Working towards effective cyber security

Companies must be aware that adequate physical security measures mean very little if their online data is not protected, says Tiaan van Schalkwyk, senior manager: Risk Advisory, at Deloitte.

Johannesburg, 26 Aug 2013

Globally, cyber security threats have been receiving significant attention. With the world being as connected as it is, companies and individuals cannot afford to drop their guard when it comes to protecting their information. In my experience, some worrying attack trends and security issues are cropping up in Africa. This article will examine the more prominent ones.

Spear phishing attacks are on the increase. Designed to collect information from organisations and individuals, spear phishing could be used as a platform for further attacks. A recent example is that of individuals receiving phone calls at home from people claiming to represent a world-leading software company wanting to help them fix their computers. These fraudsters then proceed to give step-by-step instructions for installing legitimate software for malicious purposes.

Today, people opt for e-mail or social networking as their preferred means of engaging with friends, colleagues, clients, and customers - often readily sharing all types of information. But when it comes to communicating face-to-face, a person becomes more reserved, says Tiaan van Schalkwyk, Senior Manager: Risk Advisory, at Deloitte.

Companies need to be aware that they can have adequate physical security measures in place, but it means very little if their online data is not protected. They also need to educate employees about the importance of cyber security and personal information protection. Security needs to be made personal.

For example, staff who write down their passwords need to be reminded that those are often the same ones they use for online banking, social networking profiles, and cloud services (such as mobile device backup). This means they inadvertently put at risk not only their employer, but also their own personal information.

Another avenue for attack is through mobile devices. South African organisations are increasingly embracing the concept of bring your own device (BYOD), which sees employees using their own devices for business purposes. There are a number of valid business benefits for BYOD, for example, increased workforce mobility and more flexible working arrangements. While the easy answer from a security perspective would be to disallow non-corporate mobile devices, for some, the business benefits are seen to outweigh the risks.

South Africa is also being used as the base for cyber attacks into the rest of the continent. There has been a significant increase in international bandwidth due to the arrival of undersea cables such as Seacom, WACS (West Africa Cable System), and EASSy (Eastern Africa Submarine Cable System). This is not only providing malicious users with better connectivity, but also the ability to use a number of different systems should one cable network be compromised.

Organised crime, hacktivists, saboteurs, and other malicious users see multinational organisations as attractive targets for attacks. These companies use distributed networks and might be more vulnerable in some territories where these are allowed to be autonomous and less secure than the head office. All an attacker needs is to gain access to or compromise the weakest point. Undetected access can put the attacker in a position to monitor and gain more information about the organisation and prepare for further attacks.

So what are organisations to do? Limited budgets are often cited as the reason for not having adequate security solutions in place. Yet, security is not necessarily a technology problem but rather one of not prioritising correctly based on risk (potential business impact and vulnerability). Companies need to understand that people and processes could potentially be an effective countermeasure.

Recently, Gartner has ranked Deloitte number one globally in security consulting based on revenue. This is the result of Deloitte placing a deliberate focus on security. By combining its worldwide best practice experience with local knowledge, Deloitte is able to look at security from both a technological perspective and a process-driven one. Many countries have a lack of cyber security-specific skills, but Deloitte is able to get experts from any of its international offices and combine that with its local knowledge. Ultimately, security is a critical area to ensure the longevity of any organisation. Can you really afford not to take it seriously?




Deloitte refers to one or more of Deloitte Touche Tohmatsu, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.

"Deloitte" is the brand under which tens of thousands of dedicated professionals in independent firms throughout the world collaborate to provide audit, consulting, financial advisory, risk management, and tax services to selected clients. These firms are members of Deloitte Touche Tohmatsu (DTTL), a UK private company limited by guarantee. Each member firm provides services in a particular geographic area and is subject to the laws and professional regulations of the particular country or countries in which it operates. DTTL does not itself provide services to clients. DTTL and each DTTL member firm are separate and distinct legal entities, which cannot obligate each other. DTTL and each DTTL member firm are liable only for their own acts or omissions and not those of each other. Each DTTL member firm is structured differently in accordance with national laws, regulations, customary practice, and other factors, and may secure the provision of professional services in its territory through subsidiaries, affiliates, and/or other entities.