Security risks increase when your business moves outside of the safety net of your main workplace. Mobile executives carry sensitive data around with them, and often times open it up to vulnerabilities just for the sake of convenience.

It all seems perfectly innocent. Connecting to wireless Internet in your hotel room, or syncing up to free wi-fi in a restaurant just to get a little work done. Convenient? Yes. Necessary? Sometimes. Is working remotely a down trending habit? Absolutely not. And so, we must learn (and educate our workforce) about how to work remotely more safely.

Protecting your mobile workforce is essential to protecting your business. And it can be accomplished (or at least done more successfully) by following a few simple tips to help keep your business safe from hackers, no matter where you go:

Stay Off the Free, Open Wireless

More and more public places are providing free, or shared wireless Internet. These open networks are dangerous. They’re risky for personal communications, but they are absolutely not suitable for conducting business without protection.

When jumping on public shared wireless connections, it’s essential to do so using a secure VPN connection with the latest encryption methods. This will funnel all your online activities (email, surfing, chat, etc) through this secure connection so prying eyes can’t see what you’re doing. Several companies offer this service but we’ve heard good things about Anonymizer.

As an alternative, Verizon, Sprint, AT&T, and others have mobile broadband services available for a reasonable monthly subscription. Spring for the mobile Internet access card. It’s a small expense for what you get in exchange – the ability to conduct business more securely outside the office.

Bonus Tip – turn off your wireless connection at all times when not in use so you are 100 percent sure about when you are connected to the Internet. If you’ve previously connected to default network names (like Linksys) then anytime that network name reappears at another location, you will be automatically connected to the network opening you up for risks.

Let Hardware Do the Hard Part

We’re joined at the hip to our laptops, mobile devices, iPads, and other mobile gadgets. These crafty handheld devices help us work more effectively, and their processing capabilities and compatibilities increase every day. There’s no turning back from the convenience they provide, and believe me, we wouldn’t want to because the benefits in most cases far outweigh the risk.

Next time you’re packing for a trip, or just to work remotely for the day, think twice about your hardware requirements.

• Use a “travel only” laptop. A stripped down version of your of your regular workhorse but with limited history and minimal applications installed. Of course, passwords and all the “conveniences” of your regular machine won’t be readily available, but do you really need it all when you’re on the road? For some trips, perhaps, but always weigh the risks against the convenience.
• Use Web access rather than physical software for email when possible. Obviously, this is more convenient if you subscribe to the “travel only” laptop model. Either way, take pause to consider all the confidential information that may be stored on your physical machine’s email software if it fell into the wrong hands.
• Clear browser history every time you close Safari, FireFox, Chrome, etc. If anything, this will make it more difficult for cyber thieves to retrace your steps.
• Don’t store documents, presentations, spreadsheets, PDFs, etc, locally. Always connect to your designated location on an approved network and put your information there. The goal is to make your physical hardware as useless as possible. This way, if your laptop goes missing, none of the important information goes with it.
• Don’t store or “remember” passwords, type them in every time unless you want to give unlimited free passes to cyber criminals.
• Don’t leave home without “lojack-like” software, such as Computrace, that can wipe the contents of your mobile device. This provides an extra layer of protection in case your phone or laptop falls into the wrong hands.
• Anti-virus software can be installed on most laptops. There are several reputable virtual security companies that provide reliable service, but in a pinch you can download a free version that is better than nothing, as they say.

Pull the Fire Alarm

Two-factor authentication (aka 2FA or “the fire alarm”) provides an additional layer of protection and awareness for user systems. It’s incredibly simple, affordable, and effective, so there’s no excuse to not have this service for your users 100 percent of the time, but it can easily be enabled for users on the road.

It works like this: When (stolen or legitimate) credentials are successfully entered into a login prompt, the “fire alarm” software places a phone call to the authorized user to 1) alert the authorized user that a designated system is being accessed and to 2) retrieve a secret pin and complete the authentication. With this service enabled, attempted security breaches can be identified quickly, snuffing our suspicious activity before a full-blown crisis ensues.

Watch Your Back, Jack

Your coffee cup is empty, so you grab your wallet and ask the nice person next to you to “watch” your laptop while you go refuel. For an experienced cyber criminal, it takes just second to grab some data off of your computer, phone, or tablet. And lesser skilled (however not necessarily less malicious) hackers could just grab your goods and run. Thieves are everywhere and they park themselves in places where people work for this very purpose.

The coffee shop isn’t the only crime scene. Airports, car rental shuttle, hotels, and the back seat of your car are equally susceptible to theft. Check your bags at every turn. Make sure you’ve got the correct luggage and account for all your personal and professional belongings. Report any stolen items to the police and your IT staff at once.

Be Responsible. Your Business Depends on It.

Anytime you’re doing business on the road without security in place, you’re open for business, but for the wrong customers. You wouldn’t take your customers’ money and let it hang out of your pockets for anyone to grab would you? By leaving data access points open to hackers, you’re essentially doing just that.

Be conscious of how easy it is for hackers to take your company’s valuable information. Take the time to ensure that your company, and your customers’ data, is always protected and accountable, no matter where you are in the world.

A version of this article appeared in eCommerce Times on June 22, 2010.

