In the previous post we outlined the huge challenge that cyber attacks pose to businesses, institutions and individuals. To explore solutions, we spoke to a cyber security expert, Christian Nkanyanga, the Founder and CEO of Cyber Sentinel, a Johannesburg-based cyber security firm.
Companies are hacked regularly; what makes the difference is the consequences of the breach and how seriously the regulator enforces the legislation. In June 2018 Liberty, the financial services company, suffered a breach that appears to have exposed emails and attachments. Because POPI was not yet in full effect, the regulator could not impose the penalties the Act provides for: a fine of up to R10 million or up to 10 years' imprisonment for the responsible executives, as well as potential compensation to the affected parties. By contrast, the UK Information Commissioner's Office (ICO) announced a £183m fine (roughly R3.5 billion) against British Airways after the details of almost 500 000 customers were harvested by attackers, because its systems were not as robust as the GDPR requires.
According to Christian, organisations of different sizes have different risks, resources and requirements. "South African businesses with a presence in Europe are subject to GDPR compliance, and they have the capacity to set up the systems. The most vulnerable businesses are the small and medium businesses that do not have the budget or specialised expertise to address the issues."
Christian advised that small and medium companies should do the following:
- Keep all systems updated ("patched") to the latest version: when Windows sends you a reminder to update your system, do it immediately.
- Make use of a company-wide password manager. Password managers encrypt your password database with a master password, so the only password that needs remembering is the master password.
- An antivirus is still important: a free one is better than none, just make sure it is legitimate.
- Use a VPN: a VPN encrypts your traffic so that you can transfer information over the internet without it being read in transit.
- Undertake an information classification exercise to establish which information is confidential, secret and/or private. This determines how extensive the measures to protect the data need to be.
- Bonus: phishing remains a threat; user awareness training helps employees identify phishing emails.
The majority of stolen information is personally identifiable information and the data tied to it, such as transaction data, financial information and financial records, so individuals also need to be vigilant. Christian recommends that individuals consider taking the following steps:
- Don't let Google Chrome remember your passwords; use a password manager to protect your identities.
- Phishing campaigns are old school, but they are still effective.
- Do not use the same password for everything.
- Clear your browser cookies regularly, as cookies retain a lot of information.
- Avoid visiting shady websites.
We wanted to keep this article short and pointed so that you can start implementing the action points shortly after reading this email! Christian has also published A Guide to Modern Cybersecurity, which is freely available for download on the Cyber Sentinel website. And if you want to find out the status of your security measures, get in touch with Christian to set up a consultation.