By Sandro Bucchianeri; Absa Group Chief Security Officer
The global COVID-19 storm has transformed the way the world conducts business and, more specifically, what can be accomplished digitally. And while we all long for the human touch and personal interaction, a post-pandemic world of greater online functioning is unfolding before our eyes. But, with greater digital dependency and reward, comes greater risk in the form of cyber threats.
Major corporates have sophisticated and multi-layered internal security systems to safeguard sensitive and valuable data, and to protect clients and customers. However, many small to medium enterprises (SMEs) across the continent don’t have access to, or budget for, sophisticated IT security infrastructure and highly skilled IT teams. It is also these small businesses that that are most at risk, viewed as easy targets by cybercriminals, especially during lockdown - a period of prevailing uncertainty and financial decline. Here are some of the latest scams and tactics that all small business owners should be aware of:
Phishing works by duping users into thinking that they are logging into a legitimate site (through spoofing), only to have them (unintentionally) share their private credentials or banking details with cybercriminals. Dubious links can be sent via email, SMS or WhatsApp and can give criminals access to mail systems, servers, customer data and the like. Employees working from home are particularly vulnerable as they may think that instructions come directly from employers. Make sure you encourage employees to immediately flag any suspicious correspondence, and educate customers about some of the currents scams that may be out there.
2. Supply chain attacks
The risk comes with third and fourth parties and so on, who are just as exposed to the rise in cyber-attacks brought on by the pandemic. Corporates deal with thousands of suppliers and vendors, all governed and managed through strict frameworks and protocols. The situation is obviously vastly different for SMEs who need to realise that the moment a third party has access to business information, owners relinquish control. It is like giving the keys to your house to someone you trust. It’s great if this is a reliable person but what if that individual passes the keys on to someone else? How far does the trust extend? Make sure you have done your due diligence around external parties, including asking questions around data storage and privacy as well as cyber risk procedures.
3. Human error and social engineering
The biggest problem is us – humans - and it will always be. From a Neurolinguistics Programme (NLP) perspective, humans are conditioned to react to certain prompts or signals. Even more so during lockdown, when fear and doubt are rife. If someone calls saying that he/she is contacting you from your financial institution and begins to list and ask details such as your business’ email address and passwords, your defence goes down. That is why we make customers aware that the bank will never ask you any of these questions, if you do receive a call like this, it is most certainly a criminal attempting to gain access to your critical information. If unsure, rather end the call and contact the bank directly (using official numbers). At Absa, we have enabled secure calling from our banking app, which also includes authentication. Social engineering also comes into play because most people use the same passwords across multiple platforms and applications. Make sure that passwords are hard to guess (but easy to remember), change them regularly and make use of a robust password management system.
4. Data vulnerabilities
Ransomware (where access is restricted to a digital asset until a ransom, often in bitcoin, is paid) is also on the rise, with criminals taking full advantage of the current circumstances. These activities range from denying companies access to their servers, or a user to his/ her phone. Ultimately, the most important thing is making sure your data is secure and that you have a full backup. We are fast moving to what is called a Zero Trust Model, where stringent verification will be required for any device or person (internally and externally) attempting to access company resources or networks. Major corporates have virtual private networks (VPNs) with correct and certified configurations, two-factor authentication and a host of additional layers of security, which are continuously monitored and reviewed. Most SMEs won’t be in position to lay out significant security investments (especially now), as such, secure cloud services are an ideal and affordable option to allow data to be shared safely.
While the pandemic has exacerbated cyber exposures, criminals are constantly coming up with new online schemes. Long-term business sustainability and growth will depend on sustained risk mitigation. The first step would be to assess your business data and how effectively it is secured. Next, would be installing reputable antivirus software where possible, backing up files on a regular basis, making sure vulnerabilities are patched and updated routinely, and always carefully scanning the emails you receive. The golden rule of “if it seems too good to be true, then it usually is” still holds true.