While the text is basic, it’s accurate enough for beginners. Instead, it’s the image that contains a dangerous chunk of misinformation.

The monitor on the left, labelled as a PC that uses a “standard graphics card”, is displaying a Windows desktop that’s washed out and blurry. The seemingly identical Dell TFT on the right, powered by a “high-end graphics card”, is showing the same desktop – but this time it’s much sharper and more vivid. They’re both outputting at the same resolution.

It’s true that using different screens can alter how a desktop looks, but that’s not the case here: Dell’s page uses two identical monitors that display two identical desktops, with the dramatic change in its appearance apparently caused by the different classes of discrete graphics card being used.

It is, quite simply, rubbish. Any modern discrete graphics card, whether a mid-range model or a more powerful part, is more than capable of displaying a Windows desktop. There’s no chance that by choosing two of the different graphics options available with the Optiplex 790 – let’s say the £86 inc VAT AMD Radeon HD 6350 and the £256 inc VAT dual Radeon HD 6450 option – a desktop will look any different on the cheaper card.

Dell’s page says that its picture is for “demonstrative purposes only”, but it’s not demonstrating anything that’s remotely accurate. Instead, this misleading page appears to suggest that a more expensive graphics card will mean even the Windows desktop will be made brighter and sharper.

That’s especially unfair on a page that’s clearly aimed at novice users – the exact people who will trust this information from a well-known brand, and who’ll fork out extra cash for a graphics card that’s simply unnecessary.

Dell has issued a statement regarding this issue, which we’ve posted in full below. The full story can be read here.

“Thank you for bringing this to our attention. Dell endeavours to help customers to make the best decisions regarding their purchases. It was never our intention to mislead customers, and we apologise for any confusion caused. We have now removed the image from our Global sites. Dell remains committed to delivering the best possible experience to all our customers.”

Mobile money is the future, or so I’m assured by research into the use of Near Field Communications (NFC) systems, which says most of us will be using our smartphones to pay for stuff within the next four years.

First things first, mobile money is not new. And, no, I’m not talking about the fact that money itself is pretty damn mobile when you think about it — what I’m talking about provides a system whereby you don’t have to carry real cash and can instead just point an easily carried payment device at a retailer.

Most of you will immediately know what I’m talking about when I mention the name of this bit of wonder kit, this device that has revolutionised retail, that does away with the need to carry cash and that just about everyone is comfortable using: it’s called a debit card.

For the small business it’s a no-brainer as the payment mechanisms are already well established and the associated costs already factored into the business plan. There are precious few compatibility problems, everyone knows how to use it and almost everyone has one. Sure, even with chip and pin there remains a fraud risk but, again, that’s a known entity and most businesses will be aware of the procedures required to mitigate the risk and deal with any fraud that should occur. And, my debit card does not need a battery, how about yours?

Debit cards

Which brings us neatly to the problems I have with this concept of the majority of us jumping from cash and cards to smartphone money and NFC systems. Debit cards have been around since the early eighties and, in 2011, banks still issue cheque books. OK, that is about to change over the next year or two as a result of fewer people actually using cheques any more, but it has taken more than 25 years to get to this point.

Debit cards have been around since the early eighties and, in 2011, banks still issue cheque books

If we are to believe the NFC hype then the general public acceptance jump from debit card to smartphone as payment method will take less than five years. That, frankly, is very hard to believe, even for an evangelistic and unashamed geek like me. (Of course, the fact that the research suggesting this was commissioned by Monetise, a “global enabler of mobile money services” does nothing to help me accept the conclusions.)

But let’s take a closer look anyway. I am informed by this research that the number of people in the UK using their mobile phones to manage their money (access bank accounts, make purchases and perhaps pay some bills) has doubled in just two years. Sounds impressive, but it has doubled from 5% to 10%, so hardly anything to get really excited about.

The research insists that the number will go past 50% “in the next few years as banks and retailers take advantage of the widespread adoption of smartphones, apps and 3G phone networks to deliver new services”. OK, given a rather huge dose of benefit of the doubt I will go along with that. Where I think it all goes tits up is when it insists that a major factor will be “the emergence of ‘tap-and-go’ payments using Near Field Communications”.

