What if… or Threat Management in Practice

Think about the role your information systems and data networks play in your business, or your personal life. Contemplate how you perform transactions with customers, with business partners in your supply chain, or with financial service providers. Consider the data you have stored on your computers, storage systems, laptops and smartphones. Ask “what if…”.

Data security threats can impact your business in many ways, or your personal life. There are many different types of threat, but the good news is that not all of them are really a big risk to you. From your perspective, the key is to manage the threats, or decide which threats you can ignore and which ones you really need to take seriously. If you have read the editorial in this issue of Protected, you may remember a simple way to approach threat management. It starts with identifying those threats which would impact you most seriously. After that you can look at your level of vulnerability to those particular threats, and at the likelihood of that threat targeting you. There is no single answer, but the best approach will be different for different companies and different people. I will attempt to provide a simplified analytical overview for individuals, companies, and ISPs (Internet Service Providers) in this article.

Managing personal data threats

In the current threat scenario, phishing is probably the most serious threat to an individual Internet user. After all, losing a large amount of your hard-earned personal money is rather serious for most of us. Phishing means you are tricked into giving e.g. your personal bank account information to a third party which pretends to be your bank. This is usually accomplished with the use of very professional looking (with logos and the right look&feel) SPAM emails and related web sites which make you believe they are legitimate bank messages and sites. And once the criminal has your bank account info, often including the PIN, he won’t delay in stealing your money.

Phishing can also take the form of phony web-shops which sell e.g. CDs or electronics at bargain prices. You will never get any goods, nor is your credit card immediately charged, but the crooks get the number and will sell it on the black market. The fraudulent charges will appear later.

Phishing attacks are growing more popular, and unfortunately there are no watertight automated countermeasures yet. F-Secure Internet Security 2005 and other commercial solutions can stop some of these attacks, but not all. Our R&D is focusing on the problem, but in the meantime, user vigilance is needed. Here are some practical tips:
  1. Check to see if the e-mail is actually from your bank and not from just any bank. If it isn’t, ignore it.
  2. If the e-mail is not personally addressed to you, it is probably a scam.
  3. Check the language and spelling of the text contained in the e-mail. If you find misspelled words or substandard language, assume that it is not from your bank
  4. If the e-mail urges you to act immediately or else your account will be closed down, ignore it. It is not from your bank.
  5. If anything feels even remotely wrong, stop. If something feels wrong, it most probably is.
  6. Never click any link given inside the e-mail message. Instead, type the URL of your financial institution directly.
  7. If you do not know the URL of your bank’s website, take the time to call them to find out.
  8. Never provide sensitive personal information to anybody over the Net, whatever the circumstances.
Another serious threat from a personal perspective is losing personal data, such as family photo archives or personal files. This can happen through virus attacks or hacker attacks. Fortunately it is fairly easy to protect against this: make sure you have an up-to-date antivirus solution installed with a personal firewall, like F-Secure IS2005. And learn to back up, e.g. on CDs or DVDs.

In addition to viruses and worms, there is a host of other threats. Freeware, shareware, cookies, media players, interactive content, and file sharing applications may contain code and components to actually collect and disseminate information about Internet users. They can track your surfing habits, abuse your Internet connection by sending this data to third parties, profile your shopping preferences, hijack your browser start page or pages, modify important system files, and do all this without your knowledge or permission.

Internet users of all types will need protection against data-mining, aggressive advertising, parasites, scumware, trojans, viruses, worms, diallers, browser hijackers, and tracking components. However, the impact of these threats depends very much on how you actually use your computer and the Internet, and how sensitive you choose to be about your habits becoming known.

Managing corporate threats

Data security threats have become more serious for companies, as a large part of their operations have become fully dependent on information systems and data networks. Companies also usually have data that is sensitive: either their own data, or even more critically, their customer’s data. Consequently, the main risks for organizations currently are:

  • Physical risks: if an IT-system controlling a real-world process is compromised, can it cause physical injury or death to employees or bystanders?
    		•
  • Business continuity: if your IT systems or data networks (internal and external) are down, can you continue doing business? What is the downtime cost per day?
    		•
  • Customer trust: if third parties gain access to your customer's sensitive data (financial, medical, personal etc.), how seriously will it influence their willingness to do business with you in the future?
    		•
  • PR exposure: how bad will the publicity be if your systems fail? How bad will it be if your customer data is compromised?
    		•
  • Loss of competitiveness: how seriously will your competitive advantage be impacted if internal data is leaked externally, and to competitors?
    		•

    If you start your analysis using impact scenarios, you will pinpoint those threats that should most concern you. Once you have a clear idea of these, it will be very easy for F-Secure and our partners to design a set of security solutions and services that will protect your organization against the most significant threats.

    Managing ISP threats

    In addition to the threats facing ISPs and all companies, ISPs also need to fulfil the security requirements of its large customer base. The unfortunate fact is that if an ISP’s customers experience a lot of security problems, the ISP’s credibility will be eroded, even if it has ensured its own security to the highest standard. The implication is that an ISP needs to make it very easy for its customers to protect themselves. This can be directed at customers as an added-value service, becoming a profitable business for the ISP (Security as a Service), and a very easy, cost-effective and trouble-free way for its customers to stay protected.

    Active promotion of security as a service by the ISP will also have definite positive effect on its image. Caring about your customer’s security is never a bad business idea.

    Pär Andler, Marketing Director, Global Marketing
    Pirkka Palomäki, Vice President, Research and Development


    Printable versionBegin Begin | Back Back