Be proactive about your cyber security
The threat of cyber attack is increasing exponentially in our digital world. Enterprises seeking to avoid becoming another crime statistic need to be proactive in how they implement cyber security.
There can be no doubt that in today's digital world, a cyber attack can be extremely costly for a business. Firstly, such a breach may well inflict financial damage on the organisation, owing to business being lost after the fact, or because of the cost of remediation. The other side of the coin is the potential for massive reputational damage. A cyber attack may lead to a loss of customer trust in the company, while having a reputation for poor security will make it tougher to win new contracts.
Worse still, such attacks are only increasing in frequency and severity. Just locally, there have been several high-profile breaches in the past couple of years, including one involving the personal records of nearly a million South African drivers, allegedly from online traffic fine Web site ViewFines. Most people will also remember when seven million people were compromised after Ster-Kinekor was breached. And they will remember when over 60 million South Africans' personal data, from ID numbers to company directorships, were affected when Jigsaw Holdings, the holding company for a number of real estate agencies, was breached in the largest local attack recorded to date.
Pedro Maia, managing director of IntDev, points out that with highly sophisticated attacks now commonplace, enterprises would be better off assuming they will be breached at some point, and therefore implementing the tools required to help them detect and respond to such malicious activity proactively.
"There are multiple reasons why cyber security threats are growing significantly. Not only are hackers becoming more well-funded and highly skilled, but the increasing availability of hacking tools and programs online means even lesser-skilled individuals can create havoc for your business," he says.
"Moreover, it's not only cyber criminality that is driving increased investment in cyber security. A growing body of legislation, including the EU's General Data Protection Regulation (GDPR) and our own Protection of Personal Information (POPI) Act, is also forcing organisations to take security more seriously than ever, or face heavy fines."
Maia adds that the key to effective security lies in being proactive, rather than reactive. It is, after all, better to fix the hole in the boat than to continuously try to bail water out of it. Being proactive allows your business to get ahead of the problem and address the issue at its core, instead of merely treating the symptoms.
"For those organisations seeking to be proactive, my advice would be to firstly assess your current security status, in order to know where you stand. Once the existing playing field has been established, the company can focus on establishing comprehensive security against data breaches.
"To begin with, a proactive security approach will require the full support of top management, which in turn entails getting your executives to understand the scale of the threat, along with the potential consequences of inaction. Another critical step is to ensure your organisation utilises continuous or real-time backup, to mitigate against losing or being locked out of your systems."
Maia suggests that encryption is a very powerful tool when it comes to keeping corporate data safe from outsiders, so corporate-wide encryption is a vital arrow in your proactive security quiver. He also advises putting together some form of 'living' security policy to co-ordinate the enterprise's various security efforts. By 'living', he indicates that the document should constantly be updated and in continuous evolution, as the security landscape itself changes.
"In today's climate where 'bring your own device' (BYOD) is virtually standard practice, it is also more critical than ever to ensure that employees from the reception desk to the C-suite understand the basics of security, such as the risks inherent in sending and receiving unencrypted e-mails, clicking on e-mail links and opening attachments. Regular, company-wide training on this subject should therefore be a given.
"Finally, in the modern world, security simply has to be implemented in a layered approach. Today, having a firewall and antivirus programs in place is simply not enough on its own. Organisations should also be putting in place breach prevention tactics, which encompass everything from internal intrusion prevention devices and anti-malware gateways, to anti-phishing e-mail systems and any number of others. In the end, the best breach prevention system will document and mitigate risk, and will also provide network access control and quarantine high-risk, rogue and infected devices," he concludes.