By Rob Rafferty
In my previous article, I discussed the false sense of security when it comes to cyber insurance, and the need to complement such insurance with certain prevention practices in your business.
There are simply too many cyber threats out there to carry on without an approach specifically focusing on the prevention of cyber threats. In fact, I would go so far as to identify a specific partner or director to take responsibility for this, to implement a program and to report on it.
In order to prevent a cyber-attack, you need to understand what it is. Simply put, it is the exploitation of your system or network. The manner in which you are compromised could include theft or leaking of data, ransoming your data (being held hostage), identity theft or fraud (imagine the banking details being changed on your invoice), compromising your computers, and so forth.
I believe that the most important prevention practices are the following:
– Does your staff know where to save their documents? (If your answer is on their desktops, then it is wrong, since that desktop does not get backed up to your server.)
– Do you have important documents saved on your desktop?
– Do you know which programs each staff member has on their computer? And have you physically checked?
– Do you know how many staff members know the Wi-Fi password? And have you physically checked how many mobile phones are on your Wi-Fi?
– Do visitors get the same Wi-Fi password?
– Have you physically checked whether social media is being accessed via your network?
– Are you confident someone in your office will not click on a dodgy e-mail?
– How many staff access their work e-mails via their mobile phones?
– Do any of your staff still have Windows 7 on their machines?
I can carry on for days with similar questions, but you get the idea. Start at the start and ensure that your rules are in writing. This can be encompassed in a policy which you can call a ‘Network Access Policy’ or something similar. Make sure your staff know the content (the ‘I did not know’ defence) and make sure they have signed it. Lastly, monitor your network to confirm they are adhering thereto.
The first time our business ran a simulated exercise containing ‘fraudulent’ e-mails with various degrees of finesse, the results were horrifying. People simply do not think when it comes to dodgy e-mails, and some links really look legitimate to an untrained eye. This is why staff awareness is so critical and so effective.
At every month-end staff meeting, our business runs a cyber-attack awareness session that must be attended by everyone. We actively run through different scenarios and questionnaires. I know this takes effort, but it is critical that you implement a regular awareness training program in your business, which must at the very least include –
– how to ascertain the authenticity of a link or attachment;
– how to ascertain the authenticity of the sender’s e-mail address;
– how to identify certain risk identifiers (for example, urgency); and
– practical examples, and yes, which staff got it wrong.
At the end of the day, you need to tweak your staff’s common sense and instil a sense of suspicion and awareness when it comes to e-mails, WhatsApp messages, SMSs and even phone calls.
– Do you know what the staff member’s home environment looks like? For example, are there children or a spouse using the work computer for their homework or social media?
– Do you have specific software in place to manage the access of these remote devices?
– Do you have rules in place for remote access? For example, may your staff log on to the coffee shop Wi-Fi when remoting into your network? Are these rules in writing?
– You have a firewall in your business. Know its name, and Google how effective and reputable it is. Decent firewalls are extremely effective.
– Create a password policy listing the rules that passwords must satisfy. Minimum length and differing character types are critical. Ensure that your information technology (IT) team enforces these password rules across the whole domain via Windows Server Group Policy, rather than relying on each staff member to comply voluntarily.
– Create a Wi-Fi policy. Limit who may have the password and for what use. Ensure that your Wi-Fi is split between guest access and business access. Never allow guests on your business access.
– Access your own network via your staff’s computers as a test. Ensure that staff have access only to the specific drives they are supposed to have access to. It is scary how many staff members have ‘stumbled’ onto salary slips of other staff.
– Get software that can check your network for unapproved programs. There is some great freeware that can do this for you. Then delete those unapproved programs.
– Have a long hard look at how you are backing up your servers. Know how often backups occur, where the data is stored, and for how long the copies are kept. If the backup is on a removable drive, you are under a false sense of security: a drive that stays plugged in is encrypted by ransomware along with everything else, and a drive that is carried around is easily lost or stolen. There are great cloud hosting backup solutions available.
– Consider the physical security of your local servers and laptops. Have rules in place for who may access what in your business. Fiercely enforce the locking of sensitive rooms, such as the server room, the finance and human resources offices, and the directors’ printer room and offices, when not in use.
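Several of the items above (enforcing password rules through Group Policy, finding unapproved programs, and spotting machines still on an old Windows version) can be checked from one script rather than by walking from desk to desk. The PowerShell below is an added illustration of such an audit; it is not from the article or from FutureSoft. It assumes a Windows Active Directory domain, the RSAT ActiveDirectory module on the administrator’s workstation, WinRM enabled on the staff computers, and an account permitted to read their registries. The password minimums and the list of approved software are constructed example values that a firm would replace with the contents of its own written policy.

```powershell
# Added audit illustration (not the article's own code). Assumes the RSAT
# ActiveDirectory module, WinRM on the target machines and an admin account.
Import-Module ActiveDirectory

# Minimums the firm's written password policy might require (constructed values).
$PolicyMinimums = @{
    MinPasswordLength    = 14
    PasswordHistoryCount = 24
    LockoutThreshold     = 5
    ComplexityEnabled    = $true
}

# Programs the firm has approved (constructed allow-list, matched on the
# beginning of the program's DisplayName as shown in "Add or remove programs").
$ApprovedSoftware = @(
    'Microsoft 365', 'Microsoft Office', 'Microsoft Teams', 'Microsoft Edge',
    'Microsoft Visual C++', 'Adobe Acrobat', 'Google Chrome', 'Mozilla Firefox'
)

function Test-DomainPasswordPolicy {
    # Compare what Group Policy actually enforces with what the written policy requires.
    $policy = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in $PolicyMinimums.Keys) {
        $required = $PolicyMinimums[$name]
        $actual   = $policy.$name
        # Booleans must match exactly; numeric settings must meet or exceed the minimum.
        $ok = if ($required -is [bool]) { $actual -eq $required } else { $actual -ge $required }
        [pscustomobject]@{ Setting = $name; Required = $required; Actual = $actual; Compliant = $ok }
    }
}

function Get-InstalledSoftware {
    param([string]$ComputerName)
    # Read the uninstall keys (64-bit and 32-bit hives) on the remote machine over WinRM.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $paths = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            Select-Object DisplayName, DisplayVersion, Publisher
    }
}

function Find-UnapprovedSoftware {
    param([string[]]$ComputerName)
    # Report every installed program that does not match an allow-list entry.
    foreach ($computer in $ComputerName) {
        Get-InstalledSoftware -ComputerName $computer | ForEach-Object {
            $name = $_.DisplayName
            $approved = $ApprovedSoftware | Where-Object { $name.StartsWith($_, 'InvariantCultureIgnoreCase') }
            if (-not $approved) {
                [pscustomobject]@{ Computer = $computer; Software = $name; Version = $_.DisplayVersion; Publisher = $_.Publisher }
            }
        }
    }
}

function Find-UnsupportedWindows {
    # Domain-joined computers whose recorded operating system is still Windows 7.
    Get-ADComputer -Filter * -Properties OperatingSystem |
        Where-Object { $_.OperatingSystem -like '*Windows 7*' } |
        Select-Object Name, OperatingSystem
}

# Usage: run from an administrative workstation. Each report can be pasted into
# the month-end directors' pack as the feedback item the article recommends.
Test-DomainPasswordPolicy | Format-Table -AutoSize
Find-UnsupportedWindows   | Format-Table -AutoSize
$workstations = (Get-ADComputer -Filter 'OperatingSystem -like "Windows 1*"').Name
Find-UnapprovedSoftware -ComputerName $workstations |
    Sort-Object Computer, Software | Format-Table -AutoSize
```

The allow-list approach is deliberate: listing what is permitted and flagging everything else is far shorter to maintain, and far harder to evade, than trying to enumerate every program that is forbidden. Machines that do not answer over WinRM should be treated as findings in their own right, since a computer the IT team cannot reach is also one it cannot patch or monitor.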
Please do not get paralysed or overwhelmed. Make the effort to understand the products your IT team has installed, or get an independent IT audit. Make it someone’s duty to implement these processes and ensure that feedback becomes a reportable item at your month-end directors’ meetings. Every little bit helps.
Rob Rafferty BProc (UFS) LLM (UNISA) Adv Tax Cert (UNISA) Post Grad Financial Planning CFS (UFS) ISO 27001 Practitioner Certificate is a non-practising lawyer, director, and the CFO of FutureSoft in Centurion.
This article was first published in De Rebus in 2024 (March) DR 13.