5+ reasons why Anti-virus is not enough protection for UK Start-ups: A very British SME Security survival guide

Tom
11 min read · Aug 24, 2018


Encryption is the strongest it has ever been, Heartbleed has been fixed, Windows 10 comes with Microsoft’s own brand of anti-virus and Macs are “too secure” to get hacked (if you take away just one thing from this post, believe me this is not true). 2018 seems like a great year to start a business in the UK and worry less about the possibility of some snotty-nosed script-kiddie gaining access to your work computer and stealing sensitive information, right?… WRONG!

Security is an ever-moving strategy which is often dismissed by start-ups and SMEs as a luxury for larger businesses with big budgets. Listen to the hype from the platform and operating-system vendors and one could easily believe that, out of the box, their tablet, laptop and mobile phone come with everything pre-installed to keep them secure.

Hypothetically, if they didn’t, how would one know what was needed to become secure? And how much would it cost? The following reasons will hopefully help you survive the remainder of the current year and beyond by shedding light on what you should be doing to proactively protect your business, your brand and your customers’ data. Let’s first start with 5 reasons why anti-virus is simply not enough…

#1: Protection in coffee shops (remote working)

When you’re starting a business or simply a sole trader, public Wi-Fi can often be a blessing. We’ve all slurped down our favourite sugary beverage whilst finger-typing a response to that potential client who has shown early stages of interest. Unfortunately, joining a public Wi-Fi hotspot (even from a reputable company) can put your computer, accounts and client data at risk.

This is because you are joining the same network as your fellow hot drink enthusiasts, one or more of whom may either be looking to gain remote access to your computer or have malware running on their machine actively scanning the network for another victim.


Anti-virus can potentially detect a virus installed on your machine (if it isn’t disabled first, say by a rootkit), but if the malicious user finds a way to access your file system or desktop environment by guessing your password, then they are free to act as if they were you, copying information from your files and emails. What’s worse is, if this happens, the ICO will hold you responsible for it. The fines could easily put a stop to your plans of world domination, if the brand damage doesn’t stop you first.

#2: Knowing when you’re under attack

Do you check your anti-virus’ log files? Of course you don’t, who does right?! But how else would you know what your anti-virus is finding on your machine? What is it doing with it? Was it successful every time?

Even if you do read those annoying messages each time AND make the right decisions each time, they may not actually be from your anti-virus but link bait encouraging you to install a trojan onto your computer, which the anti-virus (if not updated regularly) could miss.

An important pop-up message box may have appeared while you left your computer for a much needed pee break, or you may have got tangled up in it whilst you were pulse-clicking the OK button of the random pop-ups your computer seems to be delivering ever since you installed that unofficial copy of Crash Bandicoot you found on that dodgy looking web site last week… Hmmm. Anyway, the point is, there is a common dilemma with software products aimed at the consumer market whereby the developers have to pick one of 2 bad design decisions:

1. Push the liability onto the user by asking them what they should do about a particular action — e.g. “should I quarantine that file?”, Joe Bloggs isn’t a security expert, so how should he know the difference between a genuine binary and a malicious one?

2. Hide everything away in log files — your computer could be being attacked by every country in the world right now and you wouldn’t know unless you read the event trace log and see that your network card is on fire right now!

Both are really bad options, but in order to allow the software product’s business model to scale (and make loads of wonga), the software has to run without the user’s constant input, so one of these bad choices must be made.

Ultimately, if you don’t know you’re under attack, how will you know if/when your security tools did not work…?
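Reason #2 boils down to this: the log file is the only record of what your anti-virus actually did, and the pop-ups are the part an attacker can imitate. The script below is an added example, not code from the original post or from any anti-virus vendor; it reads a constructed, generic `key=value` log (real products each have their own format, so the two regular expressions are the part you would adapt) and answers the three questions the author asks: what was found, what was done about it, and whether it worked. It also flags two things a pop-up would never tell you: a quarantine that failed, and real-time protection being switched off.

```python
import re
from collections import Counter

# Constructed sample log in a generic "<timestamp> <EVENT> key=value ..." format.
# Paths, threat names and timestamps are made up for the example.
SAMPLE_LOG = r"""
2018-08-20 09:12:01 DETECT path=C:\Users\joe\Downloads\crash_bandicoot_setup.exe threat=Trojan.Generic action=quarantine result=success
2018-08-20 09:12:05 DETECT path=C:\Users\joe\AppData\Local\Temp\upd.dll threat=Trojan.Dropper action=quarantine result=failed
2018-08-21 18:40:11 DETECT path=C:\Users\joe\Downloads\invoice.pdf.exe threat=Trojan.Generic action=delete result=success
2018-08-21 18:40:12 SCAN files=120344 duration=3120s result=completed
2018-08-22 07:00:00 UPDATE signatures=2018-08-22 result=success
2018-08-22 07:05:30 REALTIME status=disabled by=user
"""

# Adapt these two patterns to your product's log format (assumed format here).
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>[A-Z]+)(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Turn one log line into a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m.group("ts"), "event": m.group("event"),
            **dict(FIELD_RE.findall(m.group("fields")))}


def summarise(log_text: str) -> dict:
    """Answer: what was found, what was done, did it work, is protection still on?"""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    detections = [e for e in events if e["event"] == "DETECT"]
    return {
        "detections": len(detections),
        "by_threat": dict(Counter(e.get("threat", "unknown") for e in detections)),
        "by_action": dict(Counter(e.get("action", "unknown") for e in detections)),
        # A detection whose action did not succeed means the file is probably still there.
        "failed_actions": [(e["ts"], e.get("path")) for e in detections
                           if e.get("result") != "success"],
        # Real-time protection being turned off is the classic precursor to "AV missed it".
        "realtime_disabled": [e["ts"] for e in events
                              if e["event"] == "REALTIME" and e.get("status") == "disabled"],
        "last_signature_update": max((e["ts"] for e in events
                                      if e["event"] == "UPDATE" and e.get("result") == "success"),
                                     default=None),
    }


def alerts(summary: dict) -> list:
    """The short list a busy founder should actually read."""
    out = []
    for ts, path in summary["failed_actions"]:
        out.append(f"{ts}: action FAILED on {path}; the file may still be present")
    for ts in summary["realtime_disabled"]:
        out.append(f"{ts}: real-time protection was DISABLED; anything after this is unprotected")
    return out


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"{s['detections']} detections, by threat: {s['by_threat']}, by action: {s['by_action']}")
    print(f"last successful signature update: {s['last_signature_update']}")
    for line in alerts(s):
        print("ALERT", line)
```

Run on the sample, it reports three detections, one failed quarantine and one period where real-time protection was off: exactly the information that is buried in option 2 of the dilemma above, surfaced without asking the user to judge a binary themselves. Pointing it at a real log means replacing `LINE_RE` and `FIELD_RE`, nothing else.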

#3: Data Protection

You are also a big risk to your data. There, I said it! Receiving payments by email or storing documents containing customer information on popular Cloud drive services such as Apple iCloud, Dropbox or Microsoft OneDrive (described in a subsequent reason) could be breaching Data Protection laws. We’ve all heard people banging on about GDPR, so much so that we’re all ready to start a pact to remove those very letters from every keyboard in existence to get a minute’s peace, but essentially there are security processes and documents you need to have in place — and then, even more importantly, govern everything you do against those policies. Anti-virus does not protect against a lack of data protection governance. You either need to employ a Data Protection Officer who knows what he/she is doing, or you need some sort of automated governance system to guide you if you are about to do something that the ICO would frown upon.

Regardless of your thoughts on GDPR, it is being enforced right now and the fines are enough to stop you sleeping at night. At the very least, companies have always needed to honour the UK Data Protection Act, which is more similar to GDPR than you would first assume. So there are no excuses and no mitigating reasons (well… none relevant to you anyway).

#4: Web site protection

Back in my consulting days, I heard a phrase way too often from companies which I’d like to share with you. More recently, as GDPR started coming into effect, I’ve started hearing it again and again; “I’m not holding any sensitive data on my web-site, so security isn’t vitally important right now…” or similarly, “My web site is static, so the risk/cost of compromise is too low to warrant an investment in infrastructure”. Urgh, have you lost your minds?!!

Your web-site is pretty much the heart of your brand. Your blog posts, email signature, business cards and press releases will all direct potential clients and partners to your little corner of the internet.

Imagine it being de-faced. Claiming you support, or fund, terrorist organisations who won’t rest until Mr Blobby is the Prime Minister and London is run by the grumpy cat from the memes. This would simply ruin your brand. Worse still if the de-facing was subtle, like the example in reason #7 of a hacker installing a page which urges visitors to enter their personal details into a form in exchange for enticing discounts/promotions (particularly enticing, as I am sure they’d be extremely generous whilst discounting your services!). This way, they can collect and leak PII from your infrastructure.

If visitors were enticed into creating an account, would they re-use their email password? If so, the hacker could gain access to bank details, board meeting notes, commercially sensitive plans or even incriminating photos from the office Xmas party (you know the ones I mean).

Your web site must mitigate against the latest security vulnerabilities, it should be using HTTPS (which is not as expensive as you might think and Google say it improves your SEO results too) and be penetration tested frequently.

[Image: Lord Vader demands frequent penetration testing]

#5: Software patching

As a start-up business, it isn’t always feasible to buy the latest version of software products. A budding designer who is just starting out could not be expected to afford to buy the latest version of Photoshop for example, settling for an older copy purchased from eBay, Amazon or some dingy back-channel of the inter-web.

The problem is, the latest versions have the latest security patches. You could be installing software which at the time of release was secure but is now effectively an established back-door into your device.

You should regularly install updates to your operating system and all purchased software. One requirement of achieving Cyber Essentials (a government-led certification to ensure UK companies meet basic security levels) is having a documented manifest of allowed applications and making sure they are regularly patched. Anti-virus will not block a genuine product which contains known vulnerabilities. Nor does it force you to frequently check and install updates.
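A manifest of allowed applications is only useful if something compares it against what is actually installed. The script below is an added example, not code from the original post or from the Cyber Essentials scheme; the manifest, the inventory and the application versions are all constructed for the example. It flags three things: software that is not on the manifest at all, software below the approved minimum version, and software that has gone longer than 14 days without a patch (14 days being the window Cyber Essentials gives for applying critical and high-risk updates). Collecting the real inventory from a machine is the part left to you; on a small fleet a spreadsheet export is enough to start.

```python
from datetime import date

# Constructed manifest of approved applications and the minimum version allowed.
# Versions here are illustrative, not real release numbers.
ALLOWED = {
    "Adobe Photoshop": "19.1.5",
    "Google Chrome": "68.0.3440",
    "Microsoft Office": "16.0.10325",
}

# Constructed inventory of what is actually on the laptop.
INSTALLED = [
    {"name": "Adobe Photoshop", "version": "13.0.1", "last_patched": date(2013, 4, 1)},
    {"name": "Google Chrome", "version": "68.0.3440", "last_patched": date(2018, 8, 10)},
    {"name": "Microsoft Office", "version": "16.0.10325", "last_patched": date(2018, 7, 1)},
    {"name": "Crash Bandicoot (unofficial)", "version": "1.0", "last_patched": date(2018, 8, 17)},
]

# Cyber Essentials expects critical/high-risk patches applied within 14 days.
MAX_PATCH_AGE_DAYS = 14


def version_key(version: str) -> tuple:
    """'19.1.5' -> (19, 1, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def audit(installed: list, allowed: dict, today: date,
          max_age_days: int = MAX_PATCH_AGE_DAYS) -> list:
    """Return (application, problem) pairs; an empty list means the machine is compliant."""
    findings = []
    for app in installed:
        name = app["name"]
        if name not in allowed:
            findings.append((name, "not on the approved-application manifest"))
            continue  # nothing else to check for software that should not be there
        if version_key(app["version"]) < version_key(allowed[name]):
            findings.append((name, f"version {app['version']} is below the approved minimum {allowed[name]}"))
        age = (today - app["last_patched"]).days
        if age > max_age_days:
            findings.append((name, f"last patched {age} days ago, limit is {max_age_days}"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(INSTALLED, ALLOWED, date(2018, 8, 24)):
        print(f"{name}: {problem}")
```

Run against the constructed inventory it reports the old Photoshop twice (too old a version, and not patched in years), Office once (no patch in the last 14 days) and the unofficial game once (not on the manifest), while an up-to-date Chrome passes. The documented manifest is the thing an assessor asks to see; this check is what makes it true.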


#6: Cloud drives

Slightly niche example, but if you’re working with government agencies or with local authority data (as an example), you need to ensure this data is kept in the country. One key part of data protection is ensuring the data does not leave the country when its mark/classification requires it to stay in the country.

The problem with Cloud drives (e.g. Apple’s iCloud) is you no longer have control (or transparency) over where copies of that data are stored, and which government agencies can request access to it — even without your knowledge. Cloud drives work by copying data and storing it on the company’s own infrastructure — most of these technologies have what is known as zone-based high availability, which means your data isn’t lost when their data centre in the USA goes offline. How does this work? Simple, by storing it in another data centre in another country. Where? It’s entirely up to them.

Anti-virus on your computer does not protect copies of your documents which reside on Cloud infrastructure. Nor can it track where the data is going or what it is being used for (e.g. bulk market research).

#7: Other malicious intent

The previous reason raises another important point; if prevention (in this case authorisation) isn’t effective at stopping someone and they are able to access your computer (or worse, your company web site), then you have nothing to tell the difference between good behaviour (like you adding a press release) and bad behaviour (like a hacker installing a contact form on your site, encouraging your web site visitors to sign up for a massive discount by entering their name and address and other sensitive PII).
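The press release and the rogue contact form look identical to a permit-or-deny control: both are a file written to the web root by an authorised account. What tells them apart is a baseline of what the site should contain plus a record of which changes you actually approved. The script below is an added example, not code from the original post; it hashes every file under a web root, diffs the result against an earlier baseline, and reports any change that was not on the approved list. The demo builds a throwaway site in a temporary directory with both a legitimate press release and an uninvited discount form, so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (as a relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Split the difference between two baselines into added, removed and modified files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def unapproved_changes(changes: dict, approved: set) -> list:
    """Every change that nobody signed off is what a human needs to look at."""
    return sorted((kind, path) for kind, paths in changes.items()
                  for path in paths if path not in approved)


def demo() -> list:
    """Constructed scenario: one approved change and one silent addition by an intruder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Acme Widgets</h1>")
        (root / "about.html").write_text("<p>About us</p>")
        baseline = build_baseline(root)  # taken when the site was last known-good

        # Good behaviour: the owner publishes a press release and records it as approved.
        (root / "press").mkdir()
        (root / "press" / "release-2018-08.html").write_text("<p>New product launched</p>")
        approved = {"press/release-2018-08.html"}

        # Bad behaviour: a form page nobody asked for, and index.html edited to link to it.
        (root / "discount.html").write_text("<form>name, address, card number</form>")
        (root / "index.html").write_text("<h1>Acme Widgets</h1><a href='discount.html'>50% off!</a>")

        return unapproved_changes(compare(baseline, build_baseline(root)), approved)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"UNAPPROVED {kind}: {path}")
```

The approved press release is silent; the new `discount.html` and the edited `index.html` are reported. Scheduled nightly and compared against your change log, this is the small-business version of the "learn what normal looks like" idea the next paragraph describes, with no machine learning required.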

Traditional security which relies on black and white, yes or no, permit or deny is simply not enough in the 21st century. Large companies are making use of Machine Learning, AI, neural networks and other technologies with fancy names (though sadly not TWAIN in this instance) to allow their security infrastructure to constantly learn from newly emerging patterns, getting smarter and smarter. Sadly, these technologies are often out of reach for SMEs for two reasons:

1. They are simply too expensive, only accessible to the uber-sized elite businesses

2. The technologies involved (think deep learning or distributed blockchain) are too complex for laymen to approach, ultimately requiring expensive consultancy bills in order to implement

What’s out there currently?

After being in the software industry for 16 years, consulting, testing, building security systems of my own (including a national, automated governance system for the NHS) and keeping my knowledge of the market up-to-date, it is clear that the market lacks a Security As A Service for SMEs and start-ups.

An example (and great product) is Alienvault. They claim “affordable pricing to claim every budget” however the starting price of the service is over $1,000 per month! Obviously not feasible for your everyday UK businesses. I personally would want to try and get this number down to as little as £10-£20 per month, which I do think is possible.

Cloud computing and PaaS technologies are very trendy commodities right now, meaning that experts in the field no longer need to have a large investment in infrastructure in order to build world-class, scalable security services that are genuinely affordable and could help the UK become the most secure place to trade in the world (a grand vision, I agree).

The end goal is to make incorporating security into your business a complete no-brainer no matter how big or small your company is.

Given some time and a few willing, patient and enthusiastic early adopters (who like free stuff), this vision will become a reality much sooner than you think!

A call for action

Thanks so much for reading this article. I have one small favour to ask before you go; there are 2 options, the first will cost you no more than 30 seconds, the other has lots of exciting benefits but will require a commitment of around 2–4 hours per month (whatever you can spare). Namely,

1. Please sign up to our mailing list and keep updated as this vision becomes a reality and the services are available for you to use. I have always looked after the companies that reach out in the early stages, often not just with gratitude but with licensing discounts

2. Early adopters who can take a couple of surveys, talk openly about their business and their own bespoke security concerns, and test out early versions of the service

If you can spare a little extra time, please include in your email what concerns you most right now about security and protecting your business.

You can do either right now by emailing me on: tom.medhurst@icloud.com thank you so much in advance, look forward to speaking with y’all soon! 😊

About the author, Tom Medhurst

Starting as a young, ideological programmer, Tom was thrown in at the deep end building high-scale telecoms systems for BT, Microsoft and Verizon. Over the next 16 years he built anti-terrorism appliances for several UK government agencies, built a national security governance system for the NHS (running within N3), built the technology stack behind a User Behaviour monitoring toolkit used by most Police Forces in the UK to tackle corruption, and secured a patent for Cyber Convergence relating to the context of people’s behaviour whilst interacting with devices and physical security (e.g. IoT, access control).

In 2015 he also invented and patented the ability for banks to audit their WhatsApp and WeChat messages, voice and video calls to achieve MiFID II compliance whilst enabling these communication channels on the trade floor.

In 2017 Tom architected and with his team, built the 1st-of-its-kind Counter-fraud system for detecting benefit fraud and mistakes in Council Tax Support and Housing Benefit claims for every resident in Essex used by each of the local authorities and the county council.

In parallel, his tenure as a self-employed security consultant has enabled him to publish articles in global geek magazines, assist growing software businesses in reaching their goals and help SMEs through security accreditation (e.g. Cyber Essentials and Pen. testing).

In his spare time he enjoys nothing more than jumping from perfectly working aeroplanes.

Visit Tom’s LinkedIn profile
