In a news environment dominated by political and economic shifts, the devastating effects of cybercrime and data breaches go largely unreported. Yet for small to medium sized businesses (SMMEs) in South Africa, which arguably form the backbone of a teetering economy, cybercrime and data theft are undermining growth and sustainability. While reliable statistics are near impossible to obtain, it is clear that SMMEs are falling victim to hackers on a weekly basis.
Why? Business leaders have clearly not stayed abreast of a cyber risk landscape that has changed dramatically over the past decade. Not only have the nature and scope of the risks evolved, but so too have the tools and strategies required to mitigate them.
For SMMEs, it is critical to understand this evolution and to bring the organisation in line with current (and future) trends....
A simple question of software
When looking back ten to fifteen years ago, cyber security for SMMEs generally equated to a decision around which anti-virus software to choose. As long as the anti-virus was reputable, and kept up-to-date, business leaders could tick the cyber security box. In most cases, this box was probably located towards the very bottom of the business agenda – and budget.
As businesses began to embrace more seamless and accessible Internet connectivity, the cyber threat level began to rise. Employees gained access to social media platforms, and started to harness these platforms for business as well as personal communications. The use of email within organisations became paramount to productivity, along with other emerging connectivity tools such as Skype.
New barriers needed
With employees becoming increasingly 'plugged in', hackers and fraudsters soon identified newbie internet users as soft targets for online scams and phishing. Along with the unwanted tides of advertising and 'junk' mail, these scams prompted businesses to install spam filters along with the trusted anti-virus software.
In addition to targeted attacks, business leaders very soon had to contend with the peril of dodgy websites. As employees delighted in newfound connectivity and web surfing freedom, they blundered their way onto infected sites and unsecured environments. This forced businesses to invest in firewalls as well as more sophisticated anti-virus software.
Mobility & Endpoint Security emerges
Over the past several years, smartphones, laptops and other mobile devices have become integral to modern working environments. Particularly for SMMEs and startups, being able to work and communicate remotely has proven critical to survival. Yet with the proliferation of mobile devices that connect into sensitive business platforms and environments, the cyber risk naturally intensifies. Another way of thinking about it is that as 'entry points' to business information and systems multiply, so too do the risks.
To combat this heightened risk environment and the emergence of mobile working solutions, businesses embraced the concept of 'endpoint security.' In techie terms, endpoint security is simply a security approach that focuses on 'locking down' endpoints — think of individual computers, phones, tablets and other network-enabled devices — in order to keep networks (businesses) safe.
Along with the focus on endpoint security, the heightened risk environment also sparked off interest in penetration testing and vulnerability assessments. Penetration tests are designed and intended to exploit weaknesses within IT networks and thus to determine the degree to which hackers can gain unauthorized access to business information and assets. These tests can be manual or automated and are performed by IT security professionals. Even as recently as five years ago regular tests such as these were considered a nice-to-have but were fairly far down the IT task list. Nowadays they should be near the top.
The devil is in the data...
While the reality of hyper connectivity has deepened the complexity of cyber risks, this connectivity is also fuelling the creation of data. As we have seen in recent years, data has been likened to the new 'oil' of the global economy, and as such, it has become an asset that needs vigilant and well-structured protection. Notably, in the World Economic Forum's Global Risks Report 2019, "massive data fraud" was ranked the number four global risk facing organizations of all kinds.
For SMMEs, which are just as likely to fall victim to data breaches as their larger counterparts, data security now demands a full strategy of its own. To begin with, SMMEs have to harness tools such as SharePoint to implement secure document management. Such tools ensure that employees not only store data in a safe and organised way, but that they can also collaborate on files and safely share information with outside parties.
Moreover, with legislation such as the Protection of Personal Information Act 4 of 2013 (PoPI) and the General Data Protection Regulation (GDPR) coming into effect, businesses of all sizes will have to enforce strict data governance frameworks - or else risk falling afoul of the law.
Moving beyond silos
When assessing the current cyber risk environment for SMMEs, perhaps the most significant element of the digital evolution is that cyber security has become everyone's responsibility: it does not simply fall to the business owner, the tech guy, the manager, etc...every employee has become a target, and similarly, everyone has a role to play. This means that education and internal training has to be the first and most fundamental part of any cyber security strategy.
Today, businesses are still allowing staff to save sensitive data on their own laptops, memory sticks and consumer Cloud platforms like Dropbox, for example - which immediately places the business at risk of a data breach.
As the risks continue to change and evolve, so too do business owners and employees have to elevate their own awareness and online behaviours. Digital transformation continues to propel business and innovation forward, but the dark side of cyber security is casting a formidable shadow...
By Colin Thornton, MD of Turrito Networks.