Thereafter: Assume compromise of EVERYTHING
Unless your company deals with national secrets, valuable transactions the likelihood of your company being targeted by hackers is small. Likelihood will be spray and pray attacks from hacker using phishing and business email compromises (BEC). Hackers offer phishing and business email compromise online as a service and utilize AI to increase volume and precision. Email addresses, phone numbers etc. they have from numerous data breaches.The best defense against this is creating awareness among your family, employees, about digital hygiene, which includes:
- Questioning any request of data by following a link in a SMS. (Log on directly to the bank, Tax services, etc. and respond to queries there)
- Do not announce on e.g., Facebook that the whole family is on vacation.
- Double check odd requests from family/employees/bosses by a separate comms channel, e.g., use WhatsApp if the request came from email.
- Review your password reset procedures and include call-back, send the reset password to the employees' manager, so identification can be verified.
- Data privacy acts e.g., GDPR(EU), POPIA(ZA) applies basically to any organisation, so at a minimum this has to be addressed.
- Only install SW that is downloaded from the vendors website and minimize browser plug-ins. (Take extra care if you let your kids use your laptop/smart phone.)
While not 100% guarantee for security, enabling multi-factor-authentication (MFA) will raise the defenses and hackers will potentially move on to the next potential victim.
Finally, make sure your IT-department and/or IT Service provider is updated on SW Security patches as vulnerabilities are published.
Thereafter: Assume compromise of EVERYTHING
In august a hosting company with 300 clients was hacked and everything was encrypted (including backups) and held for ransom, as a result several companies have declared bankruptcy with more to come. In the end the owner(s) are responsible and lesson #1 is to take data backups (systems can be re-created) and store the files at a different location.
Recreation can take time days/weeks, so consider what is absolutely critical data/information required to continue production/operations for e.g., a week and make a plan for that. Thereafter test the plan.
If you use cloud providers e.g., MS 365, do not assume they automatically backup your data. They can, but typically it is a separate billable service!