South African businesses need to take a hard look at their existing IT security, systems and processes. Make no mistake, it is not only major multinationals that fall victim to large scale attacks – businesses of all sizes, including SMEs and startups, are vulnerable to wily hackers. Just look at what happened to comedy agency Goliath & Goliath: the company lost thousands of rands in what appeared to be a phishing-type attack.
Statistically, it turns out that humans are often the weakest link, and the first step, therefore, is to educate employees about the risks in cyberspace and enforce regular training and testing. Besides, there are very practical steps to take that SMEs can immediately implement to make their business more secure – without breaking the bank.
Keep Your Anti-Virus Updated
First things first, all the devices on your network must have an anti-virus installed (especially if staff use their work computers at home). Always make sure that all devices have the most up-to-date anti-virus software and definitions installed. There are many good anti-viruses available, but be sure to choose a reputable, well-respected one (beware free offers). Also, make sure it installs updates automatically.
Secure your Perimeter
Ensure that your Internet connection is protected – install a firewall and follow recommended security standards to close ports which don’t need to be open or ports which are often targeted (like the standard RDP port 3389). If ports have to stay open for access, make sure that any accounts needing this access have complex usernames and passwords. Also, make sure your firewall’s password is complex and change the default username to a non-dictionary name (e.g. User123).
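As an added example (not part of the original article), a small Python audit of the exposed-port advice above: it reads a listing of listening TCP sockets in the layout of `ss -tln` output, ignores loopback-only services, and flags anything bound to all interfaces that is either a well-known target such as RDP on 3389 or not on an explicit allow list. The port lists and the sample output are constructed for this example and should be tuned to the services a given business actually needs to publish.

```python
"""Audit a snapshot of listening TCP sockets the way a firewall review would:
loopback-only services are fine, anything reachable from the network must be
either explicitly allowed or questioned, and well-known targets get a warning."""
import re

# Assumed lists for this example: commonly targeted ports the page warns about
# (RDP on 3389 in particular) and the only ports this business publishes on purpose.
HIGH_RISK_PORTS = {3389: "RDP", 445: "SMB", 23: "Telnet", 21: "FTP", 5900: "VNC"}
ALLOWED_PUBLIC_PORTS = {443: "HTTPS"}

# Constructed sample in the layout of `ss -tln` output (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22            0.0.0.0:*
LISTEN  0       128     0.0.0.0:3389          0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432        0.0.0.0:*
LISTEN  0       128     *:443                 *:*
LISTEN  0       128     [::]:445              [::]:*
"""

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")
LOOPBACK_ONLY = {"127.0.0.1", "::1", "[::1]"}


def parse_listeners(text):
    """Return (local_address, port) for every LISTEN line in the listing."""
    found = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def audit(text, allowed=ALLOWED_PUBLIC_PORTS):
    """Return (port, severity, note) for each listener reachable from the network."""
    findings = []
    for addr, port in parse_listeners(text):
        if addr in LOOPBACK_ONLY:
            continue  # bound to loopback only: not reachable from other hosts
        if port in HIGH_RISK_PORTS:
            findings.append((port, "HIGH", f"{HIGH_RISK_PORTS[port]} exposed; close it or restrict access"))
        elif port not in allowed:
            findings.append((port, "REVIEW", "not on the allow list; confirm it must be open"))
    return findings


if __name__ == "__main__":
    for port, severity, note in audit(SAMPLE_SS_OUTPUT):
        print(f"{severity:6} port {port}: {note}")
```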
Establish robust IT security policies & procedures
Develop and implement firm policies around how employees should handle and protect personally identifiable information and other sensitive business data. Almost all business data should be kept out of the public domain, no matter how innocent it may seem. Establish firm social media policies, as social hackers gather most of the data they use in the lead-up to an attack from social media. Furthermore, clearly outline the consequences of violating your business’ cybersecurity policies. Lastly, make sure staff understand what they are and are not allowed to do with business data; for instance, you may only allow access to business data on business devices. Copying data onto a memory stick could be prohibited and enforced with technical controls.
Educate your staff & hold them accountable
Train staff on cyber threats and on how to avoid a potential breach. This includes the intelligent use of business and personal social media accounts and online platforms, but also caution when clicking on links or opening attachments. Given the evolving high-threat environment online, employees need to be informed of best practices and kept up to date.
Make sure all resources are (highly) protected
Employees must be encouraged to use strong passwords, and to change them often. Consider using multifactor authentication that requires more than just a password entry, regardless of whether the user is inside the network or outside it. Importantly, make sure that any online portals from suppliers, partners and contractors (such as your bank) use multifactor authentication.
Implement regular back-ups and data-continuity
It is imperative that, as a business, you regularly back up the data on all computers and devices. Important data includes everything from simple word processing documents, electronic spreadsheets, databases, emails, financial files, human resources files, and accounts receivable/payable files. Ideally, back up data daily, or as often as possible, and store the copies both on-site and in the Cloud. When creating a backup policy, don’t just consider how secure it is, but also how long it would take to restore.
Create a mobile device plan
Mobile devices that are connected to your network represent a major vulnerability. If employees need to connect to the network via their mobile, then make it a requirement that their phones are password protected. Also, ensure that their data is encrypted and that they have robust security software installed on their phones. Many encryption programs are included free with operating systems.
Today, no business can afford to ignore the massive threat that hackers represent – and it is up to everyone within the enterprise, from CEOs to interns, to stay on high alert!