By Quentyn Taylor
Recent rapid digital transformation and reliance on cloud-based solutions have made businesses – in Africa as in the rest of the world – more vulnerable to cybercrime. In today’s global village, getting hacked or being the victim of cybercrime is inevitable.
The shift to hybrid working has expanded network perimeters, which now include the core office location as well as employees’ homes. Mobile and remote work can be beneficial to productivity but does open up new threat vectors with device management. The enormous growth in the use of connected devices – such as laptops, printers and phones – results in more entry points for possible attacks.
At the same time, cybercrime is evolving and becoming increasingly sophisticated. It’s shifted from trying to infect as many devices as possible to looking for weak links which can enable criminals to steal data or hold corporate systems to ransom.
A mistake or omission by a single employee – or even a third-party provider – can potentially bring down a whole company.
When employees work remotely – at home or in public spaces – they operate outside of the company’s usual controls; existing security measures may no longer be applicable or effective.
The risk is universal; even large, well-resourced companies have failed at times, often against basic attacks.
Typical attack vectors include malware, ransomware, identity theft and email phishing, possibly the most prevalent approach in Africa. Messaging apps like WhatsApp have also been used to compromise victims.
The financial impact of cybercrime can be enormous; the European-based Pathé cinema chain lost over $21 million to a Business Email Compromise (BEC) scam, and in the US, CNA Financial paid out $40 million in ransom in 2020.
Such costs can be crippling, particularly for small and medium enterprises (SMEs) that may not have the financial resources to recover. The ‘infosec poverty line’ is a reality – many small businesses, the backbone of most African economies, simply cannot afford to employ dedicated IT professionals and the massive increase in the cost of cybersecurity and cyber insurance puts them out of reach for many.
While you are never able to completely eradicate risk, there are simple steps to take that can build the cyber-resilience of almost every business. Work with your reality – whilst IS issues are global, they manifest differently in different areas; there isn’t a one-size-fits-all solution. Focus on the basics, develop a plan and lead for success. Don’t attempt to force people to do as they are told; adjust the message dynamically to fit the actual situation. The priority is to lead in a way that keeps your business and your customers safe.
The first step is to check the internal and external IT perimeter for gaps. A single entry point can allow an attacker in, rather like an open window is an invitation to an opportunist thief. In today’s fully connected workplace, every device is a potential entry point for criminals.
Everyone’s security and every piece of equipment need to be on par.
You may have a partner who can assist – at Canon we offer our partners comprehensive assessments to help mitigate security vulnerabilities.
Look for third-party service providers with built-in security and a good track record. You may have already paid for security services through your email and internet provider; check what you already have and plan from there. Working at scale allows them to incorporate many security features at a much more reasonable cost.
Most importantly, ensure your employees turn on security features in the software and devices they use. Multi-factor authentication is offered on almost all social platforms, is usually free and is one of the easiest ways to give your security a dramatic boost.
Ultimately, people are both your strongest and weakest link. It only takes one errant click on a phishing mail to open the company to risk. Educate employees on basic cyber hygiene and encourage them to come forward and share mistakes. If an error is out in the open, it can be fixed. Your defence strategy is only effective if breaches are reported.
Develop processes and systems that protect against loss if one person’s email is compromised.
You don’t need to be the most secure business; you just need to be more secure than your neighbours. Most criminals are opportunists, looking to attack easy targets. It’s not about spending; some companies invest heavily in IS but haven’t turned on email multi-factor authentication.
By taking control of your information and network and educating all your employees, you can keep one step ahead of cyber-criminals and continue to serve your customers with confidence.
(Quentyn Taylor is the Director of Information Security at Canon Europe, Middle East and Africa).