How digital transformation is driving cyber security evolution
In a news environment dominated by political and economic shifts, the devastating effects of cyber crime and data breaches go largely unreported. Yet, for small to medium-sized businesses (SMEs) in South Africa, which arguably form the backbone of a teetering economy, cyber crime and data theft are undermining growth and sustainability.
While reliable statistics are nearly impossible to obtain, it is clear that SMEs are falling victim to hackers on a weekly basis. Why? Business leaders have clearly not stayed abreast of a cyber risk landscape that has changed dramatically over the past decade. Not only have the nature and scope of the risks evolved, but so too have the tools and strategies required to mitigate them.
For SMEs, it is critical to understand this evolution and to bring the organisation in line with current (and future) trends, says Colin Thornton, MD of Turrito Networks.
A simple question of software
Looking back 10 to 15 years, cyber security for SMEs generally equated to a decision about which anti-virus software to choose. As long as the anti-virus was reputable, and kept up to date, business leaders could tick the cyber security box. In most cases, this box was probably located towards the very bottom of the business agenda… and budget.
As businesses began to embrace more seamless and accessible Internet connectivity, the cyber threat level began to rise. Employees gained access to social media platforms, and started to harness these platforms for business as well as personal communications. The use of e-mail within organisations became paramount to productivity, along with other emerging connectivity tools such as Skype.
New barriers needed
With employees becoming increasingly ‘plugged in’, hackers and fraudsters soon identified newbie Internet users as soft targets for online scams and phishing. Along with the unwanted tides of advertising and ‘junk’ mail, these scams prompted businesses to install spam filters along with the trusted anti-virus software.
In addition to targeted attacks, business leaders very soon had to contend with the peril of dodgy Web sites. As employees delighted in newfound connectivity and Web surfing freedom, they blundered their way onto infected sites and unsecured environments. This forced businesses to invest in firewalls as well as more sophisticated anti-virus software.
Mobility, endpoint security emerges
Over the past several years, smartphones, laptops and other mobile devices have become integral to modern working environments. Particularly for SMEs and start-ups, being able to work and communicate remotely has proven critical to survival. Yet, with the proliferation of mobile devices that connect into sensitive business platforms and environments, the cyber risk naturally intensifies. Another way of thinking about it is that as ‘entry points’ to business information and systems multiply, so too do the risks.
To combat this heightened risk environment and the emergence of mobile working solutions, businesses embraced the concept of ‘endpoint security’. In techie terms, endpoint security is simply a security approach that focuses on ‘locking down’ endpoints (think individual computers, phones, tablets and other network-enabled devices) in order to keep networks (businesses) safe.
Along with the focus on endpoint security, the heightened risk environment also sparked interest in penetration testing and vulnerability assessments. Penetration tests are designed to exploit weaknesses within IT networks and thus to determine the degree to which hackers can gain unauthorised access to business information and assets. These tests can be manual or automated and are performed by IT security professionals. Even as recently as five years ago, regular tests such as these were considered a nice-to-have but were fairly far down the IT task list. Nowadays, they should be near the top.
The devil is in the data…
While the reality of hyper connectivity has deepened the complexity of cyber risks, this connectivity is also fuelling the creation of data. As we have seen in recent years, data has been likened to the new ‘oil’ of the global economy, and as such, it has become an asset that needs vigilant and well-structured protection. Notably, in the World Economic Forum’s Global Risks Report 2019, “massive data fraud” was ranked the number four global risk facing organisations of all kinds.
For SMEs, which are just as likely to fall victim to data breaches as their larger counterparts, data security now demands a full strategy of its own. To begin with, SMEs have to harness tools such as SharePoint to implement secure document management. Such tools ensure that employees not only store data in a safe and organised way, but that they can also collaborate on files and safely share information with outside parties. Moreover, with legislation such as the Protection of Personal Information Act 4 of 2013 (POPI) and the General Data Protection Regulation (GDPR) coming into effect, businesses of all sizes will have to enforce strict data governance frameworks, or else risk falling afoul of the law.
Moving beyond silos
When assessing the current cyber risk environment for SMEs, perhaps the most significant element of the digital evolution is that cyber security has become everyone’s responsibility: it does not simply fall to the business owner, the tech guy or the manager. Every employee has become a target, and similarly, everyone has a role to play. This means education and internal training have to be the first and most fundamental part of any cyber security strategy. Today, businesses are still allowing staff to save sensitive data on their own laptops, memory sticks and consumer cloud platforms like Dropbox, which immediately places the business at risk of a data breach.
As the risks continue to change and evolve, so too must business owners and employees elevate their own awareness and online behaviours. Digital transformation continues to propel business and innovation forward, but the dark side of cyber security is casting a formidable shadow.
About the author
Colin Thornton founded Dial a Nerd in 1998 as a consumer IT support company, and in 2002, the business-focused division was founded. Supporting SMEs is now its primary focus. In 2015, his company merged with Turrito Networks, which provides niche Internet services outside of the local network. These two companies have created an end-to-end IT and communication solution for SMEs, from supplying a laptop right through to designing and delivering a fibre-connected geo-redundant hybrid-cloud solution. This type of end-to-end service was typically only possible for enterprise customers, but now SMEs, mid-market organisations, homes and schools can benefit too, for a fraction of the cost. Thornton has subsequently become the Managing Director of Turrito.