The very act of thinking that your business is too small and tucked away to be the target of a cyberattack makes you a more attractive target for cyber criminals. This is exactly because they prey on the complacency that comes with a “it-could-never-happen-to-me” thinking, says Luyolo Ndinisa, IT Security Specialist at Business Partners Limited.
Cyber criminals have low overheads and are located all over the world and online all the time. They range from large state-sponsored troll farms to one guy with a laptop for whom stealing a couple of thousand rands from a small business bank account is totally worthwhile.
There are many reasons why small businesses are such desirable targets for cyber criminals: They don’t have dedicated IT departments or specialists even though their information is kept online. They use email as the main medium of business correspondence, which is still the main delivery vehicle of malware and phishing attacks. Hacking a small business won’t draw the same attention as a successful attack on a large organisation, allowing the criminals to keep operating in the shadows without much fear of being caught.
But the main factor is complacency. Most owner-managers are aware of the existence of cybercrime, but given all the problems of business growth that they face, it is certainly nowhere near the top of their list of concerns. And somehow the word “cyber” gives it the feel of something too glamorous, too sophisticated to have anything to do with their little low-tech business.
Unfortunately, cybercrime is way more commonplace and mundane. In fact, cybercrime’s main method by far is to target the user of the computer system, says Luyolo, rather than hacking into the computer system itself through some clever computer coding. Known as phishing, it entails the hacker manipulating someone inside the business into divulging passwords, downloading malware or making wrongful payments. They do this mostly by sending fraudulent emails in which they pretend to be a legitimate supplier, client or even colleague, asking you to click on a link, to type in your password information, download a file, or even make an urgent payment.
Luyolo says one form of cybercrime that has been increasing lately is known as business email compromise, where a hacker manages to gain access to the emails of a business. Typically, the hacker would intercept a large invoice to a client, and reply to it pretending to be the client, saying that their banking details have changed, and would the business be so kind as to pay the amount into the new – false – bank account number.
In the past, such fake emails could sometimes be spotted by their language mistakes or odd phrasings. Not anymore, says Luyolo. The use of AI text generators has made the fake emails of even hackers with the poorest grammar so much more convincing.
There are a few technical barriers that a small business can erect to protect itself from these scams, but in the eternal arms race between cyber security experts and hackers, the latest anti-hacking software will always be outsmarted.
A much more important armour against cybercrime is awareness and vigilance in the staff members of a business. That is why business owners should embrace October as cyber security awareness month as an opportunity to strengthen their businesses, says Luyolo.
He urges business owners to hold regular staff meetings about the threat and to remind everyone to implement the basic protocols:
- Phone to confirm any unusual text or email, even from a trusted source. Yes, announcing a change of bank details certainly counts as an unusual message. So is a request to fill in your username and password in any form other than on the official home page of your bank or ISP (Internet Service Provider).
- Don’t click on links you are sent unless the sender has verbally confirmed them. Avoid scanning QR codes anywhere unless it is necessary, and only once you have confirmed their legitimacy from trusted sources.
- Set up an automated backup system of your business information. If you use cloud services, download and encrypt regular backups to keep offline.
- Keep all your devices and software updated.
- Implement multi-factor authentication for all sign-ins, through which your usual username and password are strengthened with one-time pins sent via mobile.