Prevention better than cure

PUBLISHED : Monday, 05 September, 2011, 12:00am
UPDATED : Monday, 05 September, 2011, 12:00am


Cyber attacks, such as the recent assault on the Hong Kong Exchanges and Clearing (HKEx) website, have helped to raise awareness of the need for protection, but the city's small businesses are advised to be more proactive.

Roy Ko, manager of Hong Kong's Computer Emergency Response Team (CERT) co-ordination centre, says more vigilance is needed to protect information technology systems.

'Following the HKEx incident, larger companies with access to resources are more likely to review their internet security and the way they store important information. But, in reality, SMEs [small and medium-sized enterprises] with limited resources are inclined to concentrate on their day-to-day business instead of considering internet security a priority,' Ko says.

'Often small organisations do not have the technical expertise or resources to institute and maintain the necessary protection of their internet systems. Therefore, they should try to work closely with their service providers to see if they can offer ways to block hacking and other types of unwanted intrusions.'

To help raise awareness of the need for internet security, CERT regularly organises seminars aimed at SMEs, internet professionals and the general public. For instance, a recent seminar focused on the threats and trends arising from the use of Facebook and other social networking sites. Another targeted service providers, web forums and web-hosting organisations to look at ways they could offer protection to their clients.

CERT, which was set up in 2001 with government funding and operates under the Hong Kong Productivity Council, also responds to reports of hacking attacks on Hong Kong websites and works with victims to remedy the situation. In addition to liaising with other website security providers, CERT also monitors the internet to see if websites have been defaced or compromised. CERT is also on the lookout for malware, which is significantly more complex than that of previous generations, often involving multiple components.

'Very often small companies are unaware their website has been hacked or illegally tampered with. When this happens, we advise companies on the steps they need to take and work with them to restore their systems,' Ko says.

He says that while it is difficult to avoid random botnet attacks, in which thousands of computers constantly bombard a website and deny normal users access, there are ways that companies can reduce other types of threats.

Without investing large sums in financial and human resources, Ko says companies can take useful steps that can help to prevent loss or misuse of data and protect systems from hackers. For instance, in addition to seeking out and frequently installing updates, companies should ensure information is regularly backed up on different systems, put in place employee internet security training, change passwords and implement usage guidelines.

Ko says that, when thinking about online security, companies should consider the adage 'prevention is better than cure'. 'Planning and preparation work can prove vital. Given the limited resources of most SMEs, a security breach is far more likely to have a devastating effect on a small company than a larger company, which has the resources to handle viruses and hacking attacks,' he says. As criminals step up their efforts to target smartphones and computer systems with hidden malware, Ko advises SMEs to be on their guard when using laptops and hand-held devices for conducting business.

'There are very few internet security systems available for smartphones compared with tethered systems, but this should not prevent users from taking precautions such as avoiding downloading applications from suspicious websites,' says Ko, who points out that any smartphone that can surf the internet is vulnerable and could easily infect other systems if it is connected to a company internet. 'Users should treat a smartphone like a PC, which means installing as much security as possible and having policies in place for how to connect to corporate assets.' He says despite the hacking and malware risks associated with smartphone devices, an equal threat involves the lost or stolen device. In this case, password protection, encryption and related security measures become the highest priority to ensure the device and its data are secure.

Ko also advises laptop and smartphone users to protect personal and company information with passwords. They should also consider if uploading sensitive company information is necessary. 'Using encryption can protect a laptop or smartphone from unauthorised access, embarrassment or the misuse of personal details,' Ko says.

