If you were to have a discussion about cyber security just a few years ago, you would have been subjected to long explanations about anti-virus software, which firewall was best and how to stop hackers penetrating your network by exploiting vulnerabilities in your company's software.
Things have moved on dramatically as the threats faced by companies have changed. Even Facebook CEO Mark Zuckerberg found his personal social media accounts compromised recently as a breach at LinkedIn led to millions of people's passwords being dumped online. If nothing else, this showed that no one is immune. While Zuckerberg is a high-profile example, IDC analyst Jon Tullett warns that when it comes to organisational security, the greatest danger any company faces is assuming that they're not a target.
"It's the number-one security mistake that companies make, thinking that they are not going to be a target. Everyone is a target. If you are Mosak Fonseca (the law firm at the centre of the Panama Papers scandal) and even if everything it is doing is legal, there are still going to be people out there who want to embarrass the company. Other, more high-profile companies such as Monsanto are constantly under threat from activists who want to make them look bad. It's not about exposing illegal behaviour, it's about damaging the company," says Tullett.
Mayleen Bywater, senior product manager for security solutions at Vox Telecom, agrees that often the motive isn't only financial: "It's not just about taking a business down, it's also about inflicting reputational damage. The hackers don't even need to use the data they have obtained, they just need to make the company look bad, and sometimes that is worse."
Nathan Desfontaines, cyber security manager, Information Protection & Business Resilience at KPMG South Africa, says the conversation between service providers and their clients has to move with the times.
"The problem three or four years ago was that we were dealing with script kiddies and the organisation was being attacked because of the specific software or a version of the SW they ran, whereas now they have become more sophisticated. The hackers have become hacktivists like Anonymous and we are seeing nation state sponsored attacks that are more targeted and more objective-driven. I don't believe organisations today are prepared for that kind of targeted attack."
Complacency rules
However, the breach that resulted in the Panama Papers exposé, and the more explosive but smaller (regarding the amount of data involved) revelations from Edward Snowden, should have resulted in companies taking a long, hard look at the chance of that happening to them, but Tullett says that this is not the case.
"I have had a number of conversations with local CIOs and the issue of data leaks has come up quite a lot, especially in the light of the Panama Papers. When the CIOs were asked if they would know if they had a couple of terabytes of data leaving their network, they all said no. We're not even talking about being able to classify if the data was sensitive or not; they simply wouldn't even know that it was happening. That's mostly because none of them is doing basic egress monitoring on their networks."
Desfontaines comments that this is because companies have not taken action when they were alerted to an imminent threat.
"When the NSA leak happened and Snowden released all that information, it should have been a wake-up call. At that point, we would have expected that organisations would have asked if they had the right precautions in place, but that hasn't happened. Now we've seen a breach that is orders of magnitude larger and that organisations should be taking even more seriously and we'll have to wait and see what the reaction is. However, external threats are only one avenue for data to leave the network and while it's getting a lot of media coverage, internal threats are just as dangerous and aren't even a hack or a technical glitch. Data could leave through any number of mechanisms, including the network or a hard drive and it's impossible to keep tabs on all of those routes."
Brent Haumann, head of development at Striata, adds that it's not possible to close all the egress points without severely constraining people.
"I've been into businesses in Singapore where you can't plug in anything. You walk in, do your work and leave at the end of the day. In those environments, there is no such thing as working from home and this is extremely restrictive because in the South African environment, we all take some work home and this means taking some data with us. It's such a fine balance that businesses have to manage."
Call your broker
That's not to say that there isn't the risk of real financial damage to companies when a breach does occur or when a company comes under attack. Just the damage that a company can incur from being offline for a number of hours can run into the millions of rands.
It's at this point that the issue of cyber insurance comes to the fore.
Richard Keymer, head of product management at Tarsus SecureData, points out that until the cost of the insurance matches the risk profile presented by the business, there is a danger of companies simply outsourcing the risk rather than taking proper precautions. "The correct model is the more secure you are, the lower your premiums would be."
Tullett comments that this is actually the case as cyber liability insurance providers require companies to undergo a regular audit, but insurance is intended to provide the resources needed to shore up the breach when it does occur.
