BusinessDesk is proud to publish The Reset series, made in association with our trusted commercial partners and designed to supercharge your business in 2021. In this article, Matthew Evetts, director of cybersecurity at Datacom, looks at why keeping your business safe from cyber attack is critical for success.
The year has barely begun but already we’re seeing news emerge of cybersecurity attacks on not only large companies but also vital institutions such as the Reserve Bank.
Last year, there were dozens of high-level attacks impacting tens of millions of users at a time. Whether it was Facebook, Estée Lauder or the Marriott Hotel chain, customers’ personally identifiable information (PII) was stolen on a scale never seen before.
In New Zealand, we’ve largely been immune to many attacks simply because we’re not on the radar of those wanting to sow mischief and mayhem.
But what about those who are simply looking for vulnerabilities in our defences regardless of where we are?
What about the increased risk of staff working remotely?
It’s a threat we can no longer ignore, as the number and severity of attacks increase and the impact grows.
Cybersecurity for companies large and small varies a lot, but the basics are the same whether you’re a small business that can get by without any online presence and only a few systems, or a multinational that needs its online presence to survive and manages hundreds of systems.
People are your weakest link
It could be someone in your organisation who can access your bank accounts and pay money. There can be a risk of them being phished or socially engineered, or the weak link could be anyone who has email and clicks on a link that turns out to be ransomware. People who have access to your systems or facilities are always a major risk vector for your organisation.
That is not to say people shouldn’t have access, but how often have you checked to see who has access to what and whether the levels of access and permissions are appropriate for the roles and people? Maybe you should think about having two people sign off payments over a certain amount to ensure you don’t pay a fake invoice, as Team New Zealand’s America’s Cup organisation did last year.
Process is your friend
If you don’t have a process in place for payments, for adding software to your IT systems, or for on-boarding and (even more importantly) off-boarding staff, then you’re opening yourself up to potential problems.
Staff are often given standard passwords or default-system permissions when they first arrive at a company. This might seem efficient because it gets them up and running quickly, but the first thing they should do is change their password and learn about your cybersecurity requirements, even before they hand over their tax and contact details. It’s also critical staff are only given the access they need and not permissions that are just a copy of existing profiles or user accounts.
Likewise, when staff leave, make sure their permissions are rescinded. It’s all too easy to think that your company Instagram account isn’t that important, but don’t wait until a disgruntled former employee starts writing about your business practices in public. Have a strong security process in place for on-boarding, off-boarding and everything in between. Too often we see processes stop with a single system like Microsoft Active Directory – with many other systems remaining untouched.
Patch and upgrade
In 2017, the UK’s National Health Service (NHS) was devastated by ransomware infecting a large number of machines simply because the NHS hadn’t upgraded to the latest software patches. The collateral damage ran into the millions of pounds and the lack of access to health records had dire results for some patients.
It’s easy to think “I’ll get to that later”, but even easier still is checking the ‘automatically update my system’ button wherever you can. When it comes to systems that can’t be automatically updated, you’ll need processes in place to patch them as rapidly as possible. Doing this in hours rather than days is ideal. Sometimes your window will be very small.
People are your strongest link
While people are the weakest link, they are also your best line of defence against the nefarious world of hacking. Empower your people to ask questions. For example, “Would the CEO really ask me to approve an invoice via LinkedIn?” Your people should challenge each other about basic device safety and avoid bad practices such as sharing system credentials. Undertake regular compliance and security training and you’ll find you have a company full of security experts before you know it.
Security, privacy, hacking, ransomware, state-level actors – it’s the stuff of movies and spy novels, but it’s also a reality today’s business owners and leaders have to embrace and understand. While it might seem daunting at first, there are experts who can help and ensure you’re doing what you need to protect your business and stay viable in the online world.
Every business needs a security roadmap highlighting its biggest risks and priorities, while showing the way to a stronger and more resilient future.
Matthew Evetts is the director of cybersecurity for Datacom. Bridging the worlds of business and technology, he leads a team focused on monitoring and identifying risks, delivering visibility and increased maturity, and the seamless integration of cybersecurity into Datacom’s customer environments.