Cybercrime is a growing concern for local businesses.
In the Global Economic Crime and Fraud Survey 2018 South Africa published by PwC, 26 percent of respondents said that cybercrime will be the most disruptive economic crime to affect organisations over the next 48 months.
This is bad news for local businesses, especially smaller SMEs.
“Our claims data and global research is showing that cyberattacks directed at SMEs are steadily increasing. As a group, SMEs tend to devote inadequate resources, time and funds to cybersecurity with fewer than 3% of all SMEs having cyber insurance,” says Professional Indemnity and Cyber Underwriter at Chubb Insurance South Africa, Jenny Jooste.
Jooste goes on to say that SMEs are a popular target because more often than not, they don’t have the same safeguards larger firms do due to financial constraints.
“Criminals target these companies because their IT controls are not as sophisticated as large corporate companies, and the skills for dealing with these threats are often not specialised, making them perfect targets,” says Jooste.
Cybercriminals have a wide array of tools at their disposal when it comes to committing crimes, and as such the best defence against these crimes is a good offence, or at the very least a good cyber risk management programme.
There is no such thing as being “unhackable”. The simple truth of the matter is that there are far more criminals than those fighting off the criminals and as such cybersecurity has become a case of mitigating risk rather than removing it completely.
The first thing every company should do when creating a cyber risk management plan is to focus on the basics.
Chubb Insurance and Jooste recommend calling in a cybersecurity consultant and asking these key questions:
- Does IT know at which point you want to be alerted regarding a breach?
- Do you have a specific person with responsibility for Information Security (IS)?
- Is there a formal IS policy in place? How often is it reviewed and by whom? Are recommendations acted upon?
- Have you implemented user security awareness training? How often? How relevant is it to your business?
- Is an audit report done on potential areas of risk on operational (non-financial) systems?
- Is someone tracking the evolving cyber-regulatory environment?
- Will someone monitor decisions made by regulators in response to cyber incidents?
- Do you have an appropriate cyber insurance programme in place and do you know how it will work?
- Is your data encrypted?
- Is IT conducting forensic readiness assessments?
- Are incident response plans being tested?
- Has the quality of the back-ups been tested?
- Are effective “real-time” monitoring processes in place?
- Is the type of data and the impact of breach understood? Have you identified critical information security risks and put in place appropriate monitoring and controls?
- Have information resources been classified according to sensitivity and criticality? Have corresponding levels of security been implemented?
- Is dual authentication required for access to critical Information Systems?
- Are users required to regularly update passwords? Criteria?
- Are laptops protected by personal firewalls?
- Is antivirus software installed on ALL systems and are updates monitored?
Education plays a vital role
Many cybersecurity experts will say that people are the weakest point in a firm when it comes to cybersecurity. For this reason, educating the workforce is vital.
“Employees should be aware of the role they play in preventing a cyber breach, especially when company laptops or other devices are used offsite. They should gain access via VPN sign-on procedures and never use USBs. Establish positive and secure habits with regularly scheduled training and education by empowering the IT department to send regular ‘tester emails’ to staff to see who can identify phishing emails,” explains Jooste.
Most importantly, employee education must be continuous, and staff must be made aware of the risks that are out there.
This seems obvious, but all employees in a firm must practise good password hygiene. Passwords should be changed frequently and a mix of letters, numbers and special characters should be used.
It’s also vital that employees who are no longer with a firm are removed from the network as soon as possible.
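The two controls above (password rotation and prompt removal of departed staff) are the kind of thing that quietly lapses unless something checks them. The script below is an added example, not code from the article, from Chubb or from Jooste: it audits a constructed account export against a constructed HR roster and flags enabled accounts that belong to nobody currently employed, plus accounts whose password is older than policy allows. The field names, the sample usernames, the audit date and the 90-day limit are all assumptions for illustration.

```python
"""
Account-hygiene audit (added example): flags accounts that should have been
disabled on departure and accounts whose passwords have aged past policy.

All data below is constructed for illustration. The field names
(username, enabled, last_password_change), the usernames, AUDIT_DATE and
the 90-day limit are assumptions, not values from the article.
"""
from datetime import date, timedelta

MAX_PASSWORD_AGE_DAYS = 90          # assumed policy value
AUDIT_DATE = date(2018, 8, 1)       # assumed "today" for the run

# Constructed sample: a directory export of user accounts (e.g. from AD/LDAP).
ACCOUNTS = [
    {"username": "nmokoena",   "enabled": True, "last_password_change": date(2018, 6, 1)},
    {"username": "jsmith",     "enabled": True, "last_password_change": date(2018, 1, 15)},
    {"username": "tvanwyk",    "enabled": True, "last_password_change": date(2018, 7, 20)},
    {"username": "svc_backup", "enabled": True, "last_password_change": date(2017, 3, 3)},
]

# Constructed sample: HR's list of people currently employed.
CURRENT_STAFF = {"nmokoena", "tvanwyk"}

# Known service accounts are not people; they are exempt from the orphan
# check but still subject to the password-age check.
SERVICE_ACCOUNTS = {"svc_backup"}


def orphaned_accounts(accounts, current_staff, service_accounts):
    """Enabled accounts with no matching current employee (ex-staff not offboarded)."""
    return sorted(
        a["username"]
        for a in accounts
        if a["enabled"]
        and a["username"] not in current_staff
        and a["username"] not in service_accounts
    )


def stale_passwords(accounts, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Enabled accounts whose password is older than the policy allows.

    Returns (username, age_in_days) pairs, sorted by username.
    """
    cutoff = today - timedelta(days=max_age_days)
    return sorted(
        (a["username"], (today - a["last_password_change"]).days)
        for a in accounts
        if a["enabled"] and a["last_password_change"] < cutoff
    )


def audit(accounts, current_staff, service_accounts, today):
    """Run both checks and return the findings as a dict."""
    return {
        "orphaned": orphaned_accounts(accounts, current_staff, service_accounts),
        "stale_passwords": stale_passwords(accounts, today),
    }


if __name__ == "__main__":
    report = audit(ACCOUNTS, CURRENT_STAFF, SERVICE_ACCOUNTS, AUDIT_DATE)
    for user in report["orphaned"]:
        print(f"OFFBOARD: {user} is enabled but not on the current staff list")
    for user, age in report["stale_passwords"]:
        print(f"ROTATE:   {user} password is {age} days old (limit {MAX_PASSWORD_AGE_DAYS})")
```

In practice the two inputs would come from the directory and from HR on a schedule, and the findings would go to whoever owns the IS policy (the checklist above asks who that person is). Keeping service accounts in a separate, known list matters: without it, the orphan check would either miss them or flood the report with them.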
Update or face the music
Updates are a pain but running outdated software could prove to be incredibly risky.
As we saw in 2017, WannaCry ransomware tore through the UK’s National Health Service thanks in part to outdated software that had not been, or could not be, updated.
Updates can contain vital patches for holes that cybercriminals could sneak in through. Ensure that your hardware (including fax machines and printers) and software is up to date, and be aware of who has access to your network and what privileges they have.
Planning for the worst and recovery
We’re combining two points into one here, but both a cyber incident plan and a disaster recovery plan are vital, and they feed into each other.
A business should have a plan in place to address incidents and additionally have a team in place to put that plan into action.
The goal is to have a short response time underpinned by quick resolution of matters.
Should the damage be extensive, however, a disaster recovery plan will allow a firm to mitigate downtime and bring the business back up to running pace. As a bit of a tip, print this plan out and keep it in an easily accessible place so employees can find it. In the event of a real disaster, accessing any company documents might prove tricky.
Cyber insurance is a must buy
Insurance is a dirty word for many so apologies for the offence we might’ve caused.
Just like your other company assets, your data, whether it’s customer data, operational data, or just office emails, should be protected. This has become vital with legislation such as PoPI and the General Data Protection Regulation in Europe: not having adequate protection in place could end up costing millions should you be breached.
“It is evident that the threat of cyber-crime is not going away anytime soon and the cost of a breach can be crippling to a small business. Businesses that embrace the necessary safeguards, together with other measures outlined by their insurer and broker are putting themselves in a strong reactive position to recover with their bottom line and reputation intact,” concludes Jooste.
Mitigating cyber risk is a constant battle but once you have the basics in place it becomes a matter of maintaining the measures that have been put into place.
It might be hard work, but it’s less work than if your firm were to suffer a breach without these measures being in place.