He adds that while larger companies have policies in place, small and medium businesses often fall behind the curve in this area in South Africa, but in other parts of the world, there have been successful strategies deployed to help SMMEs.
"In the UK, the government published a ten-step programme that businesses can follow if they want to be more secure; the government then tracks the adoption of this plan and all indications are that it has been very successful. These are really just basic techniques that enable businesses to safeguard themselves. In SA, this could be rolled out relatively simply as well by leveraging the relationship that all formal businesses have with their banks or with SARS. There are lots of ways to get awareness out there that are consistent and easy to do."
Kevin McKerr, IBM SA security sales leader, adds that the experience that IBM has had is that some simple conversations are key to setting the tone when it comes to security in the enterprise space.
"Based on the feedback we get from the 14 000 customers that use our security technologies, we have four key conversations with our clients. The first is reassessing the security programmes that they have in place. Because the security field is so fluid, technologies that were relevant two years ago may no longer be useful. The second intervention is ensuring that the customer is protected against advanced threats. As these threats evolve, you need to be continually working to protect yourself against them. The third is ensuring that your crown jewels are protected. And in this context, we're talking about the company's data. The fourth conversation we're having over and over again is around cloud and mobile. There is a proliferation of devices coming into the enterprise, but this raises the issue of shadow IT and with more resources being used outside the control of the IT department, it raises considerable risks.
Tullett points out that the rise of shadow IT is often the result of a cultural failure within organisations. "You have shadow IT because your IT department has failed to anticipate the needs of the users. You have people that are motivated by productivity, but are unable to find a solution from internal sources and, as a result, they are no longer protected by corporate security structures. So you should reward them for that productivity, but, at the same time, the IT department has to be on board and find ways to ensure that security is in place."
McKerr agrees, saying that there should be a mandate to pursue the business advantage, but, equally, the security team should be there to help them along the path rather than restricting them.
All about the users
The conversation keeps returning to the role that people play in the security of organisations.
Haumann identifies the biggest threat faced by companies as coming from social engineering.
"There is a lot more money being spent in security, especially by the companies that are being targeted, such as the large financial institutions. However, it doesn't matter how big a gate you build, if the fence isn't there to secure that gate, then you're wasting your time. At the moment, the biggest hole organisations have is their people. You can put in all the technology you like and jump through all the hoops and tick all the boxes, but it just takes one person who has access to that information to break the chain."
Bywater adds that when it comes to social engineering, the rise of social media has made it possible for individuals to be targeted more precisely by those looking to penetrate an organisation.
"You don't even realise that something in your environment is a threat; it doesn't look sinister in the least, but three months later, you realise what has been going on and then it's too late. These things are so personalised and direct nowadays, because they know who you are and that becomes an entirely different discussion point."
All the panellists agree that it's essential that companies build up a culture of awareness inside their organisations, but Desfontaines points out that when the issue of awareness is raised, it isn't a once-off process.
"Even if we are willing to spend time training and upskilling employees to be more aware of information security, the rapidly changing nature of the modern organisation (joiners, movers, leavers) makes this a process that you don't embark on and then complete; it has to be an ongoing process. People need to be told, `When joining our organisation, these are the kinds of things that are expected of you'."
However, the issue of awareness doesn't stop at the staff list. Almost every organisation nowadays shares information with any number of third parties and they need to be embraced when discussing the idea of a culture of security.
Keymer adds that these third parties need to include any cloud providers that are part of the technology mix.
"One of the reasons that siloed security doesn't work is because of the move to cloud. More and more businesses are taking the decision to implement a solution or implement a technology that is far removed from the business and this prevents overly rigid security departments from putting their claws into it and hold it back."
Tullett comments that there remains a tradition of doing things in a certain way in South African IT departments.
"Especially in SA, the thinking is still out there that organisations want to buy a solution. They want to be able to plug in something and have a green light that says everything is okay. Attackers, and especially the motivated attackers, have one objective and that is to beat the blinky green light and, inevitably, they will achieve that simply because there are more of them out there. You can't buy a security product that will protect you against an evolving threat. The only solution is to create an evolving security mind-set rather than buying a product."
And that involves creating a security-aware culture throughout the entire ecosystem of the organisation.
This article was first published in the July 2016 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.