In the latest in our series of 'all you needed to know but were too afraid to ask' articles, we offer some simple cybersecurity tips for the smaller entity
Studying this technical article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We'd suggest that you use this as a guide when allocating yourself CPD units.
This article was first published in the July/August 2018 Africa edition of Accounting and Business magazine.
Has your business been hacked or lost your clients’ personal data? If the answer is yes, you’re far from alone.
The global average cost of a data breach (when sensitive, protected or confidential data is copied, viewed, stolen or used by an unauthorised individual) in 2017 was US$3.62m, according to research from IBM and the Ponemon Institute. The average cost to the hacked organisation for each lost or stolen record containing sensitive and confidential information was US$141.
The average size of a data breach (the number of records lost or stolen) was 1.8% bigger than the previous year. The country with the highest cost, both per record and per incident, was the US, while Brazil and India had the lowest cost per record and per incident.
Africa too has a cybercrime problem. The latest Africa cybersecurity survey from Nairobi-based consulting firm Serianu puts the continent’s cybercrime losses at US$3.5bn in 2016 and notes that cybercrime is escalating in African cities where internet connections are faster.
Here, then, are some top tips on making sure you’re protected.
You don’t need to deploy a large IT budget to minimise the cybersecurity threats to your organisation. Business and technology groups, including ACCA, offer training and advice on cybersecurity.
Do a review
List everything in your business that could be at risk from cyber attack, such as money, IT equipment, pricing information and product designs. Then work out what form these threats could take – for example, theft of, or unauthorised access to, computers, laptops, tablets and mobiles; an external attack on your IT systems or website; criminals gaining access to information through your staff.
Next, estimate how cyber attacks could affect your business: financial loss, fines from regulators, loss of business due to reputational damage.
Finally, try to fix gaps in your IT security, such as by updating anti-virus software and improving security training for your staff. Review your cybersecurity procedures and technology regularly.
Back up data
The loss of data critical to the running of your business can have serious consequences. This need not necessarily be from a cyber attack; it could also be from hardware or software failure.
Identify data you need to back up (eg documents, photos, emails, contacts and calendars in common folders). Keep backups separate from your IT systems.
Consider using cloud services, which store data online in a location away from your offices/devices. You’ll also be able to access it quickly, from anywhere.
Check that your data backup supplier has good IT security. Back up data daily. Most network or cloud storage products can automatically back data up.
Get malware protection
Malicious software (malware) is software written to infect and compromise legitimate software and devices. The main defence against it is anti-virus software. Install and turn on anti-virus software for all computers and devices. Install approved anti-virus programs only.
Prevent users from downloading unauthorised third-party apps.
Make sure you keep IT systems up to date by applying patches from software and hardware suppliers. Most security software will have an option to automatically apply a patch whenever a new one is released.
Remember to replace software and hardware that’s not supported by suppliers because it’s too old.
And ensure that you switch on your firewall (the security device that monitors incoming and outgoing traffic in your organisation’s computer network and decides whether to allow or block traffic based on a defined set of security rules). Most operating systems incorporate firewalls.
Businesses are increasingly reliant on mobile technology. But mobile devices and systems can be your organisation’s weak link. Make sure you:
- switch on password protection
- can track, lock and wipe lost or stolen devices
- keep your mobile apps and operating systems for mobile devices up to date
- don’t use unknown wi-fi hotspots.
Be smart with passwords
Passwords can help prevent unauthorised access to devices and networks. Apply these golden rules:
- Switch on password protection.
- Use two-factor authentication for important accounts. This requires the user to submit another type of information in addition to their password. It is often an item of personal information, but biometric data (such as a fingerprint scan) can also be used to verify identity.
- Avoid using easily guessable passwords, such as family names or things like ‘pa55word’.
- Change default passwords.
Prepare for phishers
Phishing is a type of fraud in which criminals send emails claiming to be from reputable organisations such as banks. Phishing fraud is becoming more devious as well as more common.
Make sure that you do the following:
- Configure accounts to reduce the impact of successful attacks by giving your employees the lowest possible level of IT privilege (the information they can access and change) for them to do their job.
- Educate staff to spot requests that are unusual – for example, sending a large, one-off payment to a supplier, or providing their passwords or credit card details.
- Be aware of what to look out for. Although phishing emails are becoming more sophisticated, there are usually still signs that they are dodgy – for example, incorrect or inappropriate email addresses and poorly worded messages.
Train your staff
Encourage staff to report all cyber attacks. Knowing that you have been attacked enables you to manage the recovery. If you’re unsure about any aspect of cybersecurity, consult an expert. Don’t leave it to chance.
ISO/IEC 27032:2012 is an international standard for cybersecurity. It is a set of guidelines that cover information security, network security, internet security and the protection of ‘critical information infrastructure’. Make sure your business complies with it.
Take out insurance
First-party insurance covers your business’s assets. It may include:
- loss or damage to digital assets such as data or software programs
- business interruption
- cyber extortion, where third parties threaten to damage or release data if money is not paid.
Third-party insurance covers the assets of others – typically, your customers. It may include:
- security and privacy breaches, and the investigation, defence costs and civil damages associated with them
- multimedia liability, to cover investigation, defence costs and civil damages arising from defamation and breach of privacy
- loss of third-party data, including compensating customers.
Plan for an emergency
Have a plan for responding to a serious cybersecurity attack. It should include verifying the extent of damage caused by the attack and mitigating it, reporting the incident to the relevant national authority, and testing your data backup and business continuity systems.
Nick Huber, journalist