Your SME Guide to Cybersecurity

Cyber Security
Introduction

In today’s business landscape, where data plays a crucial role, it has never been more important for businesses to safeguard themselves from cyberattacks in order to achieve long-term sustainability and growth. Cybersecurity is now part of doing good business in an increasingly risky digital landscape. For SMEs in particular, the risks and threats associated with cybercrime are steadily growing. In South Africa, the consequences of such attacks include financial loss, reputational damage, and the money and employee time spent on recovery efforts.

Cybercrime in South Africa

Over the last couple of years there has been a major increase in the number of reported cyber incidents in the country. The State of Ransomware 2021 report revealed that 24% of South African companies had experienced some sort of ransomware attack in the past 12 months. It also estimated that the average cost to recover data stolen in industrial ransomware attacks in South Africa was $447 097 (R6.8 million). This is backed by research by the South African Banking Risk Information Centre (SABRIC), which shows that South Africa loses $157 million (R2.4 billion) a year to cyberattacks.

Cybercrime and SMEs

There is a common misconception that small companies are less susceptible to cybercrime because they are perceived as lower-value targets. The reality, however, is that SMEs are increasingly facing cyberattacks.

There are various reasons why small businesses are targets. To start, many SMEs underestimate the security dangers they face today. In addition, they lack knowledge about the major risks that cyber threats present and how those threats affect their bottom line. As a result, most small companies fail to invest in adequate cybersecurity measures, such as cyber risk insurance cover, which leaves them vulnerable to attack.

Types of common cybersecurity threats for small businesses

Small businesses are vulnerable because of limited cybersecurity resources and a lack of knowledge in this area. The shift to remote work arrangements has further intensified the potential security risks faced by these businesses.

Below is a guide of some common cybersecurity threats that are prevalent in South Africa that SMEs should be aware of:

Phishing Attacks: Phishing attacks involve cybercriminals using fraudulent emails, text messages, or social media messages to trick employees. Commonly, the recipient is tricked into clicking a malicious link, which can lead to the installation of malware, the locking of the system as part of a ransomware attack, or the disclosure of sensitive information such as passwords, credit card numbers, or login credentials.

Malware: Malware is software that is designed to damage or disrupt computer systems. McAfee states that malware is usually distributed through malicious websites, emails, and software. Malware can also be hidden in other files, such as image or document files, or disguised as ordinary-looking executable (.exe) files. Users can be tricked into installing malware when they click on a link in a phishing email, or when they download and install software from a website that is not reputable. Malware can also be installed on a computer when the user plugs in an infected USB drive, or when the user visits a website that is infected with malware.

Ransomware: Ransomware is a type of malware that encrypts files. The victim is then pressured to pay for the decryption key needed to recover their files. Small businesses are often targeted by ransomware attacks because they may be more likely to pay the ransom to regain access to their data.

Password Attacks: The goal of password attacks is for cybercriminals to gain access to small business systems. To do this, cybercriminals use either brute force attacks or password guessing. According to OneLogin, password attacks are one of the most common causes of corporate and personal data breaches and are the result of weak or reused passwords.

Insider Threats: Insider threats are security risks that come from within an organisation. Employees with access to sensitive data can intentionally or unintentionally leak or steal data, causing significant damage to the business.

Third-Party Risk: This typically arises when a current or former employee, supplier or third-party vendor (such as a cloud hosting or payment processing provider) that holds user credentials misuses that access, leaving networks, systems and data at risk of attack.

Unpatched Software: Small businesses that neglect software updates and patches because of limited resources remain exposed to known security vulnerabilities in the programs they run.


Best Practices for Small Business Cybersecurity


Experts recommend that every business has a cybersecurity strategy and a set of best practices to protect business and customer data from growing cybersecurity threats.

This guide explores practical tips and best practices that small business owners can implement, including using strong passwords, enabling two-factor authentication, and conducting regular software updates.

Understand what you’re up against – The first step is to understand the cyber threat landscape. Business owners must keep up to date with the latest security threats and cybercrime tactics that are continually evolving. It’s equally important to stay up-to-date with your business’s compliance status, particularly PoPI.