An emerging trend?

The report, Emerging Trends in Mobile Banking, discovered 57% have used mobile banking more frequently in the past year than they did in the previous year, 68% find banking on the handset easier than over the internet, and 70% are very keen to use their mobile to buy things. Really, very keen? That may change when they get to the shops and discover the mobile phone battery is dead. Or the shop in question doesn’t accept Nokia money, only Motorola money. “You want to pay by iPhone sir? There’s a 1.5% handling fee for that as Apple charge us extra” and so on.

I’m not knocking NFC just for the sake of it; I can see huge potential for the technology. But to suggest that most of us will be flocking to pay for stuff with it in just a handful of years from now is folly of the first order. Until a smartphone is as small as my debit card, has the same battery life and can be pretty much guaranteed to be accepted everywhere I go, I think I will be sticking with my flexible friend…

More and more businesses are dreading that Tuesday every month when Microsoft release a bunch of security patches and updates.

Patch Tuesday should be a thing to look forward to, of course, seeing as it’s when the latest round of application and operating system vulnerabilities get a nice big sticking plaster to protect your systems and data from exploit. The trouble is that when, as with the latest Patch Tuesday, there are no fewer than 17 security bulletins (nine rated as critical) covering a whopping 64 vulnerabilities –  many of the patches requiring a full system restart – it all starts to become something of an IT management nightmare. Especially for the smaller business where there isn’t an IT manager or even an IT department to handle such things.

The vast majority of smaller businesses that I talk to are not IT savvy, they get by and rely upon the systems and software they are supplied to do their job. They don’t switch browser to Firefox or Chrome, they run Internet Explorer because that’s what everyone else uses and it came with the box. What’s more, they often run an older version of Internet Explorer as they apply the “if it ain’t broke” rule. Wrongly in the case of older versions of IE, of course, which are broken from a security perspective.

The latest Patch Tuesday updates included one (security bulletin MS11-018, which was rated critical and covered IE6, IE7 and IE8) which protects them from a vulnerability that can compromise the browser as soon as it visits a malicious site. It’s vital if a business is using one of those versions of Internet Explorer that they apply the patch, yet it’s bundled in with all the others and likely to be lost in an all or nothing approach to updating.

Surely it would be better if Microsoft rolled out patches individually, on demand, as they became available, rather than storing them up and releasing them in a flood like this?

Many small businesses opt for the nothing approach, at least in the short term, as installing and rebooting eats into either work or leisure time. Many will have been advised to turn off automatic updating to prevent such interruptions to their business processes and will simply ignore the warnings about updates altogether.

For consumers these mammoth updates are a nuisance, but nothing more. If they want to minimise disruption they can simply schedule the update to take place while they sleep. Small businesses are not in such a position, they have to supervise the process to ensure there are no hiccups. Those businesses without specialist IT support are in a Catch-22 situation: they have to understand the vulnerabilities as they apply to their particular needs and prioritise the patching process accordingly, but they don’t so they can’t. Then there’s the problem of compatibility testing, especially if the business uses custom applications that could be impacted by the patching.

Security patching of critical vulnerabilities is vital to safeguard your business data, but unplanned patching can interrupt business processes and potentially break custom applications. Surely it would be better if Microsoft rolled out patches individually, on demand, as they became available, rather than storing them up and releasing them in a flood like this? Surely it would be better if the reasons for patching and implications of not patching were explained better to the end users rather than pointing to the somewhat jargonised security bulletins?

So, if you are a small business, how do you deal with Patch Tuesday?

StartUp Britain is an initiative to help startup businesses in the UK. Clearly this is a good thing in principle though some have suggested – not least my Real World Computing comrade Kevin Partner -  that some of the sponsors and backers of this Government-applauded but privately backed venture are rather in it for themselves, judging by the help and offers that have been made public.

