Spotlight on information security

Organisations should be proactive about information security, and not wait for an incident to occur before something is done.

This is according to Ugan Naidoo, MD of CA Southern Africa Security, who says improper access to systems and data leakage is a major issue that needs to be elevated to a higher priority level in most organisations. “Technologies are readily available that can easily stop this problem,” he adds.

In line with this, ITWeb in partnership with CA Southern Africa, recently revealed the results of its Information Security survey. The survey showed that there are vulnerabilities when it comes protecting information among organisations in SA.

The survey was carried out on 232 respondents across sectors in SA from 4 October until 18 October. The survey was later opened for the CA Southern Africa IT Management Symposium delegates and closed in January.

Naidoo says the survey results show that a few sectors are dealing with these types of vulnerabilities. “However, SA is on the back foot when it comes to eliminating vulnerabilities associated with protecting information,” he says.

According to him, they found that dealing with vulnerabilities around protecting information is well handled across most sectors in mature overseas markets. “In fact, sector specific legislations have been implemented to ensure that vulnerabilities are dealt with more priority.”

This means that SA companies could be easier targets for international syndicates that exploit these vulnerabilities for fraudulent transactions, he says. “SA companies that transact online need to be more aware of the types of threats they may be exposed to by not incorporating the correct controls to eradicate these vulnerabilities.”

Naidoo believes that, this is a bigger problem than we actually acknowledge. “Companies from banks, retailers, law and audit firms, to manufacturing concerns, have sensitive or highly confidential information.”

He says this may be in the form of customer records that can be sold, or secret recipes that can be copied. “We don't really realise that even small manufacturing companies may have products about to be patented, and these company secrets can be copied or patented before the originator.”

The results of the survey indicate that the majority of respondents did not believe that breaches have caused significant financial losses in their organisations. “We do however know that many large organisations have been financially impacted by breaches. This trend will only grow, meaning that SA is not safe, Naidoo points out.

In each and every organisation duties and controls for internal users should be properly segregated, Naidoo says. “In addition, regular user certification processes and stronger authentication mechanisms for Internet-based transactions should be implemented.”

Naidoo adds that implementation of improved super user/administrator management and monitoring systems, is crucial. “I think with appropriate planning and execution, organisations can minimise security breaches,” he says.

More than half of the respondents say their organisations have experienced breaches of some sort. However, Naidoo says the half that responded yes, are those that were aware of such a breach. “Most organisations are unaware they have even had a breach for months or even years after it has occurred,” he adds.

“The loopholes are numerous, but the main ones are around system administrators having 'the keys to the kingdom', improper processes for granting and revoking user access and improper audit controls to conclusively prove who did what on a specific business system,” he says.

The survey revealed that of respondents, 41% of said lack of budget, and 42% said unclear security strategies are major challenges affecting the successful implementation of information security in their organisation.

Naidoo says a well-planned and executed security programme will ensure that more focus is placed in areas where the potential for breach is higher or more likely. “The appropriate processes and technologies can then be deployed to 'lock down' environments, so there is never a single individual with too much access.” In the instance where this does happen, there should be triggers in place (through logging and monitoring) to identify when this does happen.

The survey also revealed that most organisations think that security solutions are important. According to CA a few sectors understand the imperatives around security and have active programmes in place to mitigate security risks. However, by and large, SA companies still consider security as a 'grudge spend' and do the least possible to keep the company going, the organisation says.

Naidoo also points out that implementation of information security has been a challenge for while now. “Some of the issues relate to the immense lack of security skills in the local market, resulting in security solutions being deployed on a 'best effort' basis. Sometimes, this 'best effort' basis is simply not good enough when compared to the skill level of the malicious user that is trying to breach the security,” he adds.

He says it was surprising to see that some of the highest scores in the survey were against very elementary issues, like not having a clear security strategy, or users sharing their credentials. “I believe these can be easily alleviated,” he adds.

According to Naidoo, it was interesting to note that most respondents concurred that users having more access than is necessary, as well as users sharing credentials are the major issues. “It was also interesting to note that whilst most of the developed world has shifted focus from end-user controls to privileged user controls, the results of this survey did not indicate such a shift in SA.”

The only concern with this is that due to the elevated access that these privilege users have, organisations may not even know they are being defrauded or breached, as the very log files that are expected to report on behaviour, can be tampered with, he says.