<EM>Business mentor: </EM>What firms need to know about good security on the net

As more New Zealanders conduct business over the internet, the need for security is paramount. Sarah Trotman asks the chief technology officer for Microsoft New Zealand, Brett Roberts, what New Zealanders need to know to protect their businesses when online.

Sarah: What are the key threats New Zealand businesses need to be aware of when they are doing business over the internet?

Brett: You need to know how to protect yourself and safeguard your business against attackers who want to steal your confidential information. Within the last few years we have seen online attacks escalate from spam campaigns through to the more dangerous online identity theft, where an expert attacker is undertaking a scam for direct gain and will use your details for their own benefit.

These financially motivated attackers are using malicious software known as "malware" or targeting consumers with insidious "phishing" scams. Sometimes people want to ignore these threats but being complacent in relation to security is dangerous.

Sarah: We hear a lot about phishing scams affecting consumer confidence; can you explain what a phishing scam actually is?

Brett: A phishing scam occurs when a person is tricked into entering their password and other confidential information in a fraudulent website that looks exactly like the original. This is usually from a link included in a spam email sent to customers of the company the attackers are imitating.

The details are then used by attackers for their own benefit or sold to another company. There have been many accounts of this happening in New Zealand and the attackers are often not based here.

A survey by Symantec and the Employers and Manufacturers Association (EMA) in 2005 revealed 51 per cent of businesses had been the target of a phishing attack.

Sarah: So how can we tell if a website stated in an email is the company's authentic site or a phishing site?

Brett: You need to be cautious of any email message asking you for financial or personal information. Go to the company's official website to see whether the request is legitimate before you do anything else. Another way to determine authenticity is to use a phishing filter in your internet browser, such as the anti-phishing technology that is part of Microsoft's Internet Explorer 7 browser (IE7).

This has a phishing filter which alerts you to potential phishing sites, blocks access to confirmed phishing sites, and makes it very clear which sites provide secure data exchange.

The filter is updated several times an hour using information from Microsoft and industry security partners with the latest fraudulent web sites. IE7 also uses security badges to indicate if the site you are visiting is suspicious or is a known phishing site.

IE7 is in beta 2 stage so a final version should be out later in the year.

Meanwhile, the steps you can take to safeguard your business include checking the domain name against that of the official company site and calling the company or organisation directly when you receive any email requests for information.

It's also important to have policies in place for internet and email use and to ensure you don't give administration rights to all of your staff.

Use strong passwords to authenticate identities; it's very important as hackers have tools that come up with simple passwords in minutes. Explain to your employees why security is important and put policies in place in relation to internet and email usage.

If you have wireless networks make sure they are secure by ensuring the security features built into Wi-Fi products are turned on. By default manufacturers turn them off.

A recent Netsafe survey looking at security and safety for New Zealand small businesses showed only 31 per cent of them had educated employees on all of their ICT policies. Furthermore, half let their employees use portable devices to take data out of the office and yet only 21 per cent have a confirmed policy for protecting it.

* Brett Roberts will be discussing the future of online search at 10am Friday 11 May at the Small Business Expo, ASB Showgrounds, Greenlane.

* To email your questions to Sarah Trotman, clink on the link below.