The first and arguably most important cyber resilience measure is always employee education and training. Employees are inevitably the weakest link when it comes to cybersecurity. Every business should, therefore, train and educate staff around cyber threats – and around how to avoid a potential breach. This includes the intelligent and careful use of individual/personal social media accounts and online platforms. Depending on the business, employees might accidentally share business data with competitors…and hackers. Given today’s high threat environment, employees need to be informed around best practices when sharing data about the business – and themselves – online. Additionally, it is critical to develop and implement robust policies around how employees should handle and protect personally identifiable information and other sensitive data. Furthermore, it clearly outlines the consequences of violating the company’s cybersecurity policies.
Minimising software and data security risks:
While every business needs to take proactive measures such as installing anti-virus software and educating staff, leaders must also ensure that the business has recourse in the event of a data breach. So, for example, the business can take out cyber insurance – which has become an affordable option for the SME market. Additionally, leaders need to ensure that they have robust document management and data governance frameworks in place. Then, if there is a breach or the business runs into data compliance issues, leaders can run immediate searches on enterprise data (e-Discovery) and implement an internal audit with a minimal business interruption. The importance of taking these proactive steps cannot be emphasized enough – it is simply a matter of time before a business is targeted! This applies to SMMEs, startups and major corporates alike.
Protection against viruses and malware:
The first and most fundamental step for businesses is to keep their anti-virus software up to date. Importantly, all the devices on the business network must have an anti-virus installed (especially if staff use their work computers at home). Make sure to configure the anti-virus software to install updates automatically. When combating malware, it is also important to try to understand where the business is vulnerable. Today, the growth of Shadow IT is arguably putting many businesses at risk. Shadow IT refers to the use of IT-related software or hardware by a department or individual without the knowledge, control or explicit permission of the organisation’s IT department. Perhaps the most obvious current example is the general use of WhatsApp – people have become so accustomed to using this messaging platform outside of the office, that using it in the workplace (for business communications) is almost second nature. For business owners, and particularly those in the SMME space with fewer IT resources, Shadow IT can present a significant security vulnerability. According to research firm Gartner, by 2020, one-third of successful cyber attacks experienced by enterprises will be on their Shadow IT resources. To tackle this security risk, businesses can enforce a pre-approval process before anyone downloads or brings any device onto the network. Managers can then enforce it with a software-based Group Policy which simply doesn’t allow software or hardware onto the network. Another aspect to look at is BYOD – some organisations segment their network so that these devices have their network that won’t negatively impact the business.
Passwords and encryption:
Employees must be encouraged to use strong passwords, and to change them often. Consider using multifactor authentication that requires more than just a password entry, for a start. Importantly, make sure that all of your suppliers and contractors (such as your bank) use multifactor authentication. Mobile devices that are connected to your network represent a major vulnerability. If employees need to connect to the network via their mobile, then make it a requirement that their phones are password protected. Also, ensure that their data is encrypted and that they have robust security software installed on their phones.
Local, remote and internet data backup systems:
It is imperative that as a business, you regularly back up the data on all computers and devices. Important data includes everything from simple word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Ideally, backup data automatically, or at least weekly – and store the copies either off-site or in the Cloud.
Security challenges from Industry 4.0
As more and more devices become connected and begin ‘speaking’ to each other, the cyber risk will intensify. Indeed, as the Internet of Things (IoT) becomes integrated into industrial and enterprise processes, the amount of data being generated – and shared – will skyrocket. As with most technology development today, innovation and connectivity will have to be tempered by data security. Given the risks involved, security will arguably have to form the foundation of any IoT rollout or initiative. Anything that is connected needs to be protected. Adding more devices, sensors, and things to any network automatically increase the attack surface. In most cases, IoT platforms are intricately linked to business-critical processes and therefore require a comprehensive cybersecurity framework. This aspect may naturally increase the costs associated with IoT rollouts as well as the expertise required. Interestingly, the rollout of IoT across sectors is driving innovation around hardware-based security networks and placing greater emphasis on actual device security. As such, one could argue that the IoT is fuelling innovation and investment into an additional, hardware-based layer of cybersecurity.