However, things hit a new low with Microsoft’s offer: it is offering “free technology resources worth up to £400 per company”, which sounds pretty good to me at first glance.

But when you go to read the Microsoft offer you find that the offer consists of:

1. “Webinars and seminars – we will build a programme to train 5,000 businesses”  - which sounds just like the free webinars and seminars Microsoft already provides.

2. “A free 90-day trial of Microsoft Dynamics CRM Online to help you manage your customer relationships and sales pipeline. Worth £370.” Excuse me? £370 of value in a 90-day trial of some Microsoft software? I can go to the Microsoft website and get a 30 day trial for free. Do it three times if you really need to. But claiming this is “worth £370″ is an insult to small businesses.

3. “A head-start on online advertising with Bing and Microsoft. Worth £30 + sign up for a free webinar.” So you get £30’s worth of free advertising on the Microsoft advertising engine. Gosh.

4. “A free 60-day trial of Microsoft Office, the essential software suite for managing a small business,” for which, curiously, Microsoft attaches no value. Probably because it is a “free trial”.

So the reality is that Microsoft has not provided “free technology resources worth up to £400 per company”. That, dear Microsoft, would be two full licences of Office 2010 for small business for free. Trialware and a free play with your advertising engine adds up to a great big zero.

One week after the Government focused on big business with a 2% cut in the main rate of corporation tax (which doesn’t apply to small businesses) it’s seeking to make up for this by supporting StartUp Britain.org. This website, which features a picture of David Cameron levitating and a very red-faced Richard Branson, purports to “make it easier for new companies to flourish” and, perhaps, is the planned replacement for BusinessLink.

The essential difference with StartUp Britain is that it’s been developed and run by private companies rather than the Government. This gets around BusinessLink’s obsessive focus on regulation rather than the development of business. However, the Government’s much vaunted idea – that private individuals and companies will philanthropically fill the gap left by their withdrawal from public services – is immediately exposed as pie in the sky by StartUp Britain.

The site is little more than a series of links to other sites (how original) along with “up to £1,500 of great offers”. Sadly what these offers amount to is a set of promotional vouchers, many offered by the founders of StartUp Britain. For example, Glasses Direct (whose founder Jamie Murray Wells is one of the backers of StartUp Britain) offers a £15 discount voucher.

In other words, I have to spend money with Glasses Direct, contributing to its profits, to benefit from my StartUp Britain voucher. That’s not even a very good offer compared to those available to Joe Public on its site. Whose business is this site supposed to be helping? HP’s link quite hilariously doesn’t work. A Google AdWords voucher, free legal cover (when you buy insurance) and 10% off AXA insurance round off an utterly underwhelming offering.

To make matters worse, many of the links take you directly to products rather than free information. For example, Alan Sugar’s autobiography and Duncan Bannatyne’s Anyone Can Do It (which is very good). A cynical person might see this as little more than a marketing opportunity for the companies involved. Lucky I’m not cynical then, isn’t it?

Perhaps the biggest problem is that, as with BusinessLink, the number of links makes business look more complicated than it is. Essentially, business is about finding a product or service that enough people will buy from you to make a profit, building it and then marketing it. My advice to budding entrepreneurs is to get the book Purple Cow by Seth Godin and, if you’re thinking of an internet business, Free, the future of a radical price by Chris Anderson.

Once you have your idea in the bag, it’s time to get into the nitty gritty of business plans, accountancy and marketing. Perhaps by that time Startup Britain will be worth visiting.

The internet has been running out of space for the best part of ten years now, address space that is. In a nutshell, the 4,294,967,296 addresses provided by IPv4 are pretty much exhausted and so we must start embracing IPv6 which can provide a few more.

How many, exactly?

How does 340,282,366,920,938,000,000,000,000,000,000,000,000 addresses sound to you?

Now I’m not going to get stuck into the whole ‘how to migrate to IPv6 thing’ here, nor even the debate about how long we really have left to make that migration (although Steve Cassidy will be examining this in issue 200 of PC Pro). Nope, I’m more interested in what the potential impact upon internet security will be when it’s a done deal and everything is connected to the internet.

