Assume breach

By CIO Council of South Africa
Johannesburg, 01 Feb 2014

In 2012, the hacktivist collective Anonymous broke into the mail server of Syria's Ministry of Presidential Affairs and accessed the e-mail accounts of a number of officials. A few months later, over 2.4 million e-mails from that attack were given to Wikileaks.

In 2013, Barack Obama's Facebook and Twitter accounts, and the e-mail accounts of his staffers, were hacked by the Syrian Electronic Army. In a non-related story, the Twitter accounts of Burger King, Jeep and Top Gear presenter Jeremy Clarkson were among others compromised during the year. Ironically, in 2013, Anonymous' Twitter account was also hacked.

In 2014, as millions of soccer fans were watching the Brazilian football World Cup, a much smaller number of local hacktivists were taking down the Web sites of supporting organisations, including the Brazilian Intelligence System, Hyundai Brazil, Brazil's Football Confederation and Bank of Brazil.

More recently, Hollywood's Jennifer Lawrence and Kirsten Dunst, along with The Big Bang Theory's Kaley Cuoco and countless others, all had nude pictures taken from their iCloud accounts and splashed across the Internet. And it's not only 'big names' who are targeted by cyber criminals. It's said that more than 600 000 Facebook accounts are compromised every day.

There are, of course, many more examples, but it's clear that cyber security issues have developed into significant problems that now require government and top-level corporate consideration.

A holistic approach is required to mitigate cyber threats, one that builds advanced and evolving identification, protection, detection and response capabilities across the organisation. Is it going to be expensive? Probably. But it's still less costly than the cost of reparation once security has been breached. Microsoft's strategy is to assume breach. Assuming breach requires a shift in mind-set from prevention alone to containment after a breach has occurred.

As such, managing risk is an important element of your cyber security approach; but before risk can be managed, it needs to be identified and prioritised. Questions to consider: are these risks being assessed and addressed accordingly? Are your staff sufficiently informed of the latest cyber threats? Do you have a cyber security strategy for your business, and do you enforce it? Would you truly know if you had been breached? Can your business systems detect the undetectable? Are you doing enough?

With increasingly strict regulations about the safeguarding of information, cyber security is certainly now a board-level issue. Businesses tend to think the risk of attack is relatively low, but if it does happen, the impact can be significant.

The outlook is clear: businesses need a proper cyber risk strategy that focuses budget on a holistic approach, one that covers the five silos of security (identify, protect, detect, respond, recover) as identified by the National Institute of Science and Technology. There will always be an element of risk. All people, processes and technology need to be covered by that risk mitigation strategy. Then - and only then - can your business be assured it has an effective and resilient security architecture.

In this, the second issue of Transformer - the official publication of the CIO Council of South Africa - we take a long, hard look at cyber security, how it interplays with key megatrends, and related issues such as the POPI Act. We also look at some of the considerations behind a security strategy, what to do in a crisis, and how to handle one of the least well-documented threats - the sysadmin going rogue.

We hope you find this publication interesting, useful and thought-provoking.

Please let us know your feedback or questions at uweitz@microsoft.com.

Marius Haman and Herman Opperman
Guest editors

Editorial contacts

Ulrike Weitz
CIO Council of South Africa
uweitz@microsoft.com