Subscribe
About
  • Home
  • /
  • Security
  • /
  • Fighting shadowy criminals in a neo-gangland world

Fighting shadowy criminals in a neo-gangland world

Cyber criminals can, and will, attack from any corner of the world at any time of the day or night, using social engineering techniques to target the heart of your business.
Tim Wood
By Tim Wood, Executive head, information systems and technology, Vox.
Johannesburg, 05 Nov 2021

Imagine this scenario: a well-run organisation, with clearly-defined objectives, working with skilled research and development teams incentivising third-parties to operate on its behalf. It is focused and resourced.

Now imagine a shady scene from a 1920s gangland Chicago movie and superimpose it onto a SciFi movie, where the gangs no longer have to walk in dark alleyways, but can move freely in a parallel world that you know exists, but one where shadows don’t exist and footprints are almost impossible to trace.

What if you were told that the well-run organisation is, in fact, the mastermind behind the neo-gangland movie scene? And then, just to give you sleepless nights, you’re told this movie isn’t fiction, but a real-life documentary and that you, sitting there right now, reading this − whether you are in Cape Town, Johannesburg or on a farm in the Karoo − are the intended target?

This is the world we find ourselves in. We live in an age where shady, underworld inhabitants of the dark web are almost untraceable and untouchable. We know their names: think REvil or Conti. We know they are there, we know they are trying to catch us and our employees, we know how they operate, yet they continue to thrive.

These criminals can, and will, attack from any corner of the world at any time of the day or night. They use sophisticated social engineering techniques to gain specific information about your world and then use that to gain access, and then attack the very heart of your business.

Their favourite targets are often small to medium businesses that have started to grow and have taken their eye off the security ball. They have, for lack of a better description, been caught with their pants down, vulnerable, unable to defend themselves, with their reputation on the line.

Perhaps the most frightening aspect of these criminals’ modus operandi is that your biggest asset is your biggest risk. Your people. This is how they take you down. People are empathetic, curious and gullible − this is fertile ground for a phishing expedition.

What can you do?

With this bleak backdrop, how does a small to medium business respond to this threat? Importantly, how do you allocate IT budget and balance investment in revenue generation versus self-preservation, in the form of security?

Starting today, work towards understanding what the immediate risks are, where they are and where the business is in its maturity cycle. Choose an appropriate technology and security partner to help map out a security plan by running audits on the current environment.

We live in an age where shady, underworld inhabitants of the dark web are almost untraceable and untouchable.

This doesn’t mean you can, or should, do everything at once. The risks identified − and they will be there − can be ranked according to levels of urgency in order to provide a base from which a security roadmap can be implemented.

If any one or more of these risks are deemed to be high or critical, budget needs to be released and they must be addressed immediately.

If you were in gangland Chicago and you knew criminal gangs were stalking the streets at night and climbing through unsecured windows, would you leave yours open without security bars?

How much should you spend?

There’s no simple answer to this question, but as would be expected, the size and complexity of an organisation will determine how much should be spent on security.

The prevailing rule of thumb is that a business should be allocating between 1% and 13% (with an average of around 6%) of IT spend to security. This is a ballpark, to give you an idea, and this can be blurred somewhat as there is a component of security spend built into many other IT costs, such as networking equipment, software licensing, software application development, training, and more.

It is a rough guideline and should not override the priority given to risks that need immediate remediation.

A business cannot implement a comprehensive IT security strategy overnight. So, having a documented, committed plan will go some way towards meeting the IT governance responsibilities for which business owners are legally and morally accountable.

A practical response to remediation can often be considered without huge expense, while outsourcing key IT functions or subscriptions to software-as-a-service offerings should be considered as part of this security plan.

Ten-point security gameplan:

  1. Find an appropriate technology and security partner.
  2. Run security audits.
  3. Remediate high and critical risks immediately.
  4. Educate your people.
  5. Define priorities and determine a security roadmap. This is unique to each business. Start with a base level, then the next level, and then at the end, security office monitoring − the highest maturity level. The base level on the other extreme includes things such as an anti-virus and patching of operating systems.
  6. Identify quick wins that are easy to implement and don't break the bank.
  7. Bolster the IT team by outsourcing key functions. It is expensive to have appropriately skilled people cover every aspect of the business. Partners that offer managed IT services bring the benefit of top skills at a fraction of the cost.
  8. Identify functions that can be delivered by a low-cost service offering, such as partners that offer software-based user education programmes or test-phishing expeditions.
  9. Define and commit to a security maturity plan.
  10. Monitor progress, review gaps and prioritise remediation continually. 

Share