While there are endless products available that promise to deal with cyber-attacks, they will all tell you that they don’t guarantee 100% security. The fact is that the nature and scope of cybercrime is so vast that there is no solution that can do everything, even the ones you pay a fortune for.
When it comes to the SME (small to medium enterprise) market, the cybersecurity issue is worse. These companies have restricted budgets and rarely have the skills required to effectively manage their cyber risks. Henk Olivier, MD of Ozone IT Distributors recently did some research into what the main vulnerabilities in this sector are.
While Olivier can list pages of risks and vulnerabilities related to hardware and software used in these companies, he found that the primary cyber risk SMEs face is a lack of knowledge and understanding of how to do the basics to reduce your cyber-attack surface.
Olivier provides the example of phishing, one of the most common and easiest ways for cybercriminals to get into your systems. Many employees don’t understand what this is and how they can identify it. Moreover, many bosses don’t take it seriously either. Taking it further, many of these companies don’t have a basic IT usage policy that stipulates what can or can’t be done on the company’s IT systems, or what is expected of employees using the company’s technology. This is a problem in as many as 80% of SMEs.
Restricting access and email data
Another common problem relates to Wi-Fi connections. Most SMEs have Wi-Fi connectivity due to its convenience and ease of use, however, they have one password to access the Wi-Fi network and staff use this to connect their own devices – such as smartphones, personal laptops and so on. This is a risk as any malware on those devices can easily be transferred to the company’s IT systems and disrupt the business. This is especially true in smaller companies without the skills and cybersecurity tools to protect themselves.
In addition, staff often subscribe to newsletters and do online shopping using their work email addresses. While this may seem innocent enough, if the company behind the shopping site or newsletter is hacked, the criminals know something about your company, i.e. your domain and a user name.
What makes this more dangerous is that people have a nasty habit of reusing passwords. So if the hackers get the user’s email address and password, the first thing they do is see if the password will get them into the SME’s server.
The ideal, according to Olivier, is to educate staff not to use their work email addresses for any non-work purposes. There are plenty of free email services available they can make use of. Basic education in terms of not reusing passwords and choosing complex passwords will also go a long way to mitigating the cyber risks the company faces.
It should be noted that education is as important to the directors and owners of the business – if not more so as they will have to deal with the fallout and losses associated with a cyber breech (and it is incorrect to assume small businesses are not in the line of fire). And now that PoPIA (Protection of Personal Information Act) has an official start date, owners and directors will be held accountable for breeches that expose sensitive data.
Three controls the SME needs
As noted, there are endless options to choose from when it comes to cybersecurity tools, however, Olivier says there are three controls SMEs should see as essential.
1. Every desktop and laptop must have an antivirus program installed that is updated daily.
2. For business connectivity to the Internet, the SME must have a firewall. This doesn’t mean just having a firewall, but also configuring it correctly to meet your business’s security requirements. Fortunately there are managed services options that allow companies to use firewalls that are remotely managed by professionals.
3. Wi-Fi control is critical for the SME as this presents an easy way into your network. Companies should not have an open Wi-Fi network that anyone can connect to. There are many solutions available today that allow companies to set up a separate network that is connected to the Internet only, but not the company network. This can be made available to guests, while the primary network is limited to staff.
While this is a good start, Olivier also notes that there are many tools in the market, some of them available for free, that can conduct a vulnerability assessment on your network. The results of these assessments never cease to shock business leaders.
Ozone supplies a range of tools to assist in cybersecurity. Some of these are:
• GFI Languard: A network security scanning and automated patch management application that allows companies to discover and fix vulnerabilities while also auditing the network and the attached assets.
• Kerio Control Firewall: Available as software or hardware device, Kerio is an all-in-one solution incorporating a network firewall and router, intrusion detection and prevention (IPS), gateway antivirus, VPN and content filtering.
• Exinda: A bandwidth management and network optimisation solution that helps reduce network costs and enforces policies relating to the appropriate use of the network.
• Nuix: This includes a set of tools that allow for forensics investigation as well as network visibility.
• Progress MOVEit: An application that enables companies to securely transfer data, providing encryption and a full tracking of the data.
© Technews Publishing (Pty) Ltd | All Rights Reserved