IERP® Team

The spectre of cybercrime is more than an inconvenient truth that will not go away; it is a growing phenomenon that threatens to engulf whole businesses and disrupt entire industries, whether or not people choose to ignore it.

The threat of disruption is not an idle one, nor is the possibility of obliteration for small businesses. Cybersecurity is gaining traction because more and more businesses are recognising how ironic it is that the component expected to boost business – technology – may also be the major cause of its downfall. We are talking, of course, about technology that facilitates business, taken to the level where we become so successful that we have nothing to do except luxuriate in our automated homes and laugh all the way to our online bank accounts. But that hasn’t happened, or at least, it hasn’t happened the way it was supposed to. Instead, the much-hoped-for improvements to the way business is done, facilitated by technology, may prove to be its ultimate undoing.

While technology has been applied very successfully to improve business, streamlining processes and generally spurring commerce and hastening the revenue stream, it has become increasingly misused and abused in the name of profit and competitiveness. This has resulted in the rise of fraud and corruption, as those with questionable morals use basically neutral technology to enrich themselves at the expense of others who are perhaps a little more trusting and a little less tech-savvy. There have been more incidents of data breaches, identity theft, online fraud, credit card scams and general parting of the gullible and their hard-earned money, than there are people to count them. More alarmingly, syndicates and organised crime have also got on the technology bandwagon.

Cyberspace is enabling crime to cross boundaries; a hacker in one country can cause banking chaos on another continent without leaving the comfort of his/her own home. Cybercrime is usually quick, anonymous and extremely painful; it leaves its victims reeling, literally not knowing what hit them. At its least destructive, it causes embarrassment; at its worst, it can rack up millions in damage, from actual physical destruction of equipment, to denial of service that causes losses to businesses, to legal costs stemming from breach of contract, and the loss of confidence of investors and stakeholders. So how can firms confront this virtual menace? It starts with vigilance.

For instance, are some employees with access to critical or confidential information logging in at odd hours? The firm may be unknowingly facing an internal threat. Firms need a cybersecurity policy; they need to know the regulatory landscape pertaining to crimes committed in the virtual world, which impact on the real one. When it comes to technology/IT, the things that need fixing can seem virtually impossible to prioritise. But firms can start with an inventory of their assets which may be vulnerable to cyberattack, and determine how to protect these first. Proper documentation is imperative, and records should be kept updated to identify who is responsible for the safety and maintenance of the assets, and what this entails.

What else do companies need to keep a close eye on? Obsolete technology, say some cybersecurity specialists. Old technology needs to be updated or replaced as it is more likely to be breached in the event of a cyberattack. Many systems are interdependent so it may be in the interests of the firm to establish extensive firewalls to protect everything, even if certain sectors are considered no-risk areas and unlikely to be targets of cyberattack. These less obvious, usually low-level security sectors are often overlooked by management, but may offer the best and least-noticed means of entry into a company’s systems.

One item on everyone’s cybersecurity list is awareness – awareness of what exactly the business of the organisation is, and how a cyberattack will affect it. Understanding the business’s vulnerabilities will go a long way to identifying how to keep it safe. Above all, be proactive about managing the firm’s cybersecurity measures, including running simulations of the systems’ performance in the event of a breach. Besides giving everyone a taste of what cyberattacks can be like, simulation exercises help to identify shortfalls that would otherwise slip under the radar. This will allow the firm to make adjustments and be better prepared in the event of a real cyberattack.

Employees need to know how to recognise the signs of a cyberattack, and how to manage it once it has been identified. They need to know how to contain it, the chain of command, and how to escalate the matter to the next level to be dealt with. In most cases of cyberattack, time is of the essence; employees therefore need to be empowered – and knowledgeable enough – to make the right decisions at the material time. This level of awareness can only be developed through the appropriate training, which means selecting the right talent for the job. First-line responders, particularly, should be more aware of the possibilities of system attacks, and operate with increased vigilance.

It’s not just the organisation’s staff who need to be aware either; suppliers and contractors down the line should be apprised of the firm’s cybersecurity policy (so make sure your company has one), as security measures which are put in place are in their best interests as well. Ultimately, organisations will have to leverage partnerships with others in order to keep themselves safe – and that implies developing a culture of safety and security that permeates the organisational consciousness, so that for all levels of staff, from the groundskeeper to the Chairman of the Board, cybersecurity becomes second nature.