In other words, does giving everything an IP address open the door for your fridge to start spamming you? Or perhaps more appropriately, given the type of crap contained in most of the spam I see, your toilet for that matter? Seriously though, what does IPv6 mean for security?

Much of the FUD coming is coming from those with something to sell, be it product or consultancy

Given enough IP addressees, the argument goes, the spammers can cycle through such a large and diverse range that spam blacklists become unsustainable, as by the time a domain has been verified as a spam source and added to the blacklist, the spammers behind it have already moved it to another IP address.

This, it seems to me, is less an IPv6 problem and surely more a ‘rely on blacklisting to defeat spam’ problem. Other content-focussed techniques, such as Bayesian filtering, don’t care about where the source is but only what the output consists of.

So are there actually any hidden dangers in the move to an IPv6 address space system at all, or is it all just the usual round of FUD? As some organisations have already implemented IPv6 without any great collapse of security systems, I am inclined to think it is just that. Much of the FUD is coming from those with something to sell, be it product or consultancy.

Potential problems

There will be problems, of course. I’ve heard reports that the Duplicate Address Detection (DAD) system, which provides the means for a device to ask others on a subnet if they are using a particular address, could be used for denial of service (DoS) attacks without too much effort. But then again, those in the know have told me that it doesn’t take a whole big bunch of effort to detect this happening and block it.

Am I scared that IPv6 will cause the sky to fall in? Nope, and neither should you be. IPv6 itself is not intrinsically any less secure than IPv4, as long as it is implemented properly — which means doing your homework during any transition period between the two and ensuring you are not creating holes through which your own particular little piece of sky could fall. But that’s not different to any transition from one network technology to another…

I do, of course, appreciate that neither the original iPad nor the iPad 2 are pushed primarily as a business tool, but maintain that it’s a valid question to explore nonetheless.

The trouble is, I’m hard pressed to come up with too many small business scenarios where media consumption, rather than creation, is a core computing requirement. As a complementary device to an existing netbook or laptop it comes into its own but, seriously, how many small businesses have the kind of budget which will stretch to such a fanciful and, frankly, superfluous purchase in the current economic environment?

Sure, you see suits with iPads all the time when travelling first class on the train, so perhaps there is a real business demand? Not that I’ve noticed,  as whenever I look to see what those suits are doing with their iPads the answer is much the same: playing a game, checking schedules, browsing the web and maybe reading (although rarely writing or replying to) their email. I can’t ever recall seeing someone working on a document or spreadsheet, although I have seen one person with what looked like a PowerPoint presentation running.

My advice to the small business contemplating an iPad 2 purchase would be to look instead at buying the original iPad with a £100 discount from Apple before the iPad 2 goes on sale

Nope, the business types I see are using the iPad like a giant smartphone that doesn’t make calls. The fact that they all have a real smartphone, which does make calls, sitting on the table next to the iPad makes this all the more fantastical. Of course, you can buy one of those iPad cases with a keyboard built in to add business usability, and the ones that I have tried are actually quite good. But it’s another expense that the average small business can ill afford, and if you are looking for a machine that couples a screen with a keyboard then why opt for an iPad in the first place over a netbook or baby laptop? Remember, this is all within the remit of small business usage before you start bombarding me with consumer reasoning.

So what does the iPad 2 itself bring to the small business table that may change the way I look at the device in this context? Well I will admit that FaceTime could be a useful small business tool, bringing usable if very basic videoconferencing into the mix, which was totally missing from the original iPad. But as a unique small business selling point it is something of a hard sell. Most small businesses that I visit are quite happily using Skype on their webcam equipped netbooks and laptops to meet mobile videoconferencing needs, and those with iPhone 4 devices already have FaceTime anyway.

Enhanced performance courtesy of the A5 chip apart, the iPad 2 only really brings HD mirroring to the business checklist. This, courtesy of a Digital AV adapter at further cost, will at least enable portable presentations to be made to a HDTV screen or projector.