Remote work – It’s essential to provide employees who work from home with security tips, guidance or policies on being a secure remote worker. Additionally, ensure that staff working from home have a comprehensive antivirus suite. These protect computers from malware such as spyware, viruses, trojans and worms, as well as from phishing scams, including those sent via email.

Strengthen password protection – There are a number of simple ways to strengthen your passwords, such as increasing password difficulty and uniqueness with a mix of lower- and uppercase letters, numbers and special symbols, and using reminders that prompt you to update passwords regularly. Two-factor authentication provides additional security for sign-in processes. The same password should also never be reused across different web services.

Employee training – Employees should be educated about cybersecurity best practices, such as keeping employee and client information safe, carefully checking the email addresses of senders, and the damage-control procedures staff should follow should a breach occur. Staff should also be trained on the PoPI Act and how to maintain compliance.

Update devices – Updating your devices and applications can close security holes and address new security concerns, as well as add new features to your devices. This includes regularly applying software, operating system and web browser updates to shield desktops, laptops, tablets and cellphones against the latest security threats.

Create backups regularly – Businesses should make it standard practice to complete routine backups (daily, or at least weekly) of all important information stored on company computers. Copies of backup files should be stored in the cloud, as well as on an offline hard drive to be extra-safe. Experts recommend that both copies be encrypted.

Install an on-premise managed firewall – Firewall devices guard internal networks from threats on the Internet. An on-site firewall offers around-the-clock, all-inclusive and enterprise-grade protection.

Embrace cloud solutions – Cloud technology is extremely beneficial in helping businesses protect their data and remain compliant with data protection laws. Most cloud services offer some sort of backup or archiving solution: if on-site data is compromised, the backup can be easily accessed. More advanced options allow users to remotely wipe information from devices in the case of theft.


Cybersecurity Tools for Small Businesses

Small businesses should carefully evaluate their cybersecurity needs and choose the tools that are most appropriate for their specific needs and budget. There are various cybersecurity tools that small businesses can use to protect their systems and data, such as antivirus software, firewalls, and encryption tools.

Antivirus software: Antivirus software is designed to prevent, detect, and eliminate malware and viruses. Many antivirus software programs also include additional features such as firewalls and email filters. 

Firewall: A firewall is a network security tool that monitors and controls incoming and outgoing network traffic with the purpose of allowing non-threatening traffic in and keeping dangerous traffic out. A firewall can also help prevent unauthorised access to a small business’s network.

Virtual Private Network (VPN): A VPN protects sensitive data when employees access the internet, including from remote locations. This is done by creating a secure, encrypted connection between a small business’s network and the internet. The VPN hides your IP address, which means your Internet Service Provider (ISP) and other third parties cannot see which websites you visit or what data you send and receive online.

Password Manager: Password managers strengthen password protection by helping users generate strong, unique passwords for each of their accounts and store them in a safe place. Most password managers are accessible across different platforms and devices, making password management hassle-free.

Encryption software: Encryption software can be used to encrypt sensitive data so that it can only be accessed by authorised users. Encryption software can help protect small businesses from data breaches.

Backup and recovery software: Backup and recovery software includes on-site and cloud-based solutions that automate and support backup and recovery in the event of a cyberattack or other data loss event, enabling organisations to protect and retain their data for business and compliance reasons.

Cybersecurity and PoPI Compliance

There are regulatory and compliance requirements that small businesses must adhere to when it comes to cybersecurity, such as the Protection of Personal Information (PoPI) Act.

PoPI, according to ENS Africa, “places an obligation on the responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information and unlawful access to or processing of personal information”. Businesses that fail to comply face potentially business-crippling fines when a cyber breach event occurs.

This guide highlights some of the actions that business owners can take to ensure they are compliant. 

Have a policy – SMEs should have a policy that controls where and how sensitive information is stored and processed within the business and then enforce and report on compliance with these policies. Your policy should also cover information security and device and data usage.

Data encryption – To ensure adequate protection, it’s important for businesses to ensure that their data is encrypted. Data that is encrypted end-to-end means PoPI compliance is maintained, even in the event of a data breach.

Tech tools – Technology tools such as cloud service providers are essential in the management of data and must cover specific business and legal requirements. Any solution the business adopts must not only improve operations but also ensure compliance with relevant laws and codes, including PoPI.