The popular media spends a lot of time and energy talking about the risks business computers face from viruses and malware. Suppliers of computer security products such as antivirus suites reinforce this message with studies and statistics. A reality check is needed.
For many years, surveys have reported that antivirus (AV) software is installed on more than 90 percent of all personal computers (home and business). While that sounds reassuring, it is not. Those same surveys have shown that 38 percent of users are not keeping their antivirus applications up to date — once the software is installed, these users are ignoring the need to regularly check for and install updates.
Consider this: according to AV software producers, malware creators have produced more Trojans, worms, and viruses in the past 18 months than in all of the last ten years combined. In the first half of this year, McAfee detected 300,000 new malware examples on the Internet. That means, on average, 50,000 new malware programs are appearing every month this year!
AV software vendors release updates to their software every day, trying to minimize the gap between their discovery of a new item and their release of a “signature” file that their software can use to identify it and protect you from it.
If you are not updating your AV software at least weekly (daily is better), the money you spent on it is wasted because you are not protected!
Amazingly, small businesses are among the worst offenders when it comes to not deploying AV software at all. Symantec recently reported that one in three small businesses have no antivirus protection at all. These businesses run a very real risk of having their bank accounts and credit compromised, and their customer records stolen.
The threat of malware is real and growing, but there is an even bigger problem than non-existent or out-of-date antivirus software: poor or non-existent password management.
Many (perhaps most) computer users regard passwords as a nuisance. Companies often have multiple software applications that each require a unique log-in identity and password. Companies often also have accounts on social networking sites such as MySpace and Facebook, together with numerous other accounts on the web, with staff assigned to maintaining them.
When companies seek to establish strong password policies and try to enforce them, they run into staff resistance. They often compound the problem by not following up on password policies. Company ownership, who should be leading the effort to protect the business by setting and enforcing strict password policies, often share users’ view that passwords are a nuisance and do nothing.
Big companies and their software providers found the cost of dealing with help desk calls about forgotten passwords to be too high, so a few years ago they began setting up automated systems. These use a challenge-response mechanism, where correctly answering a question like “what was your mother’s maiden name?” or “what was the make of your first car?” allowed the person providing the answer to set a new password for the account.
Challenge-response systems are increasingly high-risk. All I need to do is troll through sites like Facebook, Myspace, and Twitter to find the answers to the questions your staff might be asked, because your staff are talking about their mothers, their favorite pets, and their first cars in those places.
Think that sounds far-fetched? Twitter CEO Jack Dorsey’s email was recently compromised when a hacker guessed the challenge response on a Twitter employee’s Google Apps account, and was able to use that to access the Twitter network.
Good Password Practices
To get serious about passwords you should:
- use strong passwords.
- use a different password for each application or website.
- change your passwords every 30 to 60 days.
- never write down your password on a Post-it note and stick it to your monitor or “hide” it on your desk.
- never use the same password for different site/software logins.
A strong (very hard to crack) password is a random mix of upper- and lower-case letters, numbers, and other characters, and is from 7 to 15 characters long. This (which is not a password I use!) would be a good password: Jw8!t3*7^d
A weak password is something easily guessed: for example, you drive a Honda Civic so you use “Civic” as your password.
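To make the strong/weak distinction above concrete, here is an added example (not from the original article) that checks a candidate password against the rules just stated and estimates the number of guesses a brute-force search of the characters used would need. The word list is a small constructed stand-in for the dictionary or breached-password list a real check would use.

```python
import math
import string

# Constructed stand-in for a real dictionary/breach list; the article's
# "Civic" example is the kind of guessable word it should catch.
COMMON_WORDS = {"civic", "honda", "password", "welcome", "company"}


def policy_violations(pw: str) -> list[str]:
    """Return the rules from the article that `pw` fails (empty list = passes).

    Rules: 7 to 15 characters, a mix of upper- and lower-case letters,
    digits and other characters, and not built from an easily guessed word.
    """
    problems = []
    if not 7 <= len(pw) <= 15:
        problems.append("length must be 7 to 15 characters")
    if not any(c.isupper() for c in pw):
        problems.append("needs an upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("needs a lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a symbol")
    if any(word in pw.lower() for word in COMMON_WORDS):
        problems.append("contains a guessable word")
    return problems


def keyspace_bits(pw: str) -> float:
    """Size of the search space, in bits, for the character classes actually used.

    This is an upper bound on strength: it assumes the characters were chosen
    at random, which is exactly why a dictionary word scores far lower in
    practice than this number suggests.
    """
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    return len(pw) * math.log2(alphabet) if alphabet else 0.0
```

Running `policy_violations` on the article's sample password returns an empty list, while “Civic” fails the length, digit, symbol and guessable-word rules and offers less than half the search space.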
Not all software applications or websites require you to use your real name to log in. Websites are increasingly allowing your login name and your “screen” name to be different. If you have the option, choose a non-name as your login name: “TinyBubbles” will be easy enough for you to remember, and a hacker trying to crack Mary’s account on the corporate website is not likely to try that as a user name.
Compromising user accounts to access corporate information is big business and organized gangs are making millions of dollars doing it. Companies large and small are being compromised, and in many instances are faced with multimillion dollar lawsuits because they failed to adequately protect client data and other confidential information.
Do you want to be the company owner who didn’t make an effort to enforce rules about keeping AV software current, or passwords strong and secure? If you are not a company owner, do you want to be the staff member who opened the door to malware on the company network, or let someone hack into an email service or accounting service and steal data?
Small business does not usually have an IT department to keep an eye on these issues. Owners and senior managers need to pay more attention before their business becomes part of the history of poorly managed computers.