Human error behind security breaches

Human error behind security breaches

Human error is behind the vast majority of IT security breaches. A breach is a breach, whether through ignorance, a simple mistake or malice. A significant percentage of companies feel exposed to an inside threat so what can they do to protect themselves?

Train your staff

Recently we heard about a company laptop that was riddled with malware. The employee who used it never thought twice about the security credentials of the sites he visited. He never checked emails and attachments before opening them. We advised on cleansing and protecting the laptop, then gave a vital piece of security advice for this situation: change your habits, or the same thing will happen all over again.

This was quite an extreme case of human error. Even so, every company needs to train employees. They should learn where risks might lie, how to spot them and what to do if they think something’s risky. This remains without doubt the greatest cybersecurity danger area for companies of all sizes.

Maintain your IT assets

Do you find constant update notifications annoying? Do you dismisses software updates as  as a nuisance, especially if you have to reboot afterwards? You’re making one of the most serious security mistakes.

human error

Legacy systems can leave services exposed to security risks

Never put off software updates. Whether you use Linux (you do, don’t you?), Mac or MS, software updates are vital for keeping software responsive. Updates protect software from new security threats and loopholes.

Software needs to be monitored and maintained at a system level too. Hardware needs to work at optimum and replaced if its software requirements jeopardize security. There have been several explanations for British Airways’ recent problems, including a contractor switching off power, but legacy systems have also been mentioned as a possible cause.

Restrict access to services

If someone leaves a company their work email address should no longer be available to them (divert it to ensure clients aren’t left dangling). Remove access to any other company services. Whether that employee is friend or foe, leaving access open to ex-employees is like leaving your house keys dangling in the door when you go out. Even worse, you may not have any idea they ever set foot in the house.

This is simple good IT hygiene. Enhance it by implementing different levels of access to company systems, and an audit trail. Know at all times not only who has access to what, but when they last accessed it, and keep that clearance under review.

Disaster recovery planning

These measures will go a long way to protecting your company and avoiding day-to-day pitfalls. Your staff will feel happier that they’re working within IT structures that smooth their working day and protect them against intrusion. IT contractors will be delighted to work with a business that takes security so seriously and uses platforms and utilities that are kept up to date.

However, we’re busy people. We receive hundreds of emails a week and use all sorts of online utilities. Everyone understands the basics of internet hygiene just like we understand that we shouldn’t eat too much sugar, but we don’t always follow the rules. We’re too busy, too tired, too hasty and too pressurised. We don’t double check the sender of every email and attachment we receive, or pay attention to the security of a website. This is especially the case if they appear familiar at a glance. Sometimes we click on something we shouldn’t, and every so often that will have calamitous results. This is how human error creeps in.

Creating a disaster recovery plan is vital for any business that intends to survive a serious IT problem. It’s time very well spent. You keep operating while the situation is put to rights instead of scrambling to find information. There’s a great deal of information available on disaster recovery planning, but we’re always happy to help if you’d prefer professional input. A well-drafted, tested and implemented disaster recovery plan turns an IT problem from a disaster to a nuisance.

The BA fiasco – Lessons for small business services

Small business services – lessons from the BA IT fiasco

small business servicesYou probably don’t have hundreds of thousands of customers, it’s unlikely your chief exec is grilled on the BBC and when your company gets it wrong Twitter might not creak under the weight of invective, but that doesn’t mean that a serious IT failure such as that suffered recently by British Airways can’t cost your company a fortune in money and reputation. Ensure your small business services are robust and well-protected and that you understand best practice. Here we detail the questions to ask your hosting company and the staff managing your IT services day-to-day.

Ask your DC about power failure procedures

BA has put out a barely credible reason for the outage: a power surge at a data centre followed by a failure of the back-up power system. Data centres are designed to withstand power surges and have strong back-up power systems. Problems can still occur, but it beggars belief that a company handling the volume of data, time-critical services and financial transactions that British Airways sees on a daily basis wouldn’t have cast iron measures in place to protect its power supply and back-up power generation. It’s astonishing to consider that BA would leave itself exposed in this way.

For the small company, the lesson here is to ask your hosting company about how it handles a power failure – the classic digger-through-a-vital-cable scenario. Ask it to explain to you – in language you understand – until you’re happy that short of asteroid strike, your services will stay up.


