SMEs are vulnerable to attack, expert warns

With a new internet security threat emerging every 10 seconds, Hong Kong's small and medium-sized enterprises (SMEs) - comprising the bulk of the business community - often ignore security systems that can protect their businesses.

According to Michael Gazeley, managing director of managed security service provider Network Box, judging from research carried out by his company, far more SMEs operate without adequate internet protection than those that have taken steps to protect the security of their systems.

The situation is equivalent to leaving the doors of an office wide open overnight with valuable products on display, says Gazeley, whose company offers a range of solutions to protect small offices to multinationals.

He says last year, Network's security analysis identified more than three million new threats - or approximately one every 10 seconds. Among these were zero-day viruses, so named because there is zero time between a virus being launched and the vulnerability they exploit. He claims standard antivirus technologies are unable to cope with this type of threat, especially as virus writers are starting to use internet-based antivirus sites to test their viruses prior to launch. This is particularly threatening to computers left on overnight and depends on antivirus solutions that are only updated every few hours or by command.

Gazeley believes that trying to educate companies, particularly SMEs, has become a vital part of protecting and assisting Hong Kong's business environment. 'It is far better to be a planner than a victim,' Gazeley says. 'Even if a system has been compromised and remedial action is taken, there is the possibility the hacker has left a malware tool that allows the system to be compromised a second time.'

He says the complexity and speed with which new threats are created make it virtually impossible for companies to depend on out-of-the-box solutions to protect their systems. 'In the same way that most companies are aware it is more efficient to hire a specialised security firm to protect buildings, the same approach should be used to protect the security of computer systems,' Gazeley says. Network offers a 24/7, 365-day service, which is consistently monitoring, checking and producing solutions. This contrasts with standard security systems, which usually pull updates from a server once a day, twice a day, or at best once an hour.

'It really is quite amazing that, in one of the most interconnected places in the world, where all around you, you see executives using the latest electronic gadgets, the same people are reluctant to invest a very modest amount to protect the very tools that provide the lifeline between the company, its clients and profits,' Gazeley says.

He says that for as little as HK$800 per month for a company with up to 10 computers, or less than HK$5,000 for up to 50 computers, firms are offered levels of security they could never come close to matching by using standard solutions. 'Still, it amazes me that Hong Kong SMEs continue to ignore the threats that could so easily damage their businesses. Larger organisations understand the risks they run by not having adequate internet security, while SMEs, who often have the most to lose, simply ignore the risks they are exposed to,' Gazeley says.

With more than 20 years of experience in the computer security industry, Gazeley says he has seen the nature of internet security threats change significantly. Rather than create viruses that disrupts computer systems or reformat hard disks, hackers - usually cyber criminals - use sophisticated tools, known as malware, to infiltrate computer systems. These can be downloaded from reputable websites, which have become compromised, from e-mails with attachments distributed as spam e-mails.

Security breaches range from stealing credit card and other financial details, proprietary designs and commercial information to storing child pornography without the company's knowledge, or remotely using the system as part of a larger network to crack security passwords in other systems.

'It is very much in the interest of cyber criminals to keep the computers they have accessed working as normally as possible. In most cases, the company or individual will not have noticed anything unusual with their operating systems.

'We have had people come to us with their businesses thrown into disarray because their computers have been unknowingly used for illegal third-party activities and been seized as part of a police investigation, even though they are completely innocent,' Gazeley says.