Secure your firm against cyber crime
Q: I’ve been reading a lot about cyber security threats to SMEs. What are some of the most common threats to SMEs and what trends do you expect to see emerging over the next year?
A: Cyber security should be top of mind for small businesses. The good news is, as small business owners you are close to your business and in the best position to invest wisely to address the threats you face.
Increasingly, SMEs across New Zealand are taking advantage of technology advancements in mobility and cloud services. Along with these new ways of working and enhancement to your business comes new risks. So we’ve identified some of the common cyber security threats and tips on how to manage them.
Access control: Do you have a policy or guideline around password security for access to systems and accounts, and is it enforced? Usernames and passwords should not be shared in the office, because it removes any traceability and ownership associated with the actions of individuals.
Improving the complexity and stopping people using the same passwords, as well as using multi-factor authentication are simple ways to improve security without breaking the bank.
Password applications are available as apps or downloads to help generate and store strong passwords and many service providers have convenient multifactor options such as texts at no charge.
No matter how small the business is, it is worth setting some non-negotiable rules about accessing information in the firm, because passwords with dictionary words are easy to crack.
Social engineering, phishing and fraud: Have you ever suspected identity theft or fake transactions?
Instances of someone posing as a senior member of the business, asking for information to be released or payments to be made are common.
Often backgrounds can be researched and email addresses can be easily found or guessed in order to send a legitimate looking email. They tend to make business as usual or small requests that wouldn’t alert staff.
An effective step to protect your business is to define a simple rule around authenticating the source of requests before performing financial transactions, particularly those from email and texts, even if it is just a code word that changes frequently.
Ransomware: Are you prepared for someone locking you out of your systems and data? While patching your systems and having a reputable anti-virus package on all your devices reduces the risk of getting infected by ransomware, it is no guarantee.
It’s worth making sure you have offsite back-ups and exploring whether cyber insurance is something worth investing in.
Critical information and privacy: Have you thought about the intangible assets that need to be protected? These might include company credit cards, the business brand and your customer data.
Know what’s really important to your business and how much it is worth before deciding how much you are willing to invest in technology, process and advice.
The common thread through all of this is that educating yourself and your staff is a good investment, as are secure methods of storage and dissemination of information.
Ensure that your staff understand what is important to your business. Be on your guard against privacy breaches and remember that the technology you use needs to be configured and well managed.
A small investment made upfront to get this right and external help should be weighed up against the time and energy you would have to invest to do this yourself.
You can start by checking that your cloud provider has sufficient controls that meet your needs and that these are specified in your contract or agreement.
The Cloud Security Alliance Star program is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings. Adrian van Hest is a PWC partner and cyber practice leader