Cyber security: how to protect your business
Year on year, we see the growing threat of cyber attacks, with various public breaches taking centre stage, highlighting not only the existence of this threat, but its costly nature to businesses across the world.
A study conducted by the French Insurance Federation and the World Economic Forum found that in 2018, cyber risks ranked number one in a list of hazards incurred by companies.
According to the PWC Global Economic Crime Survey of 2018, 31% of businesses experienced cyber crime in the past two years, making it the second most frequently reported fraud in the world, behind only asset misappropriation. Other studies have shown that cyber risks are now among the top concerns for large and small businesses alike.
Bringing it closer to home, according to a Cliffe Dekker Hofmeyr study, due to our high Internet connectivity rates and poor levels of cyber security, South Africa is said to be a top target for cyber crime in Africa. Fewer than 35% of South African businesses have a cyber incident response plan, and it takes, on average, 200 days for businesses to identify a cyber security breach.
Economically, South Africa loses approximately R5.7 billion to cyber crime annually. With these kinds of numbers, it is imperative for companies to prioritise its IT security control measures. Here are some tips to help keep your data safe.
Passwords are a crucial gateway to access sensitive information, therefore, having a strong password policy is imperative. Measures such as password length, not using easily guessable passwords, lock-out after failed authentication attempts, disabling/deleting or changing passwords for all default installation accounts and, where possible, implementing multifactor authentication, should all be considered in safeguarding your business.
Firewalls should be implemented at all breakouts to external networks as well as to segment and further protect more sensitive systems and data on the internal network. Modern firewalls have a host of functionality built into them; use of a next-generation firewall should be a minimum. Experts should be enlisted to configure and manage firewalls to prevent them effectively being expensive boxes with blinky lights.
Mobility and the evolving threat landscape has highlighted the importance of securing the endpoint. Securing the endpoint via traditional signature-based anti-virus has matured to next-generation anti-virus and more advanced solutions such as endpoint detection and response (EDR) and now XDR solutions.
Good news for the consumer is that competition in next-generation solutions such as EDR is fierce, meaning such solutions can be purchased for reasonable prices.
The effectiveness of encryption is often underestimated. Many studies have shown that extensive use of encryption is one of the most effective mechanisms to reduce data breach damages. It stands to reason that even if somebody can gain unauthorised access to data, if they can't interpret it, the resulting impact and damages are greatly reduced. Areas to encrypt include wireless network traffic, data stored on backup drives, portable devices as well as e-mails.
Awareness and training
Creating a security mindset, promoting vigilance and understanding the value of a company's data and assets is a valuable tool in protecting the business. Many hacks are done by exploiting the lack of awareness of cyber threats by employees. Creating a culture whereby all staff, including management, are informed of cyber risks is imperative in securing your business. Awareness and training programmes need to be meaningful as well as test and track comprehension. There are many solutions available which can be used to manage awareness and training campaigns, making awareness and training more effective than generic mailshots, which nobody reads in any case.
At the end of the day, even the best IT security solutions can be breached as hackers gain more skill in breaking a business's defence. This is where insurance can assist to lessen the extent of a crippling cyber breach.
A fundamental aspect of good corporate governance and a resilient risk mitigation programme should include a cyber insurance policy. Cyber insurance, more than any other insurance, allows access to the correct channel of service providers needed to manage and recover from a cyber incident.
Typical cyber insurance policies provide for:
* Costs to respond to a systems security incident, including incident triage, forensic investigation, legal, crisis communication, public relations and credit monitoring;
* Costs to restore, re-collect or replace data lost, stolen or corrupted due to a systems security incident;
* Defence and settlement of liability claims arising from compromised information;
* Defence and settlement of liability claims resulting from a system security incident affecting systems and data, as well as causing harm to third-party systems and data;
* Loss of income and increased cost of working because of a systems security incident;
* Fines and penalties to the extent insurable by law;
* System downtime and consequential loss of earnings; and
* Costs to investigate and mitigate a cyber extortion threat and, if required, costs to comply with a cyber extortion demand.