What does cybersecurity mean for your organisation? And what can your organisation do to protect itself against cybersecurity threats?
We are already more than a year into the COVID-19 pandemic, and throughout the pandemic we continued to see a rise in cyber-attacks. In a world where technology is the new way of living, there is no doubt that cyber-attackers are taking advantage of this, and will continue to do so, and that this will only accelerate as we see emerging technologies growing.
For a number of years it was believed that cybersecurity threats would only impact organisations such as banks or major IT companies. But the reality is that any organisation at any time is at risk. The COVID-19 pandemic has proven this, with organisations, big or small, in a variety of fields being affected. Every organisation has valuable data that could be affected in the event of a cyber-attack. The impact of a cyber-attack can be tangible costs, such as stolen funds, legal costs and compensation to affected parties. But even worse are intangible costs like loss of integrity due to compromised assets and loss of customer and client trust. In extreme cases, organisations may go out of business.
What if your organisation is under attack?
With the discovery of an attack, an organisation is required to think fast and act immediately. Technical teams are required to investigate the root cause of the breach and management need to get communication out to all affected parties (staff, stakeholders and possibly regulators) as soon as possible. Upon an attack, effective communication is a key factor, as this is the underlying principle that will assist in containing panic. Slow and ineffective communication can lead to reputation damage, loss of clients, and even large legal costs. As part of business continuity plans, management need to ensure that cybersecurity is a key feature and a detailed plan is made available.
Below is a checklist of the top five priority items that every organisation can use to help their business become a bit more cyber-savvy:
1. Does your organisation have regular cybersecurity awareness programmes?
Creating awareness around cybersecurity ensures that employees have some level of understanding of cybersecurity.
Cybersecurity awareness programmes should focus on the key areas of concern within organisations. These include password security best practices, phishing awareness training, malware identification training and testing employees’ preparedness through simulated cyber-attacks.
2. Has your organisation checked the correct levels of access?
As an added security measure, limit employee access to data, systems and software to those who require them in their role to reduce the risks of a data breach. For example, supplier specialists will require access to supplier information and not access to human resources information.
Setting up the correct level of access can reduce security breaches and will assist in protecting sensitive information. The last thing you want is data falling into the wrong hands.
3. Has your organisation implemented SSL data encryption?
SSL (Secure Sockets Layer), today implemented by its successor TLS (Transport Layer Security), is the standard security technology used for establishing an encrypted link between a web server and a browser, ensuring that all data passed between the server and browser remain private.
Not sure if your organisation’s website is secure? A good way to check is to look for ‘https://’ at the start of the URL in your browser.
4. Have your employees been prompted to change their passwords?
An interesting fact is that 52% of users have reused their passwords, and cyber-attackers can crack these in 10 guesses. Another interesting fact: the most common password used is ‘password’.
A secure password is unique, incorporates numbers, special characters and a mixture of upper- and lowercase letters, and should be updated on a regular basis.
5. Has your organisation done a cybersecurity assessment?
Simply because there are cybersecurity controls in place does not mean that they are effective. Performing an in-depth cybersecurity assessment will assist your organisation in identifying vulnerabilities and establishing an action plan to eliminate them. A deep dive into cybersecurity measures within your organisation will ensure that vulnerabilities are identified at an early stage.
The assessment can look into business continuity plans. The business continuity plan should be treated as an emergency plan in the event of a cyber-attack and include the names, phone numbers, and after-hours contact information of key incident response stakeholders such as the business owner, relevant IT professionals, finance team leadership, and any other figures critical to your business operations.
Creating a culture around cybersecurity awareness in the organisation doesn’t mean that you’ll be eliminating the risk of data theft or cyber-crime to your business, but cybersecurity readiness is the combination of knowing and doing something to protect an organisation’s information assets. Cyber-attackers are lurking all over and you never know, your organisation could be the next target. Take action today towards creating a safer cyberspace.
Author: Pranisha Rama CA(SA), Auditing Lecturer, University of Johannesburg