. With a short TTL, cached answers expire within minutes of your authoritative DNS servers (or your provider’s) being knocked out, and from then on nobody can resolve your names, even though the servers hosting your resources (in Singapore, say) are up and reachable. The trade-off is that a long TTL also slows down planned changes such as moving a service to a new address, so lower it shortly before a planned change and raise it again afterwards.

[2] Implement bandwidth limiting so that no single server can consume the whole of a shared link by itself. At PASR, for example, every machine is capped in this way; our public DNS servers are limited to 500 Kbps so that an attack on them cannot starve the other resources on the same connection.
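As an added illustration of point [2] (example code written for this page, not PASR’s own configuration; every figure in it is an assumption chosen for the illustration), the Python simulation below shares a 10 Mbps link between a public DNS server and a web server. The DNS server is made to push 20 Mbps of responses, as it might when caught up in an attack, and the run is repeated with and without a 500 kbps cap on its egress. The cap is a token bucket, the same mechanism behind the Linux tc tbf queue and most firewall rate limiters. Served first on the link (the worst case for the web server), the uncapped DNS host takes the whole 10 Mbps and the web server gets nothing; with the cap, DNS is held to about 0.5 Mbps and the web server keeps its full 3 Mbps.

```python
"""Per-host egress cap with a token bucket: a constructed simulation.
Example code added for this page, not PASR's configuration; the link speed,
demands and cap are assumptions chosen for the illustration."""


class TokenBucket:
    """Classic token bucket: tokens refill at rate_bps and never exceed burst_bits."""

    def __init__(self, rate_bps, burst_bits):
        self.rate_bps = rate_bps
        self.burst_bits = burst_bits
        self.tokens = burst_bits  # start full, so a short burst is allowed
        self.last = 0.0

    def take(self, nbits, now):
        """Refill for the elapsed time, then grant up to nbits; the rest is dropped."""
        self.tokens = min(self.burst_bits,
                          self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        granted = min(nbits, self.tokens)
        self.tokens -= granted
        return granted


def simulate(link_bps, dns_demand_bps, web_demand_bps, dns_cap_bps=None,
             seconds=10.0, step=0.01):
    """Share one link between a DNS host and a web host, DNS served first
    (worst case for the web host).  Returns the average Mbps each host got."""
    bucket = TokenBucket(dns_cap_bps, dns_cap_bps * 0.1) if dns_cap_bps else None
    dns_sent = web_sent = 0.0
    for i in range(int(seconds / step)):
        now = i * step
        budget = link_bps * step          # bits the link can carry this tick
        want = dns_demand_bps * step      # bits the DNS host tries to send
        if bucket is None:
            dns_bits = min(want, budget)  # uncapped: DNS may eat the whole link
        else:
            dns_bits = min(bucket.take(want, now), budget)  # capped at the host
        budget -= dns_bits
        web_bits = min(web_demand_bps * step, budget)        # web gets the remainder
        dns_sent += dns_bits
        web_sent += web_bits
    return {"dns_mbps": dns_sent / seconds / 1e6,
            "web_mbps": web_sent / seconds / 1e6}


def compare(link_bps=10e6, dns_demand_bps=20e6, web_demand_bps=3e6, cap_bps=500e3):
    """Run the same flood with and without the 500 kbps cap on the DNS host."""
    return {
        "uncapped": simulate(link_bps, dns_demand_bps, web_demand_bps),
        "capped": simulate(link_bps, dns_demand_bps, web_demand_bps, cap_bps),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:9s} dns={r['dns_mbps']:.2f} Mbps  web={r['web_mbps']:.2f} Mbps")
```

The burst allowance (a tenth of a second’s worth of tokens) is what lets a normal DNS server answer a short spike of genuine queries without being throttled; the sustained rate is what protects the neighbours when the spike never ends.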

If you are unclear about this and what it means for your business, please get in touch.

At PASR Technologies, we solve your IT problems before you even realize you have one!

How Do You Protect Your “Crown Jewels”?

We have worked with business owners and senior management of organisations with fewer than 200 staff for over 20 years.

We continually see the same recurring issues when it comes to IT management in SMEs.

One issue that we find quite disturbing is the cavalier attitude so many small business owners take to the security of their IT assets.

This is especially significant with regard to the security of their own data and, even more critically, the security of their clients’ data held on their systems.

A recent survey quoted a senior manager in a professional services firm as saying:

“At the moment internally we don’t really have much [internal] security. Our systems are open; Just about everyone in the office can actually look at anything in the system.”


The issues

  • Threats to IT information assets come from many sources: malware, hardware failure, hacking, employee mistakes and deliberate sabotage. How do you know that you are protected?
  • How do you ensure that you have current and continual protection on all fronts, so that your data is not lost or compromised?
  • How do you ensure that organisational information assets are NOT stored only on one key staff member’s laptop, but are stored centrally for all users to access, AND properly backed up and recoverable?

Critical Questions

  • How long can your business survive without key data?

Imagine losing important customer files and having to explain to your clients how it happened. If your immediate response to this question is “But we back up our data regularly!”, fine: you may have a backup strategy, but do you regularly test it, so that you are certain you can recover your data after a major disaster or loss? [Statistics show that 60% of backups are incomplete, and 50% of restores fail.] A backup that has never been restored is untested; restore it to a spare machine from time to time and compare the restored files with the originals.

  • How do you protect your commercially sensitive data?
  • How do you protect client data held on your computers?
  • What level of security assessment do you undertake on any third-party you bring into your company to undertake IT support and maintenance?

You do realise that every third party who has access to your IT systems potentially has access to all of your secrets?
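The backup question above is the one most often answered with “yes” and most rarely proven. As an added example (code written for this page, not PASR’s tooling), the Python below runs the drill end to end on a constructed set of files: take a SHA-256 manifest of the live files, back them up to a tar archive, restore into a fresh directory, and compare. It then damages the restored copy, one file altered and one file missing, to show that the same comparison catches a bad restore. The file names and contents are constructed for the illustration.

```python
"""Backup-and-restore verification drill.  Example code added for this page,
not PASR's tooling: constructed files are backed up to a tar archive, restored
into a fresh directory, and every restored file is checked against a SHA-256
manifest taken before the backup."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for a firm's working files.
SAMPLE_FILES = {
    "docs/clients.csv": b"name,email\nAcme Pte Ltd,ops@acme.example\n",
    "docs/contract.txt": b"Master services agreement, v3\n",
    "db/ledger.sqlite": bytes(range(256)) * 4,
}


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map every file under root (posix-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def backup(src, archive):
    """Write every file under src into a gzip tar, paths relative to src."""
    src = Path(src)
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(src).as_posix())


def restore(archive, dest):
    """Extract the archive; the 'data' filter (Python 3.12+, backported to
    3.11.4+) refuses members whose paths would escape dest."""
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            tar.extractall(str(dest), filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(str(dest))


def verify_restore(expected, restored_root):
    """Compare a restored tree with the manifest taken before the backup.
    Returns (missing, mismatched) lists of relative paths."""
    actual = manifest(restored_root)
    missing = sorted(k for k in expected if k not in actual)
    mismatched = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return missing, mismatched


def run_drill():
    """Full cycle: back up, restore, verify; then verify a deliberately bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, archive, rest = tmp / "live", tmp / "backup.tgz", tmp / "restored"
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        expected = manifest(src)          # taken from the live data, not the archive
        backup(src, archive)
        restore(archive, rest)
        clean = verify_restore(expected, rest)
        # Simulate a bad restore: one file corrupted, one file never came back.
        (rest / "docs" / "clients.csv").write_bytes(b"name,email\n")
        (rest / "db" / "ledger.sqlite").unlink()
        tampered = verify_restore(expected, rest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(run_drill())
```

The manifest is taken from the live files before the backup runs and stored separately from the archive, so a backup job that silently skipped a file, or an archive that was damaged in storage, shows up as a missing or mismatched entry rather than as a surprise on the day you need the data.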


The Business Impacts and Your Exposures

Unless you can answer each of these questions you and your business are at considerable, and potentially catastrophic, risk of business failure and expensive, damaging litigation.

The solution is a consistent, holistic strategy and implementation to protect your business across all of these areas.

If you are unclear about this and what it means for your business, please get in touch.


60% Of Cyber Attacks Are On SMEs

Cyber crime has been in the news recently. A few months ago the UK press was awash with lurid headlines after UK telco TalkTalk admitted it was the victim of a “significant and sustained” cyber-attack that led to 157,000 customers’ personal details being accessed.

The UK Institute of Directors (IoD) said only “serious breaches” made the headlines, but attacks on British businesses “happen constantly”. The UK government said it was “committed to tackling cyber-crime”.

Here in Singapore we are not immune from this

Small and medium-sized enterprises (SMEs) are increasingly becoming soft targets for cyber criminals, who are increasingly hacking into smaller businesses as a way of getting access to the larger companies to which those SMEs are suppliers.

SMEs are easy targets because they often lack the resources, expertise and technical manpower to defend themselves against cyber attacks. The situation is serious: the 2015 Internet Security Report shows that 60 per cent of all cyber attacks are on SMEs.

Ascendas’ www.spacetobe.com.sg website was hacked in 2014, something that has happened all too frequently to Singapore websites in recent months. A concerned colleague, after being advised (three days later!) that the website’s database of personal information might have been exposed, asked me:

This is scary – so how can I be safe?

And what a good question!

Basically, we cannot. We can protect our own homes with locks, without being locksmiths, but we cannot guarantee that thieves will never break in and steal precious contents. We can report a burglary after the fact; with cybercrime, we may never even know what has been taken, and may not get it back.

In the case mentioned, the hackers defaced the site by posting a public notice stating that it had been hacked, so users and the site owners knew it had occurred. But consider this more worrying scenario. If the hackers had sufficient access to deface the site:

  • How long have they had these permissions?
  • Have they previously extracted personal or private data?
  • What if they just took data and did not advertise their presence this time?

A few pointers to feel safe and secure

How should we go about protecting the personal information we provide to various online resources? Just as we choose good, strong locks for our doors and windows, we each need to do the same with our online credentials, and we also need to ask the owners and managers of those resources what security practices they follow. So there are two components here, but only one of them is under our own control.

Here are a few pointers as to what each of us must do.

  • Use strong passwords. A memorable phrase is a good starting point. For example, turn ‘My dog’s name is Spot’ into MdniS, add the year we got the dog and a special character, and you have MdniS2011#, a password we can remember without writing it down. Longer is better: the full phrase with the year and symbol appended is both easier to remember and much harder to crack than the initials alone.
  • Use a different password for each online resource that stores your information. For sites that require a login but hold nothing private or personal, reusing a throwaway username and password is a tolerable risk; for those that do hold personal or financial data, DO NOT SHARE passwords between sites, because a password stolen from one site will be tried against the others. A password manager makes a unique password per site practical.
  • Limit the amount of information we provide. Just because a website asks for 25 pieces of data does not mean they are all mandatory. Fill in only the mandatory fields needed to use the site.
  • If entering financial data such as credit card numbers, make sure the site uses an encrypted connection: look for https:// at the start of the URL, and the browser’s padlock. Note that HTTPS only protects the data in transit between your browser and the site; it says nothing about how the site stores that data once it arrives.

How can I be sure the site is secure?

All of the above, however, does not help us if the site itself is not secure. That means we need to be sure that both the site owners and the site hosters practise good security; the hoster is an entity we as site users have no direct contact with, so we have to rely on the site owners. Here are some questions you might like to ask of those who ask for your personal data.


  • How do you protect my data?
  • How do you protect your servers from hacking?
  • How are your servers physically protected?
  • Do you know who has administrative access to your servers?
  • What are your policies and practices regarding password management?
  • What are your policies and practices regarding terminating access for resigning employees?
  • Do you change access passwords when staff leave?
  • Do you disable user accounts when staff leave?
  • Do all administrative users for your site share the same username and password?
  • Is there an online policy available regarding security and data protection?
  • Do you regularly check security logs for improper access?
  • Do you have any intrusion detection/prevention systems in place?
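Taking the log-review question above as an added worked example (code written for this page, not PASR’s tooling), the Python below runs three simple rules over constructed OpenSSH authentication log lines: five failed logins from one address within a minute; a successful login from an address that has just failed repeatedly, which is how a guessed or stolen password shows up; and any login by an account belonging to someone who has left, which answers the “do you disable accounts when staff leave” question from the logs rather than from the HR file. The log lines, the thresholds, the year supplied to the timestamps and the list of departed staff (carol) are all assumptions for the illustration.

```python
"""Review of SSH authentication logs for improper access.  Example code added
for this page, not PASR's tooling.  The log lines are constructed in the
OpenSSH syslog format; rules, thresholds and the departed-staff list are
assumptions for the illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a password-guessing run that succeeds against 'backup',
# normal key logins, one typo by 'bob', and a login by departed user 'carol'.
SAMPLE_LOG = """\
Oct 21 09:14:02 web1 sshd[2301]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct 21 09:14:05 web1 sshd[2302]: Failed password for root from 203.0.113.7 port 51235 ssh2
Oct 21 09:14:09 web1 sshd[2303]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Oct 21 09:14:12 web1 sshd[2304]: Failed password for invalid user test from 203.0.113.7 port 51237 ssh2
Oct 21 09:14:15 web1 sshd[2305]: Failed password for root from 203.0.113.7 port 51238 ssh2
Oct 21 09:14:30 web1 sshd[2330]: Accepted password for backup from 203.0.113.7 port 51240 ssh2
Oct 21 10:02:11 web1 sshd[2401]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Oct 21 10:40:55 web1 sshd[2450]: Failed password for bob from 198.51.100.4 port 33001 ssh2
Oct 21 10:41:20 web1 sshd[2451]: Accepted password for bob from 198.51.100.4 port 33002 ssh2
Oct 21 11:05:00 web1 sshd[2500]: Accepted publickey for carol from 192.0.2.22 port 40100 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2016):
    """Turn one sshd line into a dict, or None for lines the rules ignore."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so one is supplied (an assumption here).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, window_s=60, threshold=5, departed=frozenset()):
    """Return (rule, ip, user, timestamp) alerts in log order."""
    alerts = []
    recent_failures = defaultdict(deque)  # ip -> failure timestamps in window
    already_flagged = set()               # one brute-force alert per address
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                   # slide the window forward
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in already_flagged:
                already_flagged.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], ev["user"], ev["ts"]))
        else:
            if len(q) >= 3:               # success right after a run of failures
                alerts.append(("success_after_failures", ev["ip"], ev["user"], ev["ts"]))
            if ev["user"] in departed:    # account should have been disabled
                alerts.append(("departed_account_login", ev["ip"], ev["user"], ev["ts"]))
    return alerts


def run_review():
    """Run the rules over the constructed sample; 'carol' is assumed to have left."""
    return detect(SAMPLE_LOG.splitlines(), departed=frozenset({"carol"}))


if __name__ == "__main__":
    for rule, ip, user, ts in run_review():
        print(f"{ts:%b %d %H:%M:%S}  {rule:24s} ip={ip:15s} user={user}")
```

The third rule is the cheapest control on the list to automate: a list of departed staff compared against successful logins catches an account that HR closed but IT never disabled, which is exactly the gap the offboarding questions above are probing.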

Be aware of the risks and manage your own online information

Obviously, some of the providers we deal with may never answer these questions, and there is not a lot we as individuals can do to force them, other than simply not giving them anything personal or private; but that approach would generally thwart our business, and so is not acceptable. In the end, we need to manage our own online information as securely as we can, and stay constantly vigilant over the parts we have no direct control over.

I personally use a lot of online resources, and supply credit card details at least weekly for purchases. Am I concerned? Sure, but simply being a luddite and stopping using them is not an option in today’s connected world. Have I ever been hacked? No, well not that I know of, but then I practice all the points I mention above, and ensure that the organisations I deal with online are reputable.

Finally, we must each remain continually aware of the risks associated with the online world, and be personally responsible for our own access.


If you would like to discuss these issues and what they mean for your business, please get in touch.

© 2016 PASR Technologies Pte Ltd

Terms & Conditions | Privacy Policy

Support

Support Hotlines

Email: support@pasr.net

Skype: pasrsupport

  • Singapore

    +65 6340 1018

  • India

    000 800 443 0046

  • Philippines

    1800 1651 0800