Why SMMEs need cybersecurity.
Data is at the centre of everything in today’s digital era, and cybercriminals continuously get better at stealing it. Therefore, it comes as no surprise that data privacy and improved cybersecurity have become key business issues, says Microsoft’s SMB lead, Nick Keene.
Keene, who spoke at SAICA’s recent Cloud in Practice conference, says it is imperative that businesses understand the importance of keeping data secure, as they will be held increasingly accountable for non-compliance. Accounting professionals and other businesses and organisations that work with personal data will in future not only have to comply with South Africa’s Protection of Personal Information (POPI) Act, but may also be affected by the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018 in the European Union.
The GDPR regulates the collection, storage, use, and sharing of “personal data”, which is defined very broadly as any data that relates to an identified or identifiable natural person. “Because of the broad definition, data can reside in places that can easily be overlooked, such as customer databases, feedback forms filled out by customers, email content, photos and CCTV footage. Loyalty programme records, HR databases, IP addresses, cookies, file shares and cloud storage are other places where personal data can be found,” Keene explained.
According to Keene, the GDPR codifies and unifies the data privacy laws across all the EU member countries. “It is not only applicable to citizens and organisations within the EU, but also applies to any company or organisation doing business with a citizen of the EU. It also regulates EU organisations processing personal data anywhere in the world, whether it is for goods or services offered, and independent of whether payment is required or not. It is applicable to organisations of all sizes and all industries, whether private business, government agencies or non-profit organisations. In practice this will mean that any South African auditing practice doing business with somebody from an EU country will fall under the GDPR, no matter how small the practice. Once you collect data from that customer because of a business transaction, you are subject to the rules and regulations of the GDPR. There are no exceptions for enterprise, size or scope, and one of the requirements is timely reporting on data breaches.”
Keene explained that the enforcement of the GDPR will result in enhanced personal privacy rights, an increased duty for protecting data, mandatory breach reporting and significant penalties for non-compliance, and that businesses must make sure that they are compliant.
But being GDPR compliant is not only bad news for business. “It is an important tool to learn what your organization’s data footprint is. Not only can it show data flows and maps, but also how ‘hygienically’ and securely the data is kept and handled. It can also show which data can be minimised, deleted or anonymised because it’s not being used.”
Keene said the GDPR could be a powerful business enabler. “There are key business advantages to being compliant, which include credibility and trust, something which creates a compelling differentiator. Companies may choose to only do business with those already GDPR compliant.”
Improved or documented information governance and cyber resilience are another advantage of being compliant. “It can provide excellent return on investment due to appropriate prioritisation, and it can empower employees by clearly defining their roles and responsibilities.”
There are various factors impacting on a company’s trustworthiness when it comes to doing business in the cloud. Keene therefore warned against what he called DIY IT solutions. “Rather trust cloud providers like Microsoft with your data. They can do IT better and are geared to minimise vulnerabilities.”
When choosing a cloud provider, make sure they are committed to principles worthy of your organisation’s trust. “A trusted provider like Microsoft will implement strong security measures to safeguard your data while providing you with control over it to help keep it private. They will also help you meet your specific compliance needs and explain what they do with your data in plain, clear language.”
Keene gave a short overview of the security threats of the last decade or two. He explained that as attacks become more and more sophisticated, organisations have to guard against unpatched vulnerabilities, misconfigured systems, weak passwords and social engineering.
“People are often the weakest link in a company’s security and the easiest target for hackers, as in the case of phishing scams. With advancing security solutions, hackers are more apt to go after easy targets through social engineering. They are constantly evolving their tactics for maximum efficiency,” Keene warned. “Popular tactics for luring people through phishing scams include asking them to click on email links and attachments, domain spoofs and domain impersonations, user impersonations and links to fake SaaS apps. Microsoft detects an average of between 180 and 200 million phishing emails per month.”
Botnets are another way for cyber attackers to infect and take control of computers. “Bots are programs that allow attackers to infect and take control of computers, and botnets are a network of those bots controlled by command-and-control (C&C) servers.”
Being GDPR compliant is unavoidable, says Keene. “But trusted cloud providers see protecting customer data as a priority. We design our products and services with cybersecurity in mind and have systems in place which can immediately detect any breaches. We also continuously monitor and respond to changes in the threat environment, and partner with others who can help us combat online crimes. Our job is to protect, detect and respond.”
Author: Kulani Chauke, Communication Coordinator: Corporate, SAICA Brand division. This article was first published on www.saica.co.za