Attacks against popular web applications such as these constitute more than 60% of all attacks on the internet, and some of the exploits don’t even require a user to open the downloaded document or file. Victims’ computers may be compromised by simply visiting an infected website masked with the perception of being a trustworthy, big, software brand.

Client-side vulnerabilities are so powerful because they give hackers a mask behind which to carry out exploits. Users feel confident downloading files from trusted sources or using tools and applications such as Microsoft SQL, FTP, and SSH that are perceived to be safe because of popularity and industry-wide user-acceptance.

Did you know that:

• websites are most often compromised by SQL injection, Cross-site Scripting (XSS), and PHP File Include attacks.
• web servers are primarily exploited and compromised  by brute force password guessing attacks and web application attacks.

It’s scary, but true; there are a number of automated tools designed to make it easier for even novice hackers and script kiddies to carry out such attacks. Once deployed, these attack methods give cyber criminals the ability to quickly discover and infect thousands of  websites or computers at once in such a way that will propagate infections across other computers and servers around the globe.

Most importantly however, client-side vulnerabilities provide an open doorway through which many hackers can achieve their ultimate goal – stealing sensitive data for financial gain.

Security experts believe social networks like Twitter and Facebook are targeted because of the sheer number of users. Defacement is the most common motivation for ego-driven hackers, and these high traffic, high involvement communities are a great way to disrupt many victims at once.

A study by Webroot sheds light on a few other reasons why social networks make a ripe targets for hackers.

• 36% of social networkers admit they don’t hide personal information
• 33% admit to using the same password for all of their online accounts
• 28% accept “friend requests” from strangers

With such a high percent of social networking users being unaware of the dangers, “hackers lure users into taking actions they shouldn’t by making it appear as if a friend within their social netowrk has sent them a message – only the message is from a hacker who has hijacked the friend’s account,” warns Mike Kronenberg CTO of Webroot’s Consumer Business division.

The technique described by Mr. Kronenberg is known as phishing, and it’s one of the most preventable ways hackers obtain access to confidential information. SQL injections, Cross-site Scripting (XSS), and Cross-site Forgery Requests (CSFR) are more covert, technical methods that hackers use to get the infomation they need.

“As a web service or SaaS provider, you can help protect your users from these attacks by hosting your applications in a secure environment. Users need to be savvy, and when they can’t stay up to speed on all the risks, community users should be weary and overly cautious at all times,” suggests Chris Drake, CEO of FireHost.

In reality, the latest sum TJX has to pay is small potatoes compared to the capital outlay the retailer has made since 2007 to mitigate the security breach that exposed 45 million credit and debit card numbers. When the leak was discovered, TJX set aside $107MM to deal with the fallout and the expenditures to date are in that range. In two of the largest settlements, they’ve paid $24MM to MasterCard and $41MM to Visa banks. In addition, TJX has been ordered to undergo costly external audits every other year for 20 years by the FTC.

Is it 100% possible for companies to avoid costly and negative public facing situations such as this?

Maybe not, but there is quite a lot you can learn from past system compromises to help prevent making the same mistakes. In fact, PCWorld Canada has compiled a “top ten” list of vulnerabilities companies maintaining a serious presence online should know about.

1. Operating System Flaws
2. SQL Injections
3. Drive-by Downloads
4. Compromised Password(s)
5. Social Engineering
6. Malicious Email
7. Physical Access
8. Compromised Network
9. Wireless Hacking
10. Weak Access Points

These vulnerabilities require more than software patches and basic anti-virus software to keep your network and data safe from hackers, and most companies don’t have all the resources available necessary to provide complete protection.

“Instead of relying on costly, in-house expertise, many firms are looking outward to goal-focused security consultants to help identify openings hackers could easily exploit,” said Chris Drake, FireHost CEO. “We recommend that every client undergo a security audit just to ensure everything within your power is being done to help prevent confidential internal and consumer data from leaking into the wrong hands.”

An article on FoxNews.com revealed the most recent committee member to be Jeff Moss, aka Dark Tangent. Mr. Moss is widely recognized as founder of the DefCon and Black Hat hackers’ conferences. He has worked in information security for accounting giant Ernst & Young and presently works as an independent cybersecurity consultant for a variety of corporations.

Mr. Moss looks forward to bringing  “a skeptical outsider’s view” to the HSAC, but admits he was surprised by President Obama’s invitation to join the council stating, “I always figured that because of my associations in the past that I would be kind of out of the running for anything like this.”

The US’ strategy of inviting hackers to join governmental agencies is not unique. Britain is taking a precautionary stance on cyber warfare as well by hiring former computer hackers to join a newly formed security unit aimed at protecting cyberspace from foreign spies, thieves, and terrorists.

The cyber security prevention unit will be based at Britain’s Government Communications HQ (GCHQ) in Cheltenham, western England. Britain’s Security Minister, Lord Admiral Alan West said British government systems have probably come under cyber attack, but that he did not know of any specific cases where sensitive data had been lost.

Private organizations, individuals, and corporations should take a proactive stance on cyber crime and identity theft as well.

Chris Drake, FireHost’s Chief Executive Officer recommends every individual and professional organization maintaining a presence online to align themselves with experts in web site security. Speaking from experience he states, “You can prevent negative press, unnecessary expense, downtime and a ton of headache by identifying and resolving website security risks before problems strike.”

Read more about how FireHost can help identify vulnerabilities in your web site by visiting our Vulnerability Audit page.