Thursday, November 21African Digital Business Magazine

Hacking and your business: not if, but when

South Africa is experiencing a massive surge in internet crime. A shocking 78% of South African organisations were struck by a ransomware attack last year, up from 51% the previous year. And, according to INTERPOL’s 2022 Africa Cyberthreat Assessment report, South Africa leads the continent in the number of cybersecurity threats identified with 230 million threat detections in 2022 (in second place was Morocco at a mere 71 million). Othelo Vieira, Technical Product Manager Lead at Tarsus On Demand, says that, unfortunately, no one is safe. “All businesses, no matter their size, need to learn to operate from the point of ‘when I get hacked’, not ‘if I get hacked’, and set up their security and back-ups to mitigate that risk and possible resultant damage.”

He says there are several reasons for the surge in cybercrime. “Hybrid work has encouraged bad security habits such as reusing passwords or visiting websites that aren’t work-related. In addition, load shedding forces workers to log in via multiple access points, which can expose systems to bad actors. Criminals also tend to take advantage of security gaps in developing economies.”

These gaps are more commonly found in small and medium enterprises. As large businesses invest more in cybersecurity, hackers are increasingly targeting SMBs, according to the US Federal Bureau of Investigation (FBI). An employee of a small business with less than 100 employees will experience 350% more social engineering attacks than an employee of a larger enterprise. Vieira says this is because SMBs often don’t have the technical know-how to set up security. “There are so many security options these days that it can be overwhelming. Many smaller businesses also mistakenly think only big corporations will be targeted by hackers when that’s not the case at all. And, unfortunately, they often realise this only after the worst has already happened.”

By then it might be too late. A cybersecurity breach can lead to loss of business operation, financial losses, and damaged reputations – if the business can recover at all. Says Vieira: “These days, hackers look for an enterprise’s backups first and destroy it before asking for ransom, which often forces the business to pay. Ransomware can completely shut down a business with no protective measures in place. Even with safe backups off-site, it can take weeks to get back to normal operations after an attack.”

So, what steps can businesses take to ensure they are protected? Vieira says the best defence is to engage with a Microsoft partner like Tarsus On Demand, who can make the best recommendations for your unique needs and streamline security into your daily business operations. “Specialised services are no longer only accessible to large corporations. Today, there are packages available to meet anyone’s needs and using an expert service takes the guesswork and hassle out of it.”

Should you, however, choose to take on the task yourself, Vieira shares these top tips:

  1. Create a password policy that encourages good practices such as not reusing passwords, using strong passwords, and never sharing passwords. When people leave the company, remove their access.
  2. Set up multi-factor authentication (MFA) for log-ins, which is far safer than simple passwords.
  3. Implement company-wide password changes on a regular basis – at least for frequently used or very important programmes, sites, and apps.
  4. Provide training on social engineering such as phishing and risky behaviours.
  5. Be sure to comply with laws such as the Protection of Personal Information Act (POPIA). Cybersecurity stacks often have features to protect sensitive data such as credit card information – use them.
  6. Use attack simulators to show security weak points. Microsoft 365, for example, has a secure score feature that assesses your environment and then makes suggestions you can implement.

Most importantly, says Vieira, security should become a part of company culture. “Remember that your security is only as good as the weakest link. It takes one person thoughtlessly clicking on a phishing link to expose the entire company, so it’s essential to make security everyone’s responsibility. It might be a hassle at first, but after a while it will become a part of business operations – the same way you get used to switching on your house alarm at night or locking your gate behind you. Making security a part of daily business operations is the best way to stay protected.”