Apple didn’t go overboard on the business angle at the launch of the iPad 2 for good reason: it is not a market that is being aggressively targeted because it isn’t primarily a business device. Simple as. Those niche businesses which did have a use for the iPad will, budgets allowing, already have invested in the technology and will find precious little reason to upgrade to iPad 2, as most of the advances were in design form rather than business function. Where’s the USB socket for starters? Some have said that what Apple has launched is really the iPad 1.5 and I’m minded to agree. In fact, my advice to the small business contemplating an iPad 2 purchase would be to look instead at buying the original iPad with a £100 discount from Apple before the iPad 2 goes on sale.

This might not be as stupid an idea as it first sounds, especially when you consider that it can be updated to iOS 4.3 which brings many of the benefits of the iPad 2 at no extra cost. OK, you won’t get FaceTime as an OS upgrade cannot magically install cameras front and back, but iOS 4.3 does provide a welcome speed boost to Safari web browsing with the Nitro JavaScript engine, which is now built into the WebKit core rendering technology.

It’s not just what I call a ‘press release speed increase’ either: this one actually makes things faster in the real world by using just-in-time compilation to halve JavaScript execution times. Then there’s the Personal Hotspot feature. Using this, your iPad can share an iPhone 4 data connection, assuming your carrier supports such a tethering plan and you can afford the additional cost. If it does, and you can, then you will be able to set up a personal hotspot permitting any five devices from three Wi-Fi, three Bluetooth and one USB.

Whether you are thinking about the iPad or iPad 2 as a small business purchase, the real before you buy test should be made at the App Store. The proof of the iPad pudding really is in the consumption of apps. Apple is proud of the 10 billion downloaded apps stats, and rising quickly all the time, but how many of those are relevant to your business niche? If there are enough apps that address a real need in your business then maybe, just maybe, it deserves consideration when you start to look at replacing that laptop or netbook.

But it’s a big if…

Much has been written about the security of data in the cloud, and even more about the insecurity of the same. Until now, things have been somewhat quieter when it comes to how we access cloud-based data on the move. That, I suspect, is about to change.

Plenty of effort has been poured into securing online data stores, and plenty is made by the providers of those cloud services in making sure potential customers know about it. Which is why the bad guys are understandably looking for the soft targets, and at the moment that would appear to be Android apps.

I’ve said it before, and I will say it again: the smaller your business, the bigger the benefits of cloud computing. That rings especially true at the ‘free’ end of the cloud scale where the attraction of services such as those provided by Google can offer real bottom-line savings for hard pressed small business concerns. Security within the free or low-cost cloud isn’t somehow automatically weaker than that found at the expensive end of the cloud provision market either.

You can be sure that Google has invested heavily in securing the data at rest within those cloud bases, incorporating all the multi-layered protocols and synchronous replication processes you might expect. But perhaps it needs to invest more at the other end, the smartphone to be precise. What you need to ask yourself is whether Android could be the weak link in the cloud security chain?

Dan Wallach, an associate professor in the Department of Computer Science at Rice University in Houston, got the ball rolling when he revealed that his undergraduate security class had decided to listen in on the traffic to and from his Android smartphone, a Motorola Droid X running Android 2.2.1, with his permission of course.

With Android overtaking Apple iOS as the most popular mobile operating system, security of Android apps is going to become something we hear more and more about

The class used Wireshark and Mallory to sniff the data and quickly discovered that Google wasn’t encrypting traffic heading for Google Calendar (using the default Google Calendar app that came with the phone) which is a pretty bad start if you were expecting this kind of information to be kept secure and confidential in transit. Google is, I understand, planning on introducing encrypted traffic to Google Calendar on Android as part of an unspecified maintenance release in the future.

What really grabbed my attention, however, was while the professor had a Facebook account configured to specify fully encrypted traffic, the Android Facebook app ignored that and sent everything in the clear. Especially as Wallach notes “Facebook isn’t doing anything like OAuth signatures, so it may be possible to inject bogus posts as well”. Oh, and one of the requests that the class saw heading to the Facebook server was carrying a SQL statement, which doesn’t bode well.

