As recent headlines prove, South Africa is no stranger to data breaches - not even massive ones. If you still think you won’t be a target, you’re setting yourself up for a nasty surprise - one that could destroy your business. Other than hefty fines and lots of downtime, you risk losing trust among your customers and could even expose your business to lawsuits. So the ‘wait and see’ strategy towards cyber defence is not smart at all.
Cybersecurity is very necessary today. It can’t be an afterthought and should be part of your enterprise’s daily operations. How do you make this happen? If you can get all hands on deck, it’s not as daunting as it may seem...
Create company-wide responsibility
Many companies still make security the problem of the IT department. But this actually makes little sense because company data is important to the entire business. It’s also dangerous because cybercriminals don't think in that way. They don’t just target the IT people: they target everyone. If everyone’s a target, everyone needs to fight back!
Security awareness should be on the agenda for all company leaders. It must be a board-level discussion, with the CEO setting the tone and lead for the topic. It should be part of risk and strategy discussions and implemented early on.
Identify the crown jewels
Trying to protect everything in the business can be too much. But the good news is that criminals aren’t after the cleaning roster or Monday morning joke emails. They want your company’s crown jewels: financial records, customer databases, trade secrets, R&D reports, client accounts…
Your business needs to decide what those assets might be, as well as how they are reached. Identify which people have access or how someone could track their way through your business to get to these assets. This process may require you to also start classifying data, which is a necessary step if you ever want to use predictive analytics or other data services. So in a way security can help you get your data to work for your business.
Secure the necessary assets
Once you know what it is that criminals will be after, you should take steps to make sure they are protected. This can be done in a variety of ways, depending on what you want to protect. For example, you’ll want to put security on user devices such as laptops and smartphones (called ‘point security’) to stop any successful phishing, ransomware or malware attacks. At Vodacom, we secure our and customer devices using Norton security.
You want to segment your network to make it harder for attackers to move around. A secure parameter isn’t enough: assume bad guys can get in and roam your systems. So make that harder through segmentation and monitoring tools. Also, consider adding two-factor security to crucial accounts. Finally, be sure to have a disaster recovery system in place to repair any damage.
Create incident response plans
Assume that at some point you’ll be breached. While you should do everything to avoid a breach, it’s impossible to do so entirely. So be prepared by creating and testing incident response plans.
Let’s say someone accidentally clicks on a link that installs ransomware. Your files are rapidly being encrypted and made useless. But if you have a response plan you know who should be in charge, what is under attack, how to stop the spread and how to undo the damage. This is because the plan appoints the right individuals, which will be both security teams as well as leaders from the departments being affected. The plan also stipulates quarantine procedures, thus helping stop the spread.
Of course, if you had no plan, none of that would happen and you’d lose the data.
Your employees are often the unintended source of breaches: they click on bad links, get duped by clever emails and sometimes even do it on purpose - such as what happened at Tesla. It may be tempting to get rid of people, but that is unwise. People are also your eyes and ears: if they are aware-enough, they can spot an attempted attack better than any machine.
This requires user education: train them on both basics such as good passwords, as well as risks specific to their roles. For example, executives might be targeted through ‘spear phishing’, which is when criminals tailor trap emails specifically for individuals (such as an email pretending to be for their child’s school fundraiser). Another example is social engineering: criminals phoning in or even showing up in person, pretending to be someone else. Don’t underestimate how dedicated and focused cybercriminals can be: catching your people unaware is their job, so make sure security awareness is part of your people’s jobs.
Conduct regular tests and audits
Is your staff trained? Are your plans ready? Have your security measures been put in place? Great job! But security is not just a box you check. As mentioned, cybercriminals evolve and plan every day to find new ways to your data. In some cases, such as the Facebook/Cambridge Analytica scandal, it could simply be a failure of company policy and not even a breach at all. There are many ways your data can be stolen and abused.
The best way to find those weak spots is through tests and audits. Run different scenarios to see if a plan works. Send dangerous emails to see if employees are paying attention. Use the services of penetration testers to see if your systems can catch and block people trying to sneak in.