Small To Medium-Size Business Cyber Security best practice

By Carel Krogh on 29 October 2021

October is here and it is also Cyber Security Awareness month! As part of our contribution, we have decided to share some insights into the world of Cyber Security and what could be done to reduce the Cyber Risks businesses face.

How can your business avoid being a victim of a cyber-attack? The media seems to be filled with ever-increasing numbers of articles spreading fear, uncertainty and doubt when it comes to Cyber Security. Cyber incidents seem to be a daily occurrence, and most businesses, irrespective of size or geographic location, are coming to terms with the fact that Cyber Security cannot be ignored anymore. Just recently, Kaspersky Labs released statistics showing that malware attacks in South Africa increased by 22% in the first quarter of 2019 compared to the first quarter of 2018. This translates into almost 14 000 attempted cyberattacks per day. According to the World Economic Forum's Global Risks Report 2021, 39% of respondents highlighted cybersecurity failure as a threat that presents a clear and present danger in the next 2 years, placing it top of the technological risks and the fourth most likely risk to become a critical global threat. It is clear that we need to adopt new digital behaviours to address cyber security, and everyone has a role to play.

Covid-19 forced many SMEs to transform their businesses in a very short time, adopting new technologies and implementing new processes to cope with a remote workforce, all done to ensure business continuity. Due to the speed at which these transformations were done, security concerns were not always at the forefront of conversations. Not all businesses have significant resources to throw at the problem, and for most SMEs, cyber security seems impossibly complex, littered with all types of stumbling blocks and endless pitfalls. The main obstacles faced by small businesses are the lack of security expertise, time and cost. There is a significant shortage of security skills in the market, and in most cases, these resources are just not available to small businesses. The cost to acquire these resources is steep, and some of the security technologies can be pricey. The cost should also be considered in the context of a breach that can cause significant downtime, extortion demands, reputational loss and/or regulatory fines. For instance, noncompliance with the recently implemented POPI Act in South Africa can result in fines of up to R10 Million!

There are several control frameworks that can help guide organizations in managing their Cyber Risk (NIST, ISO 27000, COBIT, CIS Controls). There are also regulatory frameworks that require specific controls that need to be considered (POPI, GDPR, PCI-DSS, etc.). It might not be feasible or practical for a small business to implement these comprehensive risk and control frameworks. There are, however, basic security controls that can be implemented to protect SMEs and reduce the risk of security breaches. This list is by no means exhaustive but can serve as a good basis to improve your organization's resilience against cyber attacks.

  1. Create a complete asset register of hardware and software as well as critical data storage locations. You cannot protect and manage that which you are not aware of. A proper register forms the basis for any good cyber risk program and allows the organization to track a variety of data points such as patch levels, vulnerabilities, licensing requirements, third-party dependencies, old and legacy equipment, and regulatory requirements relating to data (POPI, GDPR, PCI-DSS), amongst others. Asset discovery scans can also be an effective control in identifying shadow IT (use of information technology systems, devices, software, applications and services without explicit IT/management approval).
  2. Apply software and hardware patches as soon as they are released by the respective vendors. Where possible, this process should be automated. In more complex environments, testing of patches before rollout should be considered to minimize the impact of potential downtime. Recent incidents of supply chain attacks show how dependencies on third-party software updates could expose your organization to significant risk. Testing is important but should not prevent you from applying patches. The risk of not patching still outweighs this consideration.
  3. Perform regular backups of data. The frequency and type of backups depend on a variety of factors, such as risk appetite, the amount of data generated, the criticality of data, recovery time objectives, etc. Backups are also a focus area for numerous data privacy regulations, which should be used as a guide and departure point in terms of the specific controls required. For the backups themselves, follow the backup rule of three: keep at least three copies of your data, stored on at least two different media types, with one copy stored off-site. Ensure that the backups are stored securely in order to maintain the integrity of the data. Backups should be tested regularly to ensure that the company can restore its information in case of a cyber event.
  4. Install and regularly update anti-virus and anti-malware software on all hosts. Depending on the endpoint solution, ensure that virus definition files and application updates are applied regularly.
  5. Ensure all email is scanned for malicious links and attachments. Emails should be scanned on the local machine by anti-virus software. If the organization uses a hosted services provider, obtain a list from the provider of the controls implemented as part of the service offering to determine to what extent reliance can be placed on those security controls. Humans tend to be the weak link, so as a rule of thumb, the following should be communicated as part of your email security awareness program, targeting all staff who have access to company email:
  • Do not click on links received through email.
  • Verify the reply-to address before engaging with the sender.
  • Do not download files or open attachments in emails from unknown senders.
  • Protect your personal information, including your usernames and passwords. Legitimate businesses will not send you an email to ask for your login information or sensitive personal information.
  6. Implement a cyber security awareness and training program. Staff should be encouraged to flag anything out of the ordinary if they think it could be cyber-related. The awareness program should focus on the areas deemed most at risk to the organization. There are various resources available on the internet that can help identify awareness program focus areas applicable to your area of business.
  7. Encrypt sensitive data, in transit and at rest. Regulatory frameworks will govern the way personal customer data should be managed, but care should be given to all types of sensitive data within the organization. The organization should take special care in managing the encryption keys.
  8. Use network and host firewalls.
  9. Segment your IT network to ensure you can contain an attack in case of compromise. Segmentation will also allow you to apply various levels of defence-in-depth mechanisms to protect critical hardware, software and data.
  10. Manage user access. The ideal would be to adopt an approach of least privilege, which assigns just enough privileges to a user to perform their respective duties. Consider the following:
  • Admin privileges should be restricted as far as possible.
  • Use multifactor authentication: (i) something you know (e.g., password/personal identification number); (ii) something you have (e.g., cryptographic identification device, token); and (iii) something you are (e.g., biometric). Use at least two different factors to achieve authentication.
  • Enforce strong passwords, with strong passphrases where possible.
  • Enforce regular change of passwords (shortest acceptable timeframe for password changes).
  • Avoid reusing passwords for multiple accounts.
  11. Restrict remote access to your network. Consider installing and using a virtual private network (VPN) that will secure and encrypt your communication data.
  12. Monitor your network to detect anomalies and signs of possible compromise.
  13. Have an incident response plan detailing a set of instructions to help detect, respond to, and recover from network security incidents. This must be a living document and should be tested and reviewed regularly.
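The "verify the reply-to address" rule from the email awareness bullets can also be enforced mechanically. The following is an added example, not code from the original article: a small Python check that parses a raw email and flags a Reply-To domain that differs from the From domain, so a mail gateway or help-desk script can ask the recipient to confirm with the sender before acting. The two sample messages and their addresses are constructed for illustration.

```python
"""Flag e-mails whose Reply-To domain differs from the From domain.

Added example (not from the original article). The sample messages and
all addresses below are constructed; replace them with real traffic.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr


def sender_domain(header_value) -> str:
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def reply_to_mismatch(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and compare From and Reply-To domains."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))
    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        # No Reply-To is normal; a Reply-To on another domain needs verifying
        # with the sender through a known channel before anyone responds.
        "suspicious": bool(reply_dom) and reply_dom != from_dom,
    }


# Constructed sample: replies would go to a different domain than the sender.
SUSPICIOUS_MAIL = (
    b"From: Accounts <accounts@example-supplier.co.za>\r\n"
    b"Reply-To: accounts@example-supplier-invoices.com\r\n"
    b"To: finance@example.co.za\r\n"
    b"Subject: Updated banking details\r\n\r\n"
    b"Please find our new banking details attached.\r\n"
)

# Constructed sample: ordinary internal message with no Reply-To header.
NORMAL_MAIL = (
    b"From: HR <hr@example.co.za>\r\n"
    b"To: staff@example.co.za\r\n"
    b"Subject: Leave policy\r\n\r\n"
    b"See the updated leave policy on the intranet.\r\n"
)

if __name__ == "__main__":
    for raw in (SUSPICIOUS_MAIL, NORMAL_MAIL):
        print(reply_to_mismatch(raw))
```

A mismatch is a prompt to verify, not proof of fraud: mailing-list and ticketing systems legitimately set a different Reply-To, so the result belongs in a warning banner or a help-desk queue rather than an automatic block.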

Implementing these proposed controls will contribute significantly to reducing the Cyber Risks faced by your business. It is important not to stop here, as Cyber Security is not a destination but rather a never-ending journey. As technologies evolve and the attack landscape expands, threat actors will no doubt refine and expand their attack vectors. Stay informed and evaluate the risk continuously to ensure you do not become another statistic. I leave you with the wise words of Confucius: "Success depends upon previous preparation, and without such preparation, there is sure to be a failure."


References:

https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2021.pdf
https://kaspersky.africa-newsroom.com/press/tag/south-africa
https://www.cisecurity.org/controls/
https://www.nist.gov/
https://www.27000.org/
https://popia.co.za/
https://gdpr-info.eu/
https://www.pcisecuritystandards.org/
https://www.isaca.org/resources/cobit
