A storm of cyber threats is hitting South Africa in the form of increased malware attacks, primarily on businesses. Organisations around the world - and in South Africa - have been crippled in the latest attacks. In view of the numerous recent incidents, one must conclude that cyber security is as much a priority as physical security, says Parsec Senior Product Manager Jaco Botha.
From a business or personal point of view, the theft of personal, financial and health records is disturbing, however, the business impact of a ransomware or similar denial of service attack could be devastating. It's now more vital than ever that businesses and their employees should be educated about the importance of being secure against attacks.
Botha says: "Simply put, cyber security is around protecting everything while you're online, including people, devices, assets, data and pretty much everything that's connected, against all sorts of threats that are present in a hyper-connected world."
Which poses the question, why are organisations suddenly being hit by this onslaught of cyber attacks and why are the attacks so successful? Is it because businesses have neglected cyber security until now? Botha believes it's more complicated than that. He says: "Although some sectors, as well as small to medium enterprises, have under-invested, it's also a case that some of the investment wasn't spent wisely. Complacency is also a huge contributing factor."
He continues: "If I look at what corporates spend their security budget on, most of it goes towards being compliant. So while companies will invest in cyber security, they do it because they're legally obliged to, not because they truly understand the threats that they're defending against."
He cautions companies against investing in a cyber security solution that promises to be a silver bullet, saying: "All too frequently, people invest in a solution but don't end up with an environment that's significantly more secure, especially against some of the threats that are now prevalent. For example, a business might invest in an expensive firewall, but then be on the receiving end of a simple phishing campaign - there's no real attack on the systems or the network itself, it's an attack on the people within the company. In our view, the biggest threat in cyber security is the human element and this is what's actually been neglected, to a large extent."
Stephen Robson, Product Manager: Security Products, Parsec, proposes a different way of looking at the current situation that businesses find themselves in. He says: "If you consider that until now, a big focus for most solution providers has been usability and getting products to market in an era where security wasn't really a big focus. This is especially true in the industrial space, for example, where the industrial control networks were traditionally kept completely separate from the rest of a company's networks. Today, those industrial control networks are increasingly connected to the Internet, but the underlying protocols used by the devices on those networks weren't designed with any kind of security in mind. And that's where the risk lies. One can argue that the world is now in the position it's in because security was never a priority until now."
Is the industry doing enough?
Botha says: "There's a lot more awareness nowadays, with the press creating more hype around cyber threats, but I'm not sure that it's spurring companies to action."
Robson agrees, saying: "There's a lot of noise around cyber security that perhaps makes it difficult for people wanting to improve their security posture to understand what they need to do. We're hearing a lot of mixed messaging from cyber security vendors claiming they can solve the problem, but obviously there's no single solution. In my opinion, filtering and making sense out of the noise is going to be a big challenge."
Something that Parsec has been considering is how to educate and inform organisations and help them to change employee behaviour so that they adopt better habits around security. Robson says: "In addition to providing a technical solution, we are designing training courses and providing education to help people to change their behaviours."
Security awareness is vital for everybody who's connected to the Internet, as all employees are also connected to the Internet in their private capacity. Not only do employees bring their own devices, but they bring their own passwords too, so they tend to use the same password for their home e-mail that they use for their work e-mail, putting them at risk.
This is where education is so important, according to Robson. "There are plenty of attack vectors that you can mitigate against through proper education of your employees, with phishing e-mails being a perfect example. You need to warn people not to click on a suspicious link or how to identify rogue Web sites before they enter their user name and password on the resulting Web site, and that they need to be careful when opening attachments, and they shouldn't give their credentials to a person over the phone. These examples all tie into the human aspect of cyber security."
Botha suggests that companies educate employees about cyber security and how to protect themselves by sending them on cyber security awareness courses. "In addition, there are good solutions that test the security posture of a company, including its vulnerability to things like social engineering attacks." He also recommends that children learn about cyber security at school, so that they're aware of potential threats from an early age.
The hyper-connectivity trap
People are constantly connected to systems and one another through devices such as smartphones, tablets and computers. A cyber security challenge arises, according to Robson, when people use the same login credential across several devices. He says, "When you share your login credentials across many devices, you just need a vulnerability on one of them and the cyber criminals have access to all your accounts. Password sharing leads to a major increase to the attack surface."
Even more concerning is it's not only devices that people carry around or use on daily basis that are at risk; with the Internet of things, there are more than twice as many devices connected to the Internet as there are people. Each of those devices has some kind of login and username password combination, which is often set at factory default, which is a huge vulnerability. With everything being connected, your password and login lie across so many servers that hackers could potentially access your account from anywhere in the world. The average person has in the region of between 24 and 100 logins, including social media, online banking and other accounts. Even if we conservatively calculate the number of logins per person to be 25, then we are looking at roughly 100 billion passwords in use. The threat surface is enormous as a result of hyper-connectivity.
According to Botha, throwing money at technical solutions will not be enough. Companies must approach cyber security with a strong emphasis on the human element.
He also recommends that companies consider whether it's in fact necessary for everything to be connected to everything else - by creating islands of connectivity, you can drastically improve your security standpoint. Simply put, the most secure network is one that isn't connected to the Internet.
Share