Identity management specialist Phil Lieberman argues that the sending of data (other than passwords) in the clear is “absolutely typical of open-source software” and insists that there is little or no incentive for the software developer to do otherwise unless the destination system absolutely requires it.

Indeed, he goes further to warn that the Dan Wallach revelation is an “early warning shot” when it comes to the use of cloud-computing platforms and Android. “The stark reality is that computer science graduates rarely, if ever, receive any training on how to write secure applications,” Lieberman claimed. “So it should come as no surprise that many applications created by these same people are insecure”.

Certainly, with Android overtaking Apple iOS as the most popular mobile operating system, security of Android apps is going to become something we hear more and more about. Unlike Apple, which has had relatively little problem with malicious apps finding their way onto iPhones, courtesy of what some argue are Draconian controls over what reaches the App Store, the Android Market accepts anything that is uploaded and there are no such pre-publication clearance controls to filter out the insecure and downright dangerous.

So perhaps it should come as no surprise that just last week we have seen the discovery of some 50 or so Android apps infected with the ‘DroidDream’ rootkit, which are capable of intercepting and diverting personal data. Of course, Google acts quickly (within minutes in this case) to remove such software as soon as it can when such a discovery is made, but that didn’t prevent people downloading them and being infected in the first place. The DroidDream rootkit also has the capability to download other malicious software which it can then install, so nobody really knows how many handsets are already infect or what they are infected with.

More alarmingly, those same infected handsets, or even the same apps, could be used to access business data in the cloud. Whereas much focus has been put on ensuring company data is properly encrypted when stored on mobile devices, that focus has to now widen to include the apps being used to access the data in the first place.

At the very least, security policy needs to encompass the usage of authorised apps only on any device used to access business data. Better still, ensure that processes are in place that control what data and services a mobile device can, and cannot, access. Either that, or as Phil Lieberman starkly says “use your smartphone to log into cloud and secure systems at your peril”.

How much is your data worth? You may think that the customer database your business has built is priceless, and individuals probably regard their online data as being rather valuable as well. After all, that’s why we put so much effort into securing it. Unfortunately, the basic economic laws of supply and demand exist within the criminal marketplace just as they do elsewhere.

Which means that our perception of value is hugely over-inflated when compared to the reality of the online underground economy. That reality is that as malware production and exploitation has rocketed, and stolen data has flooded the marketplace, so the price has plummeted to pretty unbelievable lows.

I’ve been scouting around the various cybercrime underground markets, as well as talking to professional security researchers, and have found pricing that ranges from a few pence for basic stolen credit card numbers purchased in bulk, to a few hundred pounds for a verified ‘active’ bank account with a balance in excess of £10,000 and an online purchase history to go with it.

The risk of arrest is far higher to the person cashing in on a stolen bank account than it is for someone simply selling the data on the underground market

At the really cheap end of the stolen data market are those volume purchases of stolen credit-card numbers. If you fancy taking your chances with a bunch of 100 US-originated cards, unverified and with no guarantees of still being active, then you can pay as little as 10p per card.

Double it if you want the same volume but with a guarantee (whatever that may be worth when dealing with low-life criminals) that the accounts have not yet been reported as compromised, and double it again if you want UK-originated cards rather than American ones.

Platinum variants used to carry a premium, but these seem to have all but disappeared. The bad guys are not adverse to racking up the profit margin with value-added deals though, charging an extra £1 per card if you want accompanying security data (such as postal address and mother’s maiden name) and 50p per time for cards registered to an owner in a specific city.

Unverified bank account data is also cheap enough at £1 per record, but if you want one that comes ‘guaranteed’ as active and with a positive balance of up to £500, then you can up that to £50. The bigger the available balance on a verified account, the more you can expect to pay. How does £400 for an account with around £50,000 of available funds grab you?

The most expensive charges are reserved for accounts which have an existing record of online purchases and PayPal transactions, and are therefore less likely to attract unwanted attention as the funds start to empty.