But let’s say that a power surge and failed back-up power service has indeed knocked your website, email and other utilities offline. Small business services are potentially more vulnerable to this than a huge global company as they won’t be sitting on the same dedicated services as a large company. British Airways was heavily criticised for not communicating with its customers; Alex Cruz, British Airways’ chief executive, explained this away by saying the messaging services were also affected by the outage. A company with the resources of BA has all its eggs in one basket? Staggering. A basic strategic error. Of course BA has data protection to consider when it contacts customers and has to use secure and encrypted channels for this, so I’m not convinced about the suggestion I heard to fire up a GMail account and email everyone. A security breach would have been the last thing BA needed on top of the outage, but again, a company with the infrastructure of BA surely could use services sitting in another data centre to communicate with customers. All data held should be backed up and held in multiple locations, so all customers should have been contactable.

Consider how you communicate with your customers: do you have contact data backed up? Do you have an alternative channel to communicate with your clients if your services go down? Back ups are very important but unfortunately their value is often underestimated until things go wrong and that data becomes critical.

Virtually every company uses some form of social media these days, and while it may not be the right channel for communicating sensitive information, make sure your clients know how to make contact with you in the event of a problem. Put your social media contact buttons or URLs in your email footer and on any paper invoices or other communications you may send out. Not knowing what’s going on ups the ante for your cllients very quickly and makes everything 10 times harder to deal with. If you can let your clients know that you’re aware of the probem and that you’ve set in train your recovery plan, you’ll make the aftermath less heated. Once everything is back to normal, get in touch with your clients to give them an update. Remember that other companies may view you as you view other small business services and expect a similiar response from you as you do from your hosting company.

Reliable IT staff

Whatever the truth of it, accusations have been aimed at British Airways that it made redundant its best (and therefore expensive) on-site IT staff and that the delay in restoring services was in part attributable to having to use remote contractors. Small business services are especially vulnerable in this situation as they rarely employ in-house IT staff and are entirely reliant on the procedures and expertise of the hosted platforms they sit on, so ask your hosting company what its emergency plan is. What’s your SLA – everything restored in four hours? Within 24 hours? What resources does it have access to? How much redundancy is in place? Redundancy is effectively ‘spare’ services and capacity that step in automatically to keep everything working when the main service is having problems. Ideally neither you nor your customers should notice that anything happened. Ask your hosting company too whether you’re charged separately for this type of support and what compensation is offered.

Doing the day job

BA is an airline: it flies passengers all over the world. This is and should be its priority, not dealing with IT problems and their very public fall-out. What would happen to your business if you had to spend three days dealing with IT problems instead of doing your real job? Would you lose money, miss opportunities, upset valued clients, have to cancel appointments, spend time and money reassuring and perhaps compensating people? These things have lasting consequences. To minimise the likelihood of a problem, the time it lasts and the fall-out you have to deal with, create a disaster recovery plan. We wrote an article about this a while ago and the advice stands. Sometimes things go wrong, but in the words of that article, plan to reduce it from a disaster to a nuisance.

Vatican library uses open source to avoid vendor lock-in

Who knew Vatican library uses open source?

Vatican library uses open source, according to this article:

Vatican library: open source for long-term preservation

The article looks at the way Vatican library uses open source and open standards for long-term preservation of electronic documents. Head of IT at the Vatican Library, Luciano Ammenti, identified another key benefit: avoiding vendor lock-in.

Both of these points are interesting and we’ll take a closer look, but this line from the article really leapt out:

The Vatican library does not have a policy prescribing open source and open standards, says Ammenti. “The reality is that in our data centre we use a lot of open source software, sharing our experiences with other scientific communities. It is a privilege to use their open source solutions.”

The best solutions are open source

Vatican library uses open sourceIn other words, the set up at the Biblioteca Apostolica Vaticana (to give it its proper name) hasn’t been prescribed or imposed by a higher authority, rather it simply provides the best solution and day-to-day it helps the Library achieve its aims. The Vatican library uses open source just because nothing else performs as well, not out of adherence to higher principles. That’s a very powerful endorsement of open source, and further reading of the article reveals that the IT department at the Vatican library uses open source for wider operations.

Well-maintained open source software

Discussing digital file format in particular, Mr Ammenti referred to the features of the actively-maintained system the library uses and contrasted it with the only proprietary alternative, which was last updated in 1998. The freedom to identify and migrate to well-maintained open source systems such as that one is a key element of the appeal of open source and the heightened productivity it can unlock. Making operational decisions in the knowledge that open standards underpin the choices you make is a breath of fresh air for IT professionals used to working within the limits of proprietary systems.

If you have any queries about adopting open source alternatives to any of the proprietarysolutions you use, please email