The digital space has transformed how we interact with people and how we do business. It has allowed us to do more than we ever thought possible and has enabled us to connect with clients, partners and employees irrespective of geographical boundaries. On the flip side, it is also introducing us to new and unforeseen risks.
There is a dangerous misconception that cyber-attacks are only launched against big corporations. The truth is that 43% of cyber-attacks target small businesses, 60% of which go out of business within 6 months of a successful attack.
Even if you survive the financial impact of a cyber-attack, will you be able to survive the reputational damage?
Another major misconception relating to cybersecurity is that you need to have a dedicated cybersecurity team and invest large amounts of money to protect yourself. Whilst it is true that a company should spend at least the same amount of money protecting its information as it does its physical assets, there is a lot that you should be doing to make yourself a less attractive target, which may well motivate a potential attacker to try to compromise someone else instead.
In the cyber threat landscape, information equates to currency and is targeted by attackers for the potential value in selling it or holding it for ransom.
The following are some zero to low-cost cybersecurity improvements that should be implemented by those who may not have the advantage of dedicated cyber/infosec expertise.
Free improvements:
Passwords: Enabling a password on your laptop or computer costs nothing and adds the first line of defense in the event that your device is stolen. You will need to adopt good password habits to further harden this defense mechanism. Make your password complex, change the password often, do not share passwords between applications and systems and never divulge your password to a 3rd party.
Enable 2-factor authentication: MFA, 2FA and two-step authentication all refer to a feature offered by online services where you register your cell phone number or use a third-party application to receive a one-time PIN when signing in, in addition to supplying your credentials.
Encryption: Encrypting your devices adds a second level of security in the event of devices being lost or stolen. A properly encrypted device will prevent information from being extracted from storage media if it is removed and inserted into another host. Windows 10 Home offers device encryption as part of the operating system and Windows 10 Pro offers BitLocker full disk encryption. The latter also allows you to encrypt removable media such as portable hard drives and flash disks.
Updating your systems and software: Vulnerabilities are often addressed in software updates. Updates for your operating system are free and you simply need to enable automatic updates. While you are setting up updates, do not neglect the other applications that you use, such as Microsoft Office. Updates should be installed as soon as they become available.
Awareness: Having cyber aware users offers protection against phishing attempts that technology cannot buy. A complete overview of phishing exceeds the scope of this article but being able to identify fraudulent emails before engaging with an attacker will go a long way to protecting your systems and information. There are many good resources available on the internet that will help you strengthen your cyber awareness.
Call first policy: Whenever you receive an email or message from a client or colleague requesting any form of payment to be made, always confirm this telephonically before doing anything. The same applies to an email requesting you to listen to a voicemail or download a document if the sender is a known person or company. If the sender is unknown or the email is unexpected, simply delete it.
Enable your firewall: Your operating system likely comes with a built-in software-based firewall. Enabling the firewall will make your device harder to detect or probe and will protect against non-standard network traffic.
Safe browsing habits: This could be compared to staying out of dodgy areas to avoid getting mugged. Keep your web browsing safe by using the internet for legitimate purposes. Avoid visiting torrent websites to download content and do not search for unsavory content.
Make local backups: Use an external drive to back up your important information.
Avoid free and public Wi-Fi: As far as possible, try not to use free or public Wi-Fi such as the kind offered at airports, hotels and coffee shops. Even if the access seems to be secured, public spaces offer a great platform for attackers to create Wi-Fi hotspots that mimic that of the establishment you are visiting. A better alternative is to use a mobile hotspot that you own or to tether from your cell phone.
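To see where a Windows 10 PC stands on the password, encryption, firewall and update items above, the following read-only check can be run from an elevated PowerShell prompt. It is an added example, not part of the original article; it uses the standard Get-LocalUser, Get-BitLockerVolume, Get-NetFirewallProfile and Get-HotFix cmdlets, and the 30-day update threshold is an assumption of this example.

```powershell
# Added example: read-only audit of several free improvements on a Windows 10 PC.
# Run from an elevated PowerShell prompt; it changes nothing on the machine.
$MaxUpdateAgeDays = 30   # assumption of this example, not a figure from the article
$results = @()

# Passwords: enabled local accounts that are allowed to have a blank password.
$noPw = @(Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired })
$detail = if ($noPw.Count) { $noPw.Name -join ', ' } else { 'all enabled accounts' }
$results += [pscustomobject]@{ Check = 'Accounts require a password'; Pass = ($noPw.Count -eq 0); Detail = $detail }

# Encryption: BitLocker protection on the system drive.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $encOk = ($vol.ProtectionStatus -eq 'On')
    $detail = "$($vol.MountPoint) $($vol.VolumeStatus)"
} else {
    $encOk = $false
    $detail = 'BitLocker cmdlets not found; check Device encryption in Settings'
}
$results += [pscustomobject]@{ Check = 'System drive encrypted'; Pass = $encOk; Detail = $detail }

# Firewall: every profile (Domain, Private, Public) should be enabled.
$fwOff = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
$detail = if ($fwOff.Count) { "disabled: $($fwOff.Name -join ', ')" } else { 'all profiles enabled' }
$results += [pscustomobject]@{ Check = 'Firewall enabled'; Pass = ($fwOff.Count -eq 0); Detail = $detail }

# Updates: age of the most recently installed hotfix (an approximation of patch currency).
$last = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($last) {
    $age = [int]((Get-Date) - $last.InstalledOn).TotalDays
    $updOk = ($age -le $MaxUpdateAgeDays)
    $detail = "$($last.HotFixID) installed $age days ago"
} else {
    $updOk = $false
    $detail = 'no dated hotfix entries found'
}
$results += [pscustomobject]@{ Check = 'Recent update installed'; Pass = $updOk; Detail = $detail }

# One row per check; any row with Pass = False needs attention.
$results | Format-Table -AutoSize
```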
Low-cost improvements:
Invest in a 3rd party Antivirus: Many operating systems come with a free, very basic antivirus system, which was adequate when threats were very basic. The reality is that threats have evolved and continue to evolve, becoming increasingly complex. In order to protect your system, you should get a proper next-generation antivirus. Some technologies that your antivirus should include are a host intrusion prevention system (HIPS), sandboxing, real-time scanning, reliable and regular updates as well as some form of automated analysis (oftentimes incorrectly branded under the term artificial intelligence). Many of these products come with an internet protection module that monitors and protects against web threats. These packages are subscription-based and cost in the range of R300 per year.
Subscribe to cloud storage for backup: Cloud storage is cheap. Spend a few Rands and subscribe to a cloud storage service to save regular backups of your important files. Cloud backup services often offer versioning, so you are able to restore to a specific version of a file. If you are on Office 365, use OneDrive to save your work; it is included in your subscription.
Adapt your hiring process: Even small businesses should include basic background checks as part of their hiring process. Many significant cyber risks are introduced from inside, often inadvertently but sometimes maliciously. A basic background check could raise red flags before it becomes a crisis.
Consider cyber insurance: No matter what you implement to reduce your cyber risk exposure, you will likely be left with some residual risk. You have two choices with the residual risk: you can either accept the risk or you can transfer the risk by purchasing some cyber insurance. Depending on your needs, this may cost less than you would think.
While the above tips are not comparable to a mature cybersecurity program, they will go a long way to increase your defenses against potential cyber-attacks and are a great start in getting your company, client information and personal information protected. Considering how little they cost, could you really afford not to?