I know what you are thinking: if that balance was really available why would the criminals be selling the account data for such a relatively small amount instead of cashing in themselves? The answer can be summed up in one word: risk. The risk of arrest is far higher to the person cashing in on a stolen bank account than it is for someone simply selling the data on the underground market. Especially as most transactions are made using ‘untraceable’ cash transfer services such as Western Union or Liberty Reserve.

DIY Kits

The underground economy doesn’t only apply market forces to the value of your data, but does the same when it comes to selling the tools that allow the bad guys to steal it in the first place. The news that you can now buy a do-it-yourself kit for creating a rogue Facebook application for as little as £15 on the web black market came as absolutely no surprise to me.

Nor that yet another kiddie script on steroids kit has surfaced; after all, it was only a matter of time before someone decided that there is more money to be made and less exposure to risk by selling a Facebook malware app creation kit than operating a Facebook malware app scam. What’s more, it’s certainly no surprise that such a thing should come so cheap.

The malware business has long since followed hacking and become commoditised. By which I mean, just as with the hacking business before it, as malware activity has increased dramatically over the past few years, so the market value of malware exploits and the kits used to create them has declined equally dramatically. So whereas the top-end rogue coders selling highly customised and complex Trojan exploit kits to establish hard-to-track zombie networks, which can be used to rent out DDoS and spam attacks, are still demanding many thousands for their handiwork, the budget end of the market is really low cost.

Ironically, the templated, kiddie-script kit end of the malware market is also plagued by piracy, with gangs cracking software and making it available for free. The payload for this free lunch being pretty similar to most pirated commercial software, in that it carries malware of its own. The crackers add code that ensure a copy of any data stolen is passed back to them for resale, and some even comes with a Trojan built in to allow them to take control of the network used by the rival gang installing it. That creates more stolen data to flood the market and further drive the price down, which in turn means they need to steal more in order to make a living.

But perhaps the saddest thing about this malware cost equation becomes apparent when you factor in the cost to business of the data being stolen which, according to a report from the Ponemon Institute last year, sat at an average of £64 per record.

The truth of the matter is somewhat different, of course, and basic data security is neither difficult nor expensive to achieve. All it takes is a little bit of technical know-how and an awful lot of common sense.

One aspect of data security where common sense often gets thrown out of the window is that of physical theft. Sure, there is an argument that as long as your data is properly encrypted it matters not a jot if the bad guys access your hardware, steal your laptop or find your USB stick.

It’s an argument that holds a fair amount of water, and I’m the first to advocate an ‘encrypt everything’ approach to data, but safeguarding your hardware against physical theft is so obvious that I’m always amazed to discover so many small businesses doing no such thing.

I’m the first to advocate an ‘encrypt everything’ approach to data, but safeguarding your hardware against physical theft is so obvious

Many will say that they already pay hefty insurance premiums, and if the old laptop is stolen then it’s a good opportunity to upgrade with the claim money. But what if all your data wasn’t properly encrypted, what about the interruption to your business continuity (even if it’s only a matter of an hour or two while a current backup image is squirted onto a spare machine) and what about the notion that not becoming a crime statistic is actually a good thing?

The bottom line is that taking any risk with your data is a bad thing and ensuring that your hardware is protected from theft or loss to the best of your ability is a no-brainer. The Absolute Theft Recovery team monitors laptop thefts, and has compiled a top ten list of the most common places where hardware is stolen from, after analysing the details of thousands of reported thefts during 2010. I was somewhat surprised that most thefts of laptops occurred from school, but have to imagine that’s because Absolute do a lot of business monitoring hardware in the education sector.

It came as no surprise at all that the home and the car made up the rest of the top three, with work following close behind at number four. Hotels, restaurants, public transport including taxi cabs, and airports were also common venues for computer crime.

So what can your small business do to prevent becoming part of the statistics? Actually, quite a lot and most of them are low cost and easy to implement.

