Cybercrime is on the rise in South Africa and there seem to be more frequent reports of yet another company falling prey to a cyberattack. Recently, companies like Dis-Chem, Transnet and TransUnion have all reported breaches in their security.
With the exponential rise in digital transformation, it shouldn’t be surprising that the risk of cybercrime has also increased. Data is an expensive and invaluable asset no matter what industry you are involved in. Storing data is a key element of any business and that data is constantly susceptible to cybersecurity breaches.
Risk management – your cybersecurity’s new best friend
Mitigating your cybersecurity risks is almost impossible without a sound risk management framework. Risk management is imperative when it comes to establishing effective controls, procedures and policies to protect your company against those potential cyberattacks.
Implementing a cybersecurity risk management strategy starts with identifying the key threats to your business and then building strategies around those threats. Every company is exposed to cybersecurity risks during the course of its business. A risk management framework will help you identify acceptable levels of risk and how you can implement controls to mitigate those risks as far as possible.
Risk management isn’t about making it more difficult to conduct your business; it’s about streamlining your process with a set of predefined procedures and controls. It’s all down to exposing those weaknesses that cybercriminals are on the lookout for and closing the gaps.
Without those predefined risks and solutions, how will you be able to ensure your employees are on the same page? Employees are often unwitting participants when it comes to creating security risks for your company. And that’s simply as a result of a lack of communication around what the risks are and how to prevent them.
Protecting your data and the importance of security has to be the responsibility of everyone within an organisation. You can have the best risk management system in the world but unless your employees understand the threats and are following your procedures, it isn’t going to be effective at all.
Basic risk management – where are the threats?
We often associate cybersecurity with those intricate plans we see in the movies – hackers in high-tech rooms surrounded by top-of-the-range computers running algorithm after algorithm. But in all honesty, cyberattacks are often a lot simpler!
Your company can have the latest cybersecurity in place but what happens when your employees are working outside the security of your network? This is an area where many risk managers are focusing more of their attention.
With the rise in remote work and hybrid work models, educating your employees about cybersecurity has never been more important. Establishing guidelines around working outside your secure network is key and often overlooked.
Just think about how coffee shops are always inundated with people on their laptops – especially during load-shedding. When your employee logs into a public or private network, they open themselves up to receiving malicious software, which then finds its way onto your network as soon as they reconnect.
When it comes to taking work home, briefcases have been exchanged for laptops and there is a tendency to have this false sense of security when logging into the company VPN because it’s safe and secure. But home networks and devices that aren’t properly secured will still pose that unwanted security risk.
Keeping up with cybercriminals
Keeping up with the latest trends in cybersecurity is a full-time job. There always seems to be a new threat on the horizon, leaving IT departments scrambling for the latest patch. But recent research has shown that cybercriminals are reverting to those more traditional types of attack – the ones we have forgotten about, like SIM swapping and USB attacks.
According to a report by PwC, at the beginning of 2022, the Nigerian Communications Commission warned of ransomware infections occurring through infected USBs. They advised that USB drives were being mailed to many organisations in the hope that people would plug them into their laptops.
Cybercriminals using USB attacks only need one person in your organisation to connect that infected USB to their laptop. The malicious software is installed as soon as they connect and, generally, the software is programmed to enable the attacker to gain remote access to the relevant computer. As you can well imagine, the results can be disastrous.
A USB attack can easily occur if your employees are not educated, and you don’t have the necessary risk management guidelines or procedures in place.
SIM swapping is another oldie that’s recently reared its ugly head again and was highlighted in the same PwC report. Initially, it may not appear relevant to your business, but if your employees use their mobile devices to receive emails or to store any work-related content, it’s relevant!
SIM swapping involves criminals persuading mobile carriers to perform a SIM swap from your mobile number to a number they have in their possession. Once the SIM has been swapped, all texts, calls, etc. are diverted to the attacker and they can easily reset passwords or carry out account recovery requests.
Many companies make use of multi-factor authentication, and mobile devices play a critical part in receiving passwords and PINs, which is why a swapped SIM puts those codes in the attacker’s hands.
Keeping your data safe
Cybersecurity and risk management work hand in hand. IT departments can only work effectively and mitigate risks that they are aware of. A sound risk management framework identifies and prioritises those risks and together you can create viable procedures and controls.
When it comes to keeping your company assets safe, whether it is data, strategic plans, or intellectual capital, your employees are your first line of defence. Employees are at the forefront of your business and, when educated about the potential risks and the procedures to follow if a breach occurs, can save your business from unnecessary downtime.
In the heightened digital age we now find ourselves in, investing in sound risk management practices is no longer something that can be ignored.