Cybersecurity in your business starts with you

As a business owner in the digital age, one of the best things that you can do to gear yourself for the future of your industry is to learn how to protect your business and its interests from cyber threats that could lead to damages on a large scale.

One of the most frequent minor inconveniences we face in the modern age is waiting for a program to update before we can use it again. You might find it frustrating if your anti-virus program wants to perform an update every other day, but these updates are vital to your continued safety.

These updates are necessary as every moment that goes by is another moment in which a cybercriminal is attempting to exploit vulnerabilities in the digital universe. In fact, everything we know about cybersecurity right now is already outdated. Do not let it come as a shock or induce panic, though, as there are many practices/steps that you can implement to essentially eliminate all cyber-threats to yourself and your businesses.

Start with yourself

The best leaders learn before they teach others to follow. This is not to say that you need to learn everything there is to know about cyberinfrastructure and cybersecurity before you start speaking to your employees about it. But the only way that those in your employ will trust you enough to listen and take to heart what you say, is if you lead by example.

Take time to familiarise yourself with cyber threats to your business. As a business leader, you are best equipped to identify the areas of your business most susceptible to cyberattacks. Once you have identified the most valuable information your business possesses, you can ramp up your security measures in the right areas to repel or prevent attacks against your company.

Focus on re-learning

As people who have grown up in a society where technology has grown in leaps and bounds over the years, we must not be so naïve as to think that what we knew 10 years ago is still as valid today. Cybersecurity, from now until the indistinct future where we transcend the need for a digital world (which will not be anytime soon), will constantly need to be revised, unlearnt, and re-learnt.

Therefore, from the outset, it is necessary to take a systematic approach to cyber education that constantly revises its practices and implements new safety measures against the multiplicity of threats out there.

Know about the array of cyberthreats out there 

To be best equipped for a cyberattack, you need to be aware of the various avenues for attack that exist and how these points of attack may present themselves to your business.

Web-based attacks 

Web-based attacks make up the largest proportion of all cyberattacks (49%). These attacks are conducted while you are browsing the web and can take a variety of forms: from clicking a hyperlink to a malicious website, to enabling malicious web-scripts, to inadvertently installing malware.

Phishing 

The second largest proportion of cyberattacks (43%) is phishing attacks, which often start over email. Phishing is a method of cyberattack by which cybercriminals entice you to divulge sensitive information while purporting to be reputable sources.

Spoofing 

Spoofing is when someone or something pretends to be something else in an attempt to gain a victim’s confidence, get access to a system, steal data, or spread malware.

Malware 

Malware is a kind of malicious software that compromises a network/device/system. These include, but are not limited to, adware, viruses, trojan horses, and spyware.

Put the infrastructure in place to minimise your risk

As cyberattacks become more sophisticated, so do anti-virus programs (and other cybersecurity tools). Make sure you have the kind of infrastructure in place to maximise your security. Here are some considerations for improving your cybersecurity:

  • Implementing firewalls between datapoints
  • Investing in a reputable (paid) anti-virus/anti-malware solution
  • Encrypting the data you store on your servers
  • Installing a Virtual Private Network (VPN) on your devices

Teach your staff cyber (street) smarts

The vast majority of cyberattacks require at least some kind of human interaction to be successful. While your infrastructure can do a lot to minimise risk, it can never eradicate it. That is why you need to invest in continuous staff training. Make sure to include cybersecurity training as part of your onboarding processes, while continually helping your staff make the best decisions while working online.

Cybersecurity smarts are not only worthwhile in the office, but they are also becoming a necessity outside of the office. Promoting cyber-security as a habit could go a long way to protecting your employees and company no matter where they are.

Test your security

One tactic that many companies have been using to assess their risk of cyberattacks is that of co-ordinating mock security breaches in which employees are targeted with a cyber ‘threat’, which demands a response from them. Those who fail the test must be alerted to the real damages that could have been borne from threats to security and what the consequences of their actions may have been if there was a real security threat. Although it may seem a little drastic, it could very well serve as a much needed wake-up call for those who are naïve in their online activities.

This article is a general information sheet and should not be used or relied upon as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your financial adviser for specific and detailed advice. Errors and omissions excepted (E&OE)

Test your knowledge on cybersecurity

How well are you equipped for handling cyber threats to your business? Take the quiz below to test your knowledge on cybersecurity.

  1. You just received an email from a client telling you to attend to an urgent financial matter with a link to help you.

Do you… ?

a.) Click the link provided to sort out the problem as quickly as possible.

b.) Delete the email because all emails like these are scams.

c.) Carefully assess the sender address and content, and contact the sender via a previously used channel.

