Keeping any business secure is a tough but necessary task, particularly for smaller businesses that don’t always have the funds to put sufficient cybersecurity measures in place. Many companies think they are too small or obscure to become cybercrime victims, however, the Council for Scientific and Industrial Research (CSIR) estimates that cybercrime costs the South African economy R2.2 billion annually, much of which is from targeting individuals and small businesses.
Like a mugger waiting in a dimly-lit street, cybercriminals are opportunists. According to Gerhard Swart, CTO at cybersecurity company, Performanta, criminals most often choose their targets based on security weaknesses. These criminals use automated scripts and bots to sniff out companies with poor security, and then find a way in. Some criminals specialise in only breaching, while others prefer stealing data or extracting payment from victims.
“The most common attitude I encounter at a breached company is ‘Why me’? The owners often think it’s personal, that they were targeted for specific reasons. There are definitely reasons that make a target more appealing to criminals, but in almost all cases, companies were attacked because their security was lacking. It’s as simple as that: the bad guys found a gap and exploited it. So, it’s logical to make your business as unattractive a target as possible,” says Swart.
How can companies become unattractive to online criminals? It’s the same logic as securing physical areas: make it complicated by creating numerous obstacles to overcome. These obstacles include security software and services, but also staff training and basic security hygiene.
Such measures cost money and skills, which cash-strapped businesses struggle to afford, but there are ways to get ahead of the bad guys and put those obstacles in their way.
1.Basic cybersecurity training for owners
Astute business owners and managers need a diverse range of knowledge. They take courses on bookkeeping, labour rights, industry trends, and so on. Do the same for cybersecurity: there are many cheap courses that give a good foundation in cybersecurity fundamentals. Visit services such as Udemy or LinkedIn Learning for options. Also, check with local business and professional groups to see if they offer cybersecurity courses or advice.
2. Train staff proactively
Companies can have excellent security, but they will become a target if their staff isn’t prepared. And a company with weaker security but alert staff can be harder to breach than what security technologies can achieve on their own. People are both the weak spot and strongest countermeasure. Help educate them (maybe send them some of the courses mentioned above). Find employees who will champion security and spread good habits. Above all, use collaboration, not punitive measures. Scared employees are not as effective as invested employees.
3. Have a plan
If your house catches fire, do you know what you will grab while you escape the blaze? If you anticipated a fire, you would likely put all your valuable documents in one place for easy extraction. The point is that when trouble hits, you don’t have time to make plans. Create a security process plan. Identify your most important assets (such as customer information),and mitigate risks by having backups and procedures to get those assets back online. Also, designate people for roles such as who will lead emergency triage, clean-ups and investigations.
4. Establish security basics
Many companies fall victim to online crime because they didn’t cover the basics. A little bit of policy can clear that up. Mandate strong passwords (and regular password changes), add multi-factor authentication (often already an available feature in business software), regularly patch software, use firewalls and antivirus software, and identify and de-risk the most crucial business assets. Encourage user awareness and discuss security challenges in your sector with peer businesses.
5. Consider Managed Security Services
Security is a business cost, and while it’s unwise to underspend on cybersecurity, you can be frugal and gain maximum value for your budget. Managed security service providers offer services that run security on your behalf. They are typically modular and easy to customise, so you can be very specific about where to focus your security priorities and costs. Managed security services are also an excellent way to add security skills to your protection without hiring people internally at a greater cost.