Cyber security checklist for South African organisations
By Heino Gevers, Customer Success Director, Mimecast.
Here's the truth about cyber security: if your business is connected to the Internet in any way, shape or form, it is a near certainty that you will be a victim of a cyber attack at some point in your business life cycle.
There is no silver bullet that can offer complete protection against cyber attacks. Instead, organisations in South Africa need to build cyber resilience into their DNA to gain the ability to recover quickly and with minimal financial and reputational damage following a successful attack.
When everyone in an organisation understands the threats facing the business and commits to applying best practice to avoid them, they can drastically improve the business's security posture together, says Heino Gevers, Customer Success Director at Mimecast.
E-mail is still an organisation's weakest point, with 91% of attacks starting with an e-mail-based phishing message. And they're not going away. In fact, according to a 2019 study by Mimecast and Vanson Bourne, 88% of South African organisations have seen phishing attacks in the last 12 months.
Some people would think that e-mail threats would be a thing of the past by now. Most savvy e-mail users know not to open attachments or links sent by people they don't know. But what if that e-mail looks legitimate? What if it's an e-mail from Microsoft, or so it seems, saying our password is about to expire and that we should follow a link to create a new one? The branding is the same, the language is the same; the mail even appears to come from Microsoft.com. Most of us would probably click on it.
And just like that, cyber criminals have harvested our credentials and have access to our Microsoft accounts, including e-mails, calendars and sensitive documents.
Then they take it a step further. With internal access, they can analyse the language we use in our own e-mails and scrutinise our calendars. In minutes, they know that Joe Soap, financial director of Joe Soap Trading, will be travelling on Wednesday at 2pm; the perfect time to send an e-mail from his address to the accounts team, asking them to make an urgent payment to a "supplier".
The e-mail comes from the FD's address. It sounds like he wrote it. Why would the accounts team question it? It's strange that he'd be sending mails from an aeroplane 30 000 feet in the sky, but maybe the plane has WiFi; we can't call him to confirm, and he says it's urgent. Payment is made; cyber criminals win.
Cyber criminals also search for e-mails containing words like 'invoice' or 'payment due'. They'll change the banking details on the invoice, and if there's no governance structure in place, the invoice will be processed, but the money will go to the criminals.
Or they'll weaponise Word or Excel attachments in a way that bypasses traditional security systems. Once you open the file, it runs a script that installs malware, like WannaCry. From there, your organisation is exposed to manipulation by cyber criminals.
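One control a mail pipeline can apply to the weaponised Word/Excel attachments described above, as an added example that is not from the article or from Mimecast: hold any OOXML attachment that carries an embedded VBA project, checking both the part name and the declared content type so that a macro file renamed to .docx does not slip through. The sample documents below are constructed in-memory containers, not real documents.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content type OOXML declares for an embedded VBA project (Word .docm / Excel .xlsm).
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def ooxml_macro_findings(data: bytes) -> list[str]:
    """Return the reasons an Office attachment should be held for review (empty list = no macro indicators).

    Both checks are needed: a .docm renamed to .docx still contains word/vbaProject.bin,
    and a tampered part name is still exposed by the content type declared in [Content_Types].xml.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid OOXML (zip) container"]
    names = set(zf.namelist())
    for part in ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"):
        if part in names:
            findings.append(f"VBA project part present: {part}")
    if "[Content_Types].xml" in names:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for override in root.iter(CT_NS + "Override"):
            if override.get("ContentType") == VBA_CONTENT_TYPE:
                findings.append(f"macro content type declared for {override.get('PartName')}")
    return findings


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for demonstration; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                     'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macro:
            overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not real VBA")
        zf.writestr("[Content_Types].xml",
                    f'<Types xmlns="{CT_NS[1:-1]}">{overrides}</Types>')
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean.docx", build_sample(False)), ("invoice.docx", build_sample(True))):
        print(label, ooxml_macro_findings(doc) or "no macro indicators")
```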
Cyber resilience checklist
It might seem like a hopeless situation, especially when we tell businesses to assume they will be attacked eventually. But, that's the current state of the security landscape and our best defence is to be prepared with a well-developed and tested cyber resilience strategy.
In addition to having the right security controls in place to prevent an attack, the strategy should include these elements:
* Communication. Once you realise you've been hacked, you need to inform staff and other affected stakeholders of the breach immediately. Provide regular updates until the breach has been isolated. Prepare an honest media statement, outlining what you know about the attack (without implicating the business), who is affected, and what you're doing about it. Communicate immediately, not one week after the incident.
* End-user awareness. Tell your staff what has happened and why the network has been shut down. Use the incident to educate users, but this shouldn't be your only attempt to train them. Regular cyber security awareness training should form part of your cyber resilience strategy. Yet this is often overlooked by organisations that believe sending out a mail now and then reminding staff not to open suspicious mails is enough. It's not. Staff won't read them. Security awareness training should be regular, interesting and relevant; we've found that videos and humour work best to get the message across. Your end-users need to know what your strategy is, and their role in it, in the event of an attack.
* Durability. You need an effective backup, recovery and failover plan to ensure your staff can still work and access mails while the breach is addressed. Businesses need to be able to switch over to alternative technology that ensures continuity without further compromise. Mimecast and Vanson Bourne's 2019 study shows that 99% of respondents viewed e-mail uptime as an important part of their business continuity in the event of an e-mail-based attack, yet two days was the average downtime they expected to experience because of a ransomware attack.
* Recoverability. Can you recover all e-mails and data from the exact moment you were attacked? Can you get your operations back up and running quickly? Have you appointed stakeholders with defined responsibilities in the event of an attack, to ensure the business recovers? Having a plan means knowing the answers to these questions.
Your cyber resilience strategy needs to be tested often, at least every six months. Don't only test parts of it; execute the entire strategy.
Regular testing allows you to adapt your strategy to stay ahead of new and evolving threats and will help keep security awareness top of mind for everyone.
A cyber resilience strategy also prepares you for compliance with data protection laws such as the GDPR and POPIA. One requirement of these laws is that businesses can prove they implemented reasonable measures to protect data in the event of a breach.
Many organisations only implement a plan after they've experienced a breach. By then, it could be too late.
Mimecast is participating in ITWeb Security Summit, southern Africa's definitive conference and expo for information security, IT and business professionals. The 14th annual ITWeb Security Summit, to be staged at the Southern Sun Cape Sun on 23 May and the Sandton Convention Centre, Johannesburg, on 28-29 May, will be a high-profile conference and business exhibition featuring top international, African and local speakers delivering key insights across three focused tracks, interactive workshops and in-depth training courses.
The event will demystify emerging cyber security strategies in AI, blockchain, IoT, DevSecOps and more, and give delegates an understanding of how to increase their businesses' cyber resilience.
For more information, go to www.securitysummit.co.za.