Carey van Vlaanderen, Chief Executive Officer, ESET South Africa
South African small businesses are particularly vulnerable to cyberattacks. Why? Business owners aren’t taking the necessary precautions to protect their digital assets, often with dire financial consequences.
In fact, some reports indicate that more than 60% of all data breach victims are businesses with under 1,000 employees.
In a business environment where every cent counts, preventative measures must be weighed against the costs of not having IT security protection in place. Threats are becoming more prevalent, as there is a rise in online activity and hybrid working across the globe and here in South Africa.
Secret password attacks increased by an alarming 104 percent in less than a year, according to ESET’s 2021 threat report. That equates to 55 billion new attacks detected in less than six months. The latest statistics make for sobering reading and underscore the high probability of South African businesses being targeted by sophisticated criminal networks. The sheer number of attacks means it’s a question of when, not if, a compromise is launched on any given business network, regardless of size.
Ransomware attacks are also on the rise, with massive consequences for organisations of all sizes. Just one example is a supply-chain attack that leveraged software vulnerabilities in an organisation’s IT management system. This ransomware event was accompanied by a USD 70 million ultimatum to regain control of the company’s digital assets and operational control.
Digital compromises occur in mere nanoseconds. The cost-benefit analysis is obviously relative to the cost of digital business disruption. Estimates suggest that more than half of businesses fail within six months after a hack, making this phenomenon a critical component of business survival and success.
So what is the solution for organisations with large security demands, but small security budgets?
Installing the first (and, often, least expensive) anti-virus program you can find is not enough. In today’s highly connected world, a robust, company-wide cyber-security policy is essential.
This policy should outline your organisation’s cyber-security defence strategy, including which assets must be protected, the threats to those assets and the security controls required to mitigate such threats.
Here are some important points to consider:
- Security systems: Outline which controls are implemented and the threats they address, such as anti-virus software and firewalls. These controls are essential and, today, there are many cost-effective products on the market specifically designed for SMEs. Include guidelines on how updates and patches will be applied, such as how regularly browsers and operating systems will be updated. Software providers regularly release patches to fix identified vulnerabilities, and these should be implemented as soon as possible.
- Training: A chain is only as strong as its weakest link and it can take just one mistake from an unassuming employee, whether an executive or an intern, for criminals to gain access to your systems. Your policy should outline how employees will be trained in identifying suspicious situations and protecting confidential data. It should also address what happens when an employee doesn’t follow protocol. In most cases, staff error isn’t an isolated incident, but rather a sign that training isn’t adequate.
- Remote access: Employees’ home connections are usually less secure than internal company networks. As such, these employees should either be supplied with secure equipment and networks, or prevented from accessing sensitive company information. The solution will depend on the company’s unique situation.
- Password requirements: Weak passwords are one of the biggest security threats, so system-generated password requirements or password rules are essential. Passwords should be at least eight characters long and combine upper- and lower-case letters, numbers, and special characters.
- Back-ups: Company data must be backed up regularly, preferably encrypted and with access protected by multi-factor verification, so that work can continue if systems are compromised.
With the groundwork of a carefully thought-out policy in place, it simply becomes a matter of adhering to and enforcing it. The pay-off is the peace of mind that even though you may be small, your company’s assets, and the employees who rely on it, are as safe as they can possibly be.