Physical locks

Take the straightforward, if rather retro sounding, matter of making use of the Kensington lock slot and looping a decent quality cable around an immovable object to secure your laptop against casual theft in your office? Please note that the leg of a chair or desk is not an immovable object, and a five quid cable that can be cut using a pair of nail clippers isn’t decent quality. Cables are fine for protecting against opportunistic thefts during office hours, but if laptops are left in the office overnight then you should consider investing in a made-for purpose lockbox or secure storage cabinet and suitable alarm systems.

Also, when it comes to in-situ hardware, a cable will not stop the determined thief equipped with a pair of bolt cutters. The good news is that such thefts seem to be on a downwards spiral. While I have no official figures to support this claim, I’ve not been reading about so many hardware thefts as I used to and the business grapevine would suggest that offices are not being targeted as much as they used to be.

I suspect that the falling price of memory has a lot to do with the apparent decline in such crimes, as ripping a machine open and stripping it of RAM to sell down the pub or on eBay used to be high on the agenda of a petty thief. Couple that with a general decline in desktop computing and the ready availability of cheap netbooks, and it’s hardly surprising that demand for knock-off RAM and second-hand machines has fallen like a lead balloon.

Mobile alarms

Opportunist and professional thieves would appear to favour the mobile hardware market these days, and that means laptops, netbooks and smartphones. So how should you go about protecting these from the bad guys and moments of stupidity when things get lost? The latter is, actually, a much harder proposition that the former. Losing things is a fact of life, although losing a lappy can often be a rather expensive one in terms of both the hardware cost and the interruption to your working day and beyond.

Attach a transmitter to your laptop and keep the receiver in your pocket; if the two should be separated by more than the preset couple of metres or so an alarm will sound to remind you

You can buy alarms which work on a proximity principal, such as the Zomm reviewed in this month’s issue of PC Pro. Attach a transmitter to your laptop and keep the receiver in your pocket; if the two should be separated by more than the preset couple of metres or so an alarm will sound to remind you (and everyone in the vicinity) that you’re stupid.

At the low end of the budget scale such devices provide a simple method of preventing both the accidental loss of laptops at airports and train stations, for example, as well as opportunistic theft. For the one-man band business they make a lot of sense, but slightly bigger concerns might want a slightly more complex and costly solution such as a lojack service.

These use a software agent embedded in the BIOS firmware that maintains contact with a service centre, either via GPS or Wi-Fi depending upon your hardware, and allows the laptop to be located if lost or stolen. Lojack services are also useful in that they can keep a log of all activity after the theft was reported and remotely block access to your data, or even delete it if you prefer.

A similar service can be had for free if you happen to have an iPhone, using the Apple MobileMe service and an app called Find My iPhone. Once installed, you can locate your missing iPhone from any web browser and have a custom message pushed to the home screen and lock screen, together with an alarm sound. An email is sent to let you know that the message has been pushed to the handset, and another provides a date and timestamp when that message has been viewed on the iPhone itself. You can also remotely lock the iPhone or wipe all data, and the precise location of the device is displayed via Google Maps.

Laptop anti-theft measures

Don’t leave your laptop in the car. If you absolutely must, make sure it’s locked in the boot, preferably securely with either the Kensington lock slot and a cable, or within a specially installed car safe. Of course, if your car gets stolen then so does your laptop.

Don’t spend a fortune on a designer laptop bag, or use the branded one that was supplied with the laptop. These simply serve to identify you as a potentially valuable target. Instead, use a cheap and above all else non-descript bag instead.

Stick like glue to your laptop. If you are holding it then the only way a thief will get it is if they mug you. If you leave it unattended on your desk, in a conference room, the floor of an airport lounge, on the seat next to you on a train, things become a lot easier especially for the opportunist thief.

Consider marking your equipment to make it both easier to identify and harder to sell. So-called invisible marking systems such as ’smartwater’ forensic liquid will leave a unique chemical fingerprint on your hardware that is all but impossible to remove, but easily viewed by the police using specialist equipment.

At the opposite end of the marking scale, hugely visible customisation (think business logos and slogans, impossible to remove identification tags and the like) which will help to prevent a casual thief from making an easy sale and a quick buck from your loss.