Businesses rely mostly on technology to improve their cyber security posture and often overlook a major chink in the cyber security armour: the human factor.
Cyber security professionals agree that people can be a liability when it comes to strengthening security frameworks. This is because untrained and unsuspecting employees are not equipped to identify threats – or in the event of an attack, they are caught unawares and cannot take appropriate action. Despite repeated warnings, workers still open attachments from unsolicited e-mail or freely share personal information over unsecured channels. They are unfamiliar with company policy and fail to report suspicious activity.
The situation undermines a business’s ability to protect its environments and respond effectively to a threat or breach. It is top of mind for international insurance law firm Clyde & Co, the exclusive legal services sponsor of this year’s ITWeb Security Summit.
The legal firm says businesses must integrate their HR management with their cyber security framework. All policies, processes and procedures linked to security must be communicated with a clear explanation of the role of the employee.
This is the main point that Christopher MacRoberts, a partner at the firm, will raise in a panel discussion at the Summit focused on the state of cyber security in South Africa and what more needs to be done.
Clyde & Co’s One cyber team believes that cyber security is everyone’s responsibility and it’s a message that local businesses need to hear.
This message is the catalyst for a change in company culture and mindset: from one in which cyber security is regarded as the exclusive domain of the tech team and considered only when a problem arises, to one that encourages staff training on cyber threats, cyber security posture and international best practice related to user behaviour.
MacRoberts says cyber security threats in South Africa are on the increase, but so too is public awareness of cyber security. “This is driven by awareness of data breaches, awareness of global events related to cyber security and legislation that has come into play over the last few years.”
He says the Protection of Personal Information Act (PoPIA) and the Cybercrimes Act show that government is taking more concrete action to improve cyber security.
This bodes well for the country’s ability to improve its cyber security posture. However, the shortage of cyber security professionals remains a challenge.
“There is a big market developing for cyber security professionals in South Africa, which is under-resourced in our view,” says MacRoberts, who adds that the situation is exacerbated by emigration and migration of available skills.
Despite this, MacRoberts remains optimistic and says the country’s private sector will continue to fill gaps within its public sector and supply solutions. “We are already seeing it … the private sector will be a force for good in driving solutions.”
Clyde & Co predicts that cyber security spend will increase this year as businesses familiarise themselves with Artificial Intelligence and OpenAI’s ChatGPT, for example.
MacRoberts believes there is an opportunity to utilise the intelligent technology for cyber security solutions. “You can harness AI-based solutions for threat detection, patch management and networking monitoring. There is a lot of potential for those tools to be used in a positive way.”
But he also acknowledges that AI can be used in nefarious ways, one of which is the use of ChatGPT to generate material and simulate conversations based on stolen identities.
Under ransom
MacRoberts says ransomware remains the most serious threat to businesses and this has a lot to do with complacency.
Many businesses still operate under the impression that they are too small or unattractive to attackers, but any business with data is a target.
“South African companies are typically not equipped to deal with ransomware and that’s because they underestimate the scale of the threat,” says MacRoberts.
This is another example of the impact of the human factor.
According to Clyde & Co, irrespective of the type of attack, there is inevitably a human action or reaction that forms part of it – from clicking on attachments to someone failing to spot unauthorised access into the network or failing to patch.
“Although all attacks are technology driven, there is almost always a human factor which enables the attack,” MacRoberts adds.
According to Clyde & Co, it is important for South Africa to prioritise training and also conduct random simulated attacks to test the efficiency of a company’s security posture and buy-in of employees.
These simulations can range from general operational simulations, such as simulated email attacks, to full-scale incident scenarios targeting C-suite executives to test an organisation’s incident response plans and security posture.
“Companies are also not necessarily conscious of the value of the data they have… the size of the business doesn’t matter, nor what industry or sector it’s in… if it has data, it’s a target,” MacRoberts adds.
Clyde & Co is the exclusive legal services sponsor of this year’s ITWeb Security Summit. Clyde & Co’s One global cyber risk solution helps clients navigate cyber risks, data and privacy protection through Readiness, Response and Recovery.