There are many cybercriminals out there who are intent on gaining access to company secrets and sensitive information. Whenever an email reflects a sense of urgency and demands immediate action, it is usually a good time to pause and assess all the facts. Fraudsters are known to use seemingly legitimate addresses that mimic real email addresses to lure individuals into clicking malicious links and giving away sensitive information. Whenever you receive an email with an unsolicited link or that presents itself with great urgency, it is best to contact the sender through a known channel to ascertain whether or not their request is legitimate (most of the time it will not be). Be vigilant to avoid this kind of cybercrime known as ‘phishing’.

  2. A strange pop-up just came onto your browser window.

Do you … ?

a.) Reach for the “X” (close) button and click it as quickly as you can.

b.) Inspect the pop-up without clicking anything, and exit the website if the pop-up is unexpected.

c.) Just click accept because you don’t believe that pop-ups can harm your computer.

There are many websites that run scripts that are malicious or have the potential to be malicious. While it may feel instinctual to just reach for the first sign of an exit button, be wary not to click on a malicious link. Many illegitimate and fraudulent ads, pop-ups, and notifications exist on the web that mimic legitimate messages. Always inspect a pop-up and if it is unexpected (especially if it relates a sense of urgency) it may be best to exit the website altogether. Many aids, such as anti-virus and anti-malware software, exist to help users identify bad or potentially hazardous sites.

  3. You’re setting up a new computer and new accounts for an employee.

Do you … ?

a.) Only install the operating system, and give your employee easy to remember passwords like 123CompanyName and trust the basic pre-set antivirus software

b.) Set up the computer with all relevant software, already-strong passwords, and premium security software

Whenever you set up a computer for an employee or set up new accounts for your employees, it may be tempting to simplify the process. However, making sure that you uphold a high level of security from the start is vital to ensure maximum protection. Set up new accounts with strong passwords that cannot be easily guessed and contain an array of lowercase, uppercase, numeric, and special characters. While pre-set antivirus programs like Windows Defender are not completely useless, they cannot provide the same level of security that dedicated anti-virus software can.

  4. You’re working away from home and find yourself seated in a coffee shop.

Do you … ?

a.) Connect up to your own mobile router because you think that is the safest option

b.) Connect to the first available open Wi-Fi network with a name like FREE WIFI

c.) Use a VPN before connecting to any network in the public space

d.) Buy a coffee and just people-watch because you can’t work safely from a coffee shop

Open Wi-Fi networks are extremely dangerous as they have no protocols in place to prevent anyone from reading the data shared on the network. It is not advisable to connect to an open network, and where open networks are used, make sure that they are legitimate (in the scenario above, you might ask a waiter for the coffee shop’s Wi-Fi name and password – if the Wi-Fi is password protected) and use a VPN program to encrypt the data sent from and to your device. It should be noted that although VPNs are largely effective in hiding data from cybercriminals, they are not a failsafe as there may be delays in the connection between the network and connection to the VPN (in which your details could be briefly exposed). It is always best to use a trusted network.

  5. A new employee has just joined your company.

Do you … ?

a.) Educate them on things to look out for online and teach them to practice online safety

b.) Let them read through a policy and hope they understand the security measures that you have in place

c.) Trust them to know good security practices because their generation knows internet security a lot better

Proper cyber-security in your business relies on adequate training and retraining — regardless of age and experience, you cannot rely on the new employee to be aware of all the security threats that your business may face. While online safety policies may provide guidance and give you a method of keeping employees accountable for digital safety, they do not physically provide that safety. Always keep educating and retraining your employees (even established ones) on cybersecurity practices, thereby establishing a company-wide reverence for digital security best practice.

  6. Your employee does not have a personal computer and wants to use their work device for personal purposes.

Do you … ?

a.) Tell them that the device is only for work purposes and is not to be used for personal tasks, leaving them disappointed

b.) Avoid being a spoilsport and let them go to town with the device

c.) Tell them that it’s okay to use it for personal tasks as long as they take strict security measures

Even if you want to exude a ‘cool’ attitude and have your employees like you, letting them use work devices for personal use is highly irresponsible. If you do not set strict boundaries regarding the use of company assets, you open up yourself and your data to a world of unnecessary risk. Even if you have the utmost faith in your employees, you should always designate company devices for strictly professional work. You may also want to add administrator privileges to ensure that your employees are unable to install/uninstall any software that you have not authorised.

[Answer key: 1.c, 2.b, 3.b, 4.a (or c), 5.c, 6.a]
