
Security weaknesses often people's fault

By Michelle Avenant, portals journalist.
Johannesburg, 27 Nov 2015
"It's not the software. It's the people," says Merlin Knott, director for business analytics at SAP Africa

Weaknesses in an organisation's IT security are more often than not the fault of humans as opposed to machines, said Merlin Knott, director for business analytics at SAP Africa, at the Enterprise SAP Security Monitoring Executive Forum organised by DeltaGRiC and ERPScan in association with ITWeb in Johannesburg on Thursday.

"It's not the software. It's the people," said Knott.

Employees too often use the same passwords for personal and professional use, meaning if a hacker can extract a password from a social network profile or a flimsily protected personal device, they can use it to attack the user's company, he explained.

Threats essentially come from connecting ERP systems to the Internet, said Alexandre Polyakov, co-founder and CTO of ERPScan and president of the EAS-SEC.org project. Yet such connectivity is increasingly critical, as ERP systems require connections to systems or devices in other locations, he added.

In addition, many security vulnerabilities are not necessarily engineered by hackers, said Knott. Some are built into an IT system at the hands of those who implemented it, and thus are often overlooked during vulnerability scans, he said.

Furthermore, outdated, "siloed" approaches to IT can create an environment in which internal conflict can overcome the benefit IT systems are meant to provide, Knott continued.

Rather than expecting to patch all vulnerabilities and block all attacks, organisations should identify and prioritise which vulnerabilities are the most critical, and hence which are worth the time and money expended on addressing them, said Knott.

Real-time monitoring of events across an organisation's IT infrastructure is also important, he said. Many organisations provide "some form of IT logging, but it's more of a reactive process," so they are less likely to catch cyber-attackers in action, he added.

Visibility into the hacking process can not only help assess and address a cyber-attack, but help to isolate the attacker, Knott continued. Obtaining their IP address could help track down their location and have them apprehended, he suggested.
