Gone Phishing

Copyright: David Lawson - first published Property Week 2005


The day didn’t start well. First, a peremptory email from the bank warning that access had been suspended because of a security breach. Replying with the correct password sorted that out. Then a few hours later head office went on the warpath about how a hacker had filched thousands out of a client’s reserves. Heads would roll. Thank goodness you prevented further damage by replying to that email so quickly. You should tell the boss, anticipating a nice reward.

Or should you? The email was a clever ruse. It appeared to open a legitimate web page with all the right boxes for password and entry codes. But it actually masked a rogue site run by fraudsters. This is the latest in a long line of security threats that have driven leading banks, software producers and online traders to partner with the government on plans for a special web site warning of the dangers. Get Safe Online will launch next month on the back of a £2m advertising campaign. If you can’t wait, the National High-tech Crime Unit [NHTCU] is already broadcasting advice on protection on its web site [www.nhtcu.org].

Dave Rodgers hopes the rising clamour will help cut his hours fighting a plague that threatens to cripple hundreds of businesses a year. As chief technical officer for consultant XeonIT he works overtime installing a range of measures against hacking, viruses and the latest fraud, dubbed ‘phishing’ by the technology community. It is a form of identity theft that is proving hard to contain. Rodgers juggles an armoury of security weapons including hardware firewalls and software-based virus checkers and spam blockers. But he is dogged by two key problems: apathy and ignorance. The first is particularly embedded in the psyche of most smaller businesses. They see technology as a utility like electricity or plumbing. Someone else will make sure it is safe.

The second is found in ‘wetware’ - a term every geek applies to the person sitting in front of the screen. People are a crucial weakness. They can be easily tricked into providing the very information refused by sophisticated protection to a worldwide army of hackers. Anything that reminds users about the dangers is welcome, says Rodgers. Those users may not be so innocent, however. Imagine a disgruntled employee, about to join a rival. Don’t bother to check whether they have packed the office stapler and a few notebooks. Search instead for a CD or portable drive the size of a pen that could hold the firm’s complete contacts list. One of the rare times I saw a grown man cry was a rent review surveyor ranting about the way ten years of hard-won deals data had been filched this way by a former employee.

Some system managers remove or disable CD players and those dinky USB ports on new desktops which encourage use of pen drives to carry around information. This can be done easily under Windows XP. It also helps block the inevitable introduction of viruses and trojans [programs that allow hackers into a computer] via anything from music and video files to messages taken from insecure machines at home. That pre-supposes there is a systems manager and/or effective protection in the office. A third of mid-sized businesses and 90% of small firms have no staff IT manager, according to consultant Quocirca. They call on experts like Rodgers – often only after a crisis has arisen - so it is no wonder that dangers can be forgotten.

It is not worth installing protection unless someone constantly checks for holes. Anti-virus systems must be set to update at least every day. Small businesses should invest in a Microsoft upgrade, as security holes are no longer being plugged in earlier versions. Even Microsoft XP and the latest Internet Explorer are unsafe unless checked at least weekly. In the last six months alone, 40 pages of updates have been issued – and that just covers the headings for each ‘patch’. But take care. Many IT professionals restrict auto-updates because they conflict with other software or create a huge internet load as each PC makes its own connection. Get advice from a consultant.

In fact, get advice anyway. Half of small businesses have not reviewed internet security in the past year, says Quocirca. This confirms a study by security specialist Symantec showing most firms were aware that viruses are a problem yet few seemed to associate that with protecting important data. Less than a quarter felt the threat to confidential information was serious and under 10% were concerned about making sure data storage complied with the law. Some 90% of small firms questioned by Quocirca said they had needed to retrieve historic data at some point to satisfy auditors or some other regulatory requirement, yet 75% admitted to a problem recovering it.

  This could lead to a property-related firm crashing in flames. It is only a matter of time before some face a crisis when trying to stand up a valuation to a lender, supply background on a deal for a money laundering probe, or defend the theft of confidential client information. The vital information could be corrupted by a virus or sitting comfortably in some invisible intruder’s pocket.

Key Security Advice

Source: Symantec/NHTCU/Quocirca

Last year 77% of UK organisations queried by the National High-Tech Crime Unit were hit by virus attacks, costing them £27.8m. Another 17% suffered further financial fraud costing £121m. The NHTCU offers a comprehensive checklist of good practice for small firms on its web site www.nhtcu.org.