The world is changing rapidly due to technological advancements. This affects risk, and with it comes uncertainty, but also opportunity. Failing to take advantage of upside risks is becoming as risky as not dealing effectively with downside risks.
Cybersecurity can be described as the digital or human measures an organisation can take to reduce the risk and harm to a business’ information and information-based systems through theft, alteration or destruction.
Cybersecurity is more than ensuring you have the latest security technology in place – it’s also a business and broader risk-management issue. These days, businesses and their customers, vendors, distributors, suppliers, partners and advisors, among others, are all interconnected. Each of these parties has its own access points into a business, which increases your exposure to a cyberattack.
Even companies that put great emphasis on securing their business processes can become victims of cybercrime.
Cybercrime can manifest itself in many ways, from theft of intellectual property to theft of other highly sensitive business information or payment card information. Such a crime could have a significant impact on the business’ brand, reputation and shareholder value.
In the Western Cape we have seen an alarming increase in cybercrime carried out by organised crime, by an insider, or at times by a combination of both (see figure 1 for the various parties that can target businesses). Companies are attacked using a variety of methods, but the most prevalent are phishing emails, ransomware, malware and social engineering.
What are your information assets?
Wine cellars must determine what their most valuable information assets are, where they are located at any given time and who has access to them. The most valuable information assets or processes are those which, if stolen, compromised or used inappropriately, would cause significant hardship to the business. Examples include product designs, wine manufacturing process (recipe) information, new market plans and executive communications.
Too often, wine cellars apply a one-size-fits-all model to protect their information assets. This simply doesn’t work. Wine cellars must hold business executives accountable for protecting these assets in the same way they are accountable for financial results and other key business management metrics.
Wine businesses can manage cyberrisk by:
• Actively engaging in discussions around the business’ cybersecurity programme to ascertain whether it protects the business’ most valuable assets across the board and establishing if it’s getting the appropriate level of attention, resources and leadership.
• Discussing the IT budget, including the IT security budget, with management and understanding the state of the IT infrastructure as delays to software upgrades or the replacement of legacy IT infrastructure can create greater risk exposure to cyber-attacks and ballooning costs over time.
• Ensuring cyber-risks are built into the business’ entity risk management process with appropriate board level review.
• Reviewing the board composition to ensure the directors have sufficient knowledge to help manage the company’s risk. In the event of a breach, a business may face a crisis and should therefore have a crisis-response plan in place. It’s also important to test the plan to improve the likelihood of effective execution.
Explaining the jargon
Phishing: The attempt to obtain sensitive information such as usernames, passwords and credit card details, often for malicious purposes, by masquerading as a trustworthy entity in an electronic communication.
Ransomware: Malicious software that encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.
Malware: An umbrella term used to refer to a variety of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware and other malicious programs. It can take the form of executable code, scripts, active content and other software.
Social engineering: The attempt to psychologically manipulate the user to perform actions or divulge confidential information. A type of confidence trick used for the purpose of information gathering.
Cybersecurity issues have also arisen due to employees not being aware of the risks they could expose their company to. Take for instance the number of times employees plug their smartphone into a work computer to charge it. This seemingly innocent act could open the door for an employee’s computer to be infected with ransomware through a malicious app on their phone. The ransomware encrypts all the information that the user controls, including information on network drives, and only allows them to access it after payment of a ransom, often in the form of bitcoins. Ransomware often also gives a fixed time period by which the ransom must be paid, for instance 72 hours, failing which the data will be lost.
Organisations big and small are increasingly feeling the pressure to be better prepared and equipped, for instance by implementing bring-your-own-device (BYOD) policies and ensuring well-tested backup and restore plans are in place to combat ransomware attacks. Another example where employees could unintentionally expose a business to a cyber-attack is by responding to a spoofed email. Spoofed emails, where an email address is forged so it appears to have come from someone else, rely on social engineering to trick the user.
“I made the payment as you requested,” Jane confirmed in an SMS to her financial director who was on leave. This type of message could be the first sign that the company has experienced a cyberincident. Just before Jane sent the SMS she’d received an email from someone purporting to be the financial director and asking her to pay the supplier. Everything in the email made sense – he delegated the task to her while he was on leave, he provided the banking details and mentioned he’d forgotten to arrange the payment before going on leave. So Jane made the payment as instructed. She even went a step further and SMSed the financial director to inform him she’d completed the task.
Once the money leaves the account the criminals act quickly to withdraw it again. In many cases the money is deposited into the account of someone on the street. This person is almost always unrelated to the criminals and is offered payment for allowing this single transaction to pass through their account. The above example again highlights the importance not only of technology, but also of training, so that staff can identify suspect emails and their security awareness in general is improved. This ensures a business can have the utmost confidence in its teams’ ability to help minimise the risk of these kinds of cybercrimes.
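The spoofed payment request above leaves traces in the message headers that a mail gateway or a trained staffer can check before anyone pays an invoice. The following is an added example, not code from the article or from any vendor mentioned in it: it parses a raw email with Python’s standard `email` library and reports the usual warning signs (a Reply-To or envelope sender on a different domain from the From address, an SPF or DMARC failure recorded by the receiving server, and an executive’s display name used from a lookalike domain). The company domain, role names and all three sample messages are constructed for illustration.

```python
"""Heuristic spoofed-email header checks.

Added example for this article; all domains, addresses and message text
below are constructed for illustration and do not refer to real mailboxes.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the business' own mail domain and the roles most often impersonated.
COMPANY_DOMAIN = "example-wines.test"
IMPERSONATED_ROLES = {"financial director", "managing director"}

# Payment language that, combined with a header anomaly, warrants a phone call to confirm.
PAYMENT_WORDS = ("payment", "pay ", "bank", "account", "invoice", "urgent")

# Constructed sample 1: exact forgery of the FD's address, replies and bounces go elsewhere.
SPOOFED_EMAIL = """\
From: "Financial Director" <fd@example-wines.test>
Reply-To: fd.example.wines@freemail.test
Return-Path: <bounce@freemail.test>
To: jane@example-wines.test
Subject: Supplier payment
Authentication-Results: mail.example-wines.test; spf=fail smtp.mailfrom=freemail.test; dmarc=fail header.from=example-wines.test

Hi Jane, I'm on leave and forgot to arrange the supplier payment. Please pay
ZAR 48 000 to the account below today and confirm. Thanks, FD
"""

# Constructed sample 2: lookalike domain, so SPF/DMARC pass for the attacker's own domain.
LOOKALIKE_EMAIL = """\
From: "Financial Director" <fd@example-wines-co.test>
Return-Path: <fd@example-wines-co.test>
To: jane@example-wines.test
Subject: Urgent invoice
Authentication-Results: mail.example-wines.test; spf=pass smtp.mailfrom=example-wines-co.test; dmarc=pass header.from=example-wines-co.test

Jane, please make the payment before close of business.
"""

# Constructed sample 3: a genuine internal message with consistent headers.
LEGIT_EMAIL = """\
From: "Financial Director" <fd@example-wines.test>
Return-Path: <fd@example-wines.test>
To: jane@example-wines.test
Subject: Board pack
Authentication-Results: mail.example-wines.test; spf=pass smtp.mailfrom=example-wines.test; dmarc=pass header.from=example-wines.test

Jane, the board pack is on the shared drive.
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spoof_indicators(raw_message: str) -> list[str]:
    """Return human-readable reasons the message looks spoofed (empty list if none)."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Reply-To steers any reply away from the apparent sender's domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To goes to {domain_of(reply_addr)}, not {from_domain}")

    # 2. Envelope sender (Return-Path) is on a different domain from the From header.
    _, return_addr = parseaddr(msg.get("Return-Path", ""))
    if return_addr and domain_of(return_addr) != from_domain:
        findings.append(f"Return-Path domain {domain_of(return_addr)} differs from From domain")

    # 3. The receiving server recorded an SPF, DKIM or DMARC failure.
    auth_results = msg.get("Authentication-Results", "").lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        if f"{mechanism}=fail" in auth_results:
            findings.append(f"{mechanism.upper()} check failed")

    # 4. An executive's display name, but the address is not on the company domain.
    if from_name.lower() in IMPERSONATED_ROLES and from_domain != COMPANY_DOMAIN:
        findings.append(f"'{from_name}' impersonated from outside domain {from_domain}")

    # 5. Only escalate payment language when a header anomaly is already present,
    #    so ordinary internal finance mail is not flagged on wording alone.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if findings and any(word in text for word in PAYMENT_WORDS):
        findings.append("message asks for a payment: confirm by phone before paying")

    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_EMAIL), ("lookalike", LOOKALIKE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, spoof_indicators(sample) or ["no indicators"])
```

None of these checks proves a message is fraudulent on its own; a contractor really may reply from a personal address. The point of the script is that any of them, together with a request to move money, should trigger the out-of-band confirmation (a phone call to the known number of the director) that would have stopped Jane’s payment.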