data privacy (https://gtmlabs.com, feed fetched Sun, 31 Aug 2025)

100% protection from a cyber attack? (Fri, 13 Dec 2019)
https://gtmlabs.com/100-protection-from-a-cyber-attack/

I have been asked many times by company bosses whether there is such a thing as a 100% cyber-secure environment.

The simple answer is NO.

There is no such thing as a 100% secure environment, especially when you are connected to the Internet.

To have near 100% protection, you would need a team of security specialists covering a wide range of disciplines, from network and systems to applications. The cost of hiring and retaining them is in itself a financial deterrent for most small and medium-sized companies.

Hence, cybersecurity for SMEs is, at best, delivered on a best-effort basis.

An IT network is like a human body

A company IT environment is like the human body. It is composed of many parts.

Like each human organ with its own ailments, each component in the IT network has its vulnerabilities.

While we try our utmost to stay in the pink of health by working out and eating right, our body will nonetheless be susceptible to some ailments. A case in point is the recent COVID-19 virus outbreak. The outbreak affected everyone, both the healthy and the unhealthy.

This analogy applies to a company's IT environment. While everything possible may be done to protect it, if a new virus appears or the network is the target of a deliberate, focused attack, it will be compromised. There have been many such breaches even in organizations with sophisticated cybersecurity defenses.

Vulnerabilities everywhere

Vulnerabilities exist across the entire IT landscape, from network infrastructure and systems to applications. Even the people working on it are a vulnerability.

Let's begin with perimeter defenses like firewalls: ports could accidentally be left open, allowing savvy hackers to use them to enter the network.

All computing devices and servers need an operating system. These operating systems themselves are notoriously buggy. You can tell by the number of updates you need to install per year.

A savvy hacker could launch an attack at the core of these operating systems, and no one would know anything about it, including the software vendors themselves.

This is true for all other applications too.

This issue exists because software development companies were traditionally more focused on application functionality and usability. They were also under pressure to launch their products quickly. Application security was not part of their initial design priorities. Hence security gaps abound.

To make matters worse, companies across the board are adopting more technology than ever. Hence there will be more and more vulnerabilities for cybercriminals to exploit.

When IoT becomes pervasive, connecting everything, the malaise of cyber breaches and their impact will increase exponentially. It will then be a cybersecurity nightmare.


Lack of priority

In most small and medium-sized setups, having a baseline cybersecurity defense is not a management priority. Management is typically more concerned about sales, profitability, and operational matters than about security.

However, this attitude needs to change, because the likelihood of a breach increases every day as cybercriminals become more sophisticated.

The situation is more pressing now that privacy laws have been put in place.

Under most privacy laws, company directors are held responsible for any breach involving personal data, regardless of whether they were directly involved.

Implementing a baseline cybersecurity solution and running an education program for employees is more critical than ever.

Not many companies are aware that the cost of implementing a cybersecurity solution is a fraction of the cost of a ransom payment or a fine. Bosses should consider looking into how to improve their company's cyber posture.

Shall we have a conversation?

Information Security Policy: why you need one (Fri, 23 Aug 2019)
https://gtmlabs.com/information-security-policy/

An information security policy is a vital document for an organization. It serves as a baseline of what the company is doing to protect information within the organization. It also serves as a reference for employees on how they should handle information.

The information security policy is gaining importance as more and more of a company's internal processes become digitized and outsourced. As a company relies more on automation and more software applications are onboarded, the risk of a cyber incident increases. This would unnerve stakeholders such as bankers.

An information security policy gives external stakeholders assurance of management's commitment to mitigating cyber attacks and data breaches. Even if you are a small business owner, an information security policy is needed to document what you have in place to safeguard confidential data, especially personal data.

The trend of employees working remotely also adds to the risk of a cyber incident. Sometimes users work over third-party networks whose security may be lacking. While transmitting insecurely over these third-party networks, they run the risk of being compromised through a man-in-the-middle attack.

In the last few years, many countries across the world have been enacting privacy laws to protect the privacy of their citizens.

In the event of a data breach, there will be an investigation by the regulators. One of the things they will request is the company's information security policy. Its existence gives the regulators an idea of management's commitment to taking cybersecurity seriously. If an information security policy is lacking, the company runs the risk of attracting a hefty fine.

Just like any other policy in the company, understanding the content of the information security policy should be made mandatory. Every employee should comply with it to insulate themselves and the organization against regulatory fines and civil suits.

With the increased chance of a cyber incident, companies need to start preparing for one. Careful consideration of how to defend against and respond to an incident is more important than ever. The information security policy is an excellent place to start in improving a company's cyber posture.

We can help in drafting one for your organisation, shall we have a conversation?

Policies you need to have on your website (Fri, 14 Sep 2018)
https://gtmlabs.com/policies-you-need-to-have-on-your-website/

As more and more companies embrace technology and go online to conduct their business, they need to understand their legal obligations. Companies and governments no longer view the Internet as a playground for people trying to experiment.

Today the Internet plays a crucial role in business. It has gone from being just a communication platform to one where transactions are made daily. Along with those transactions, personal data such as credit card details are indiscriminately captured, manipulated, and even sold.

Governments all around the world are stepping in to protect the privacy of their citizens. Besides internal corporate policies and business legal documentation, regulators are introducing requirements for companies to have policies and documented procedures to safeguard the personal data of their users.

Below is a list of policies that corporate and online vendors should generally have on their website and internally within their organization.

These are the baseline policies you would want to include on every website. The first three are a requirement by law.

  • Cookie acceptance bar
  • Cookie policy
  • Privacy policy
  • Terms of Use

Within an organization, the following internal policies would supplement the above policies.

  • Human resource policy
  • Information security policy
  • Data Privacy policy

If you are running an eCommerce business, you might further need to have the following policies:

  • Listing policies
  • Payment policies
  • Refund policy etc.

Do note that the above list is not exhaustive, as each industry has its own set of governing regulations, which may require domain-specific policies. For example, if you are in the financial sector, you also need to comply with the anti-money-laundering policies required by the respective financial regulators.

This post was written to help our readers understand some of the legal documentation and policies they need to have in place to safeguard their online presence. The list outlined in this post should not be viewed as the final and complete listing of all policies and legal documentation needed within the organization or on the website. Ultimately, all companies have different business models and offer various services in different industries.

We strongly recommend that you check with your legal team or a specialized third-party legal service provider to ascertain the complete set of policies and documentation you need.

Mixed content and SSL (Mon, 20 Aug 2018)
https://gtmlabs.com/mixed-content-and-ssl/

Mixed content is a security issue. It is one of the issues a Content Security Policy (CSP) addresses.

For a long time after the birth of the Internet, there was no requirement for websites to use the secure transport protocol HTTPS to display web content in browsers like Google Chrome. Traffic and data requests from sites without HTTPS were transmitted in the clear.

However, with the rise in cybercriminal activity, increasing financial transactions, and issues around personal data, the need for secure transmission has become critical.

With effect from July 2018, Google's web browser, Google Chrome, started flagging websites that are not served over HTTPS. Google requires data and traffic to be encrypted and transmitted from the browser to the web server, and vice versa, over HTTPS. In this manner, both the website and its users are protected from attacks on the data in transit.

Website owners who handle transactions online started implementing SSL certificates to give their site visitors peace of mind that they are conducting their purchases on a secure site.

With privacy laws quickly being implemented by many countries, companies and organizations soon followed suit and enforced the HTTPS protocol to safeguard private data provided by their customers over the web.

Mixed content occurs on websites that were designed and uploaded under an HTTP URL and later converted to HTTPS by installing an SSL certificate.

Mixed content is a security loophole. It exposes your web traffic during transmission.

Despite the HTTPS web link, some content on the website, such as videos, images, and scripts, is still transmitted over an insecure HTTP connection.

Hence you have mixed content, HTTPS and HTTP, loading on the same page.

Any data transmitted over insecure HTTP exposes the website to man-in-the-middle attacks. By intercepting these unsecured transmissions, cybercriminals can gain access to data such as login credentials and credit card details.

This mixed content issue must be quickly fixed to ensure ALL content is transmitted through the secure HTTPS protocol before a data breach occurs.
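The check a site owner would run before a browser does it for them, as an added example that is not code from the original post or from GTM Labs: it parses a page with Python's standard-library HTML parser, lists every sub-resource fetched over a plain http:// URL, separates active mixed content (scripts, frames, stylesheets, which browsers block outright) from passive mixed content (images and media, which browsers warn about or upgrade), and produces a copy of the page with those URLs rewritten to https://. The sample page and its hostnames are constructed for this example.

```python
"""Mixed-content scanner for an HTML page that is served over HTTPS.

Added example (not from the original post). The SAMPLE_PAGE below and the
*.example.test hostnames in it are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Which attribute carries the sub-resource URL for each fetching tag.
# <a href> is deliberately absent: a navigation link is not mixed content.
URL_ATTRS = {
    "script": "src", "iframe": "src", "img": "src", "video": "src",
    "audio": "src", "source": "src", "embed": "src", "object": "data",
    "link": "href",
}
# Active mixed content can run code or restyle the page; browsers block it.
# Everything else (images, media) is passive mixed content.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}


class MixedContentParser(HTMLParser):
    """Collects (tag, url, kind) for every sub-resource loaded over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        # <link> only fetches a resource for rel values such as stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = attrs.get(attr)
        # urlsplit lowercases the scheme, so HTTP:// is caught as well.
        # Scheme-relative URLs (//host/path) have no scheme and inherit
        # https from the page, so they are correctly left alone.
        if url and urlsplit(url).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((tag, url, kind))


def find_mixed_content(html):
    """Return a list of (tag, url, kind) for every http:// sub-resource."""
    parser = MixedContentParser()
    parser.feed(html)
    parser.close()
    return parser.findings


def upgrade_to_https(html, findings):
    """Rewrite each flagged http:// URL to https:// and return the new page.

    Caveat: this only fixes the page if every resource is actually reachable
    over HTTPS; check each host before deploying the rewritten page.
    """
    for _tag, url, _kind in findings:
        html = html.replace(url, "https://" + url[len("http://"):])
    return html


# Constructed sample: a page converted to HTTPS whose template still
# references some resources by their old http:// URLs.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="//images.example.test/hero.png">
<a href="http://partner.example.test/">Partner site</a>
<iframe src="https://video.example.test/embed/1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    findings = find_mixed_content(SAMPLE_PAGE)
    for tag, url, kind in findings:
        print(f"{kind:7s} <{tag}> {url}")
    fixed = upgrade_to_https(SAMPLE_PAGE, findings)
    print("remaining after upgrade:", len(find_mixed_content(fixed)))
```

On the constructed page the scan reports the stylesheet and the legacy script as active mixed content and the logo as passive; the scheme-relative image, the outbound link and the HTTPS iframe are correctly ignored. A site-wide fix usually combines this kind of template clean-up with the `upgrade-insecure-requests` CSP directive, which tells the browser to fetch http:// sub-resources over https:// itself.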

As a site owner, you want to fix this before it is too late.

As part of our web security offering, we can scan and fix these mixed content issues.

Shall we have a conversation?


GDPR, cookies and my website (Sat, 28 Jul 2018)
https://gtmlabs.com/cookies-and-my-website/

The General Data Protection Regulation, GDPR for short, is a privacy law designed to protect the personal data of European Union (EU) residents. The GDPR took effect on May 25, 2018, and affects all companies, regardless of origin, if they possess the personal information of an EU citizen in their database.

Prior to the GDPR, websites would drop cookies onto their visitors' browsers without their knowledge or consent. All that changed with the GDPR legislation. Recital 30 of the General Data Protection Regulation treats cookies as personal data. The GDPR requires websites to obtain valid consent when collecting personal data from their users, and gives citizens rights over their data.

Why do we need cookies?

Cookies are small pieces of data that a web server sends along with the requested web page the first time the browser requests it. Once stored in the browser, these cookies send data such as the user ID, session ID, and settings back to the web server on subsequent requests. The cookies remain in the browser until they are flushed out by a "clear cookies" action.

Cookies help to improve the user experience on the site. They store information to identify you and provide personalized content and settings.

For example, one of the significant backend applications that use cookies is Google Analytics. Google Analytics uses cookies to monitor site traffic and user behavior.

Why do the regulators care so much about these cookies?

Like all good things, cookies can be misused in the wrong hands. While cookies can be convenient for website users, they can turn sinister by tracking and remembering user behavior for monitoring and marketing purposes.

Regulators aim to make users conscious of what they allow, rather than granting marketing companies unrestricted access to collect personal data. Users should be given the opportunity to refuse cookies when they visit a site. Hence, the rise of cookie consent and its management.

How does one become GDPR-compliant with regard to cookies?

For starters, you need a prominent cookie consent banner on the front of your home page. The purpose of the consent banner is to inform visitors that you are using cookies on your website. The visitor then has the choice of whether to accept and proceed. Should they disagree with the use of cookies, they would not be able to proceed further and would have to exit the website.

The banner could be either a pop-up or a banner bar, and the bar could be at either the top or the bottom of the page. The pop-up or banner should give clear and precise information about the purposes of the cookies placed on the user's browser. Pre-ticked boxes for cookie consent are not allowed. What regulators want to see is an affirmative action such as "accept" or "reject".

Next, you need a cookie policy informing visitors what cookies are used on your website and for what purpose. This gives visitors some knowledge of, and comfort about, how their data will be used.

Finally, you have to keep a cookie consent log documenting each consent, as proof of compliance in case you come under regulatory scrutiny.

If you need help in implementing any of the above, let’s connect.

Is your website GDPR compliant? (Fri, 15 Jun 2018)
https://gtmlabs.com/is-your-website-impacted-by-gdpr/

With the rampant collection and misuse of personal data by marketing companies and online businesses, regulatory bodies are stepping in to safeguard individual privacy and personal data.

Today, almost every country has regulations to protect the privacy and personal data of its citizens. The European Union (EU) is no exception.

On the 25th of May 2018, the EU released its version of a data privacy law, the General Data Protection Regulation, better known as the GDPR. Any company caught flouting the rules of the GDPR is liable. They can be fined up to 4% of their annual revenue or 20 million euros, whichever is higher.

While most countries' privacy laws are bounded by their geography, the EU's GDPR is unique: it is not restricted by geography at all. As long as the personal data of a citizen of any of its member states is collected and leaked, the organization collecting the data is held liable and fined under the GDPR, even if it has no legal entity in the EU.

One of the significant areas of violation for companies is the company's very own website. The website is a very public application, and as such everyone has a view of it, including regulators.

In the event of a personal data breach, privacy investigators will inspect your website. They can very quickly ascertain whether you have taken the regulations seriously and put measures in place to be compliant.

Hence, to understand whether you could be prosecuted under the GDPR, you need to ask yourself the following questions:

  • Does your website allow a visitor to add or submit information on your website?
  • On any part of your website, can your visitors leave any comments?
  • Does your website accept any form of payment?
  • Can your site visitors chat with you directly?

If your answer to any of the above questions is yes, then you will be impacted by the GDPR if there is a personal data breach. Moreover, you never know which country your website visitor is a citizen of.

Even if you are not actively doing any business with the EU, you need to understand your GDPR obligations to protect yourself and your business.

Let’s have a conversation if you need assistance in this area.
