Building a cyber-resilient organisation
Cyber criminals have been known to go for the 'low-hanging fruit', and in most cases, that happens to be individuals within the organisation. Employees are the weakest link, with most research suggesting that the majority of breaches happen as a result of the insider, whether careless or malicious. Either way, the most effective way for businesses to protect themselves is to create and nurture a culture of cyber-security awareness.
"Businesses need to take a proactive cyber-resilience approach to ensure all areas of the business are covered."
So says Dr Bright Gameli Mawudor, head of cyber security services at IS Kenya, who will be presenting on 'Practical tactics to change user behaviour and create a secure culture' at the ITWeb Security Summit 2018, to be held from 21 to 25 May at Vodacom World in Midrand.
Mawudor will employ live demonstrations in a controlled environment to show various ways hackers do reconnaissance, from exploiting a user, to gaining a foothold on the network. "There will be a simulation of various customised malware that is being used in the wild and show ways they get to exploit a user or system."
In terms of changing user behaviour, Mawudor says a good approach is holding frequent phishing campaigns to test users' alertness when it comes to various security incidents. In addition, he suggests Red Teaming, the practice of viewing a problem from an adversary's or competitor's perspective to challenge the business to improve its effectiveness, carried out by an external assessor who will use various methodologies to try to exploit the internal network.
Other ways to change user behaviour, he says, include conducting social engineering attacks which include physical security exploitation, and print-outs on notice boards to remind users of simple cyber-security concerns. "All the above boils down to frequent training and re-tests from time to time."
A resilience framework
A proactive approach will enable businesses to be aware of where they stand as an organisation, and the actions they need to take to be as secure as possible.
"So many businesses rush to buy products and services that are either not a priority, nor currently necessary. They buy from multiple vendors, creating an environment that turns out to be very difficult to support and integrate with cross platforms. This raises complexity and spending which could be avoided with good planning."
He says a good security culture entails five elements of a resilience framework, namely identify, protect, detect, respond and recover. "Having all the above will assist in the transformation of the organisation's security posture and in turn, help to develop a robust strategic roadmap. This is a process that requires a lot of time and is not a single event."
Mawudor advises businesses to start by doing a gap analysis so that they can build the company's risk profile, lay down priorities according to urgency and budget, and finally take action towards implementation over time.
Delegates attending Mawudor's talk will be able to understand the various simple and sophisticated ways hackers compromise them and their networks. "They will be able to understand easily as I will be breaking it down into practical everyday scenarios and layman terms to assimilate with ease."