Technology alone can't address Layer 8 risk
Technology alone cannot fix the information security problem, said Keitumetsi Tsotetsi, cyber security risk assurance consultant at PwC.
Tsotetsi told delegates at the ITWeb Security Summit 2017 that 'layer 8' - the user - remained the weakest link in information security, and that technology alone could not combat this.
In South Africa, cyber crime was the fourth most reported economic crime, with at least 32% of organisations having fallen victim to it, she said. "Inadvertent breaches account for more incidents than malicious breaches worldwide, although malicious breaches have proven very damaging for many companies."
Citing high-profile examples of significant data leaks and breaches around the world, Tsotetsi said disgruntled or negligent employees were often responsible for significant and costly incidents. Insiders had been behind damaging incidents at organisations such as AOL, D&B, Target, Morgan Stanley and JP Morgan, and in some cases, the insider theft of records from these organisations had taken place over the course of several years, she said.
"Technology, without a culture of information security, cannot fix the problem," she said. "And it doesn't help to have all the latest technologies in place if nobody knows how to use them.
"Information security has to become a culture within the organisation - you need to implement long-term change rather than aiming for a quick fix. It helps if the user training taps into existing behaviours rather than attempting to create new ones. Also, it is important to address your audience with appropriate, targeted training," she said.