Security: the evolving threat landscape
Where does IT security begin?
Pieter Nel, SOPHOS: The biggest problem we see in the market is with end-users. They are not educated at all. We see phishing attacks and ransomware attacks taking place. Education goes a long way to tackling this. We are on a major drive to educate the partners, the distributors and the end-customers themselves.
Maeson Maherry, Lawtrust: It begins with education, but it has to be the education of the people who need to appreciate the IT. If you want the board to appreciate the CIO, or IT in general, turn off the datacentre for half an hour. And then, all of a sudden, everything will stack into place. Once people understand the value of the IT that they have, that's when the conversation starts. Then you can learn. Then you can get things done. For me, that's the beginning.
Marianne van der Pluym, Micro Focus: I would add to that, turn off the CIO's e-mail and see how loud he shouts because ubiquitous access is what everybody demands. Everyone wants access, they want it all the time and they want it from everywhere. That's because work is no longer a place, it's an activity. This means the users to whom you are providing access could have too many rights. If they have too many rights, you could be exposing your organisation.
What can you do to improve security?
Warren Hero, Microsoft: There was a late-night talk-show gag, where someone stuck a mic into people's faces and asked them what their password was and people just gave it. So this question about a basic digital literacy, or broadly called a digital astute citizen, is something we have to talk about.
Marianne van der Pluym, Micro Focus: I agree. I was once on a plane where I saw someone's password pasted on a sticky note stuck onto their laptop. Users are either fundamentally lazy, or ignorant or just plain stupid. In a digital world, we need to look at security, and this means we have to look at replacing passwords with another type of digital access method that takes the risk away from the user.
Mark McCallum, Orange: What we are really saying here is that there are two things: people, and the technology they bring into the enterprise environment. This is about educating people on the one side, and how you address the security relating to the technology they are bringing to the table on the other.
Sagen Pillay, CA Southern Africa: You need to know your consumers, you need to know the devices they are transacting on and you need to give them a user-friendly experience. This means you will have to manage their identities right through the entire transaction, specifically focusing on the privileged accounts. These privileged accounts are where the breaches happen. Once a hacker gets control of a privileged account, like an administrator's account, they can do anything they want on the network.
Garth James, VMware: The notion that the user is going to protect him- or herself is a false one. We almost have to turn this entire thing on its head and start from the ground up again. We need to have a default-deny wrapped around every single user. From where we stand, we want to wrap security closer to the endpoints, to the virtual machines so everything is firewalled. This means even if they are able to create a breach at the lower levels, they will not be able to get access to the higher-level credentials.
Do the executives take IT security seriously?
Manny Corregedor, Telspace Systems: This 'IT security' term is a bit of a problem for me because it's not just about IT. In my view, it's about information security, not just IT security. So far, we've spoken about people and process and that is a lot bigger than IT, which is about the management of the systems. But to answer your question, yes, boards are starting to take it a lot more seriously. The media has played a role. At one time, I was in a boardroom where a CEO declared that 'cybersecurity' was nothing more than a buzzword. Now, it is the word.
Andrew Potgieter, Westcon: One thing I always see, when we sit in a boardroom, or in a group like this, is that it's always somebody else's responsibility. No one takes responsibility for it. That's why we start these conversations with the CIOs sitting at the kids' table. But this is starting to change. I recently saw a meme of the board inviting the CIO up to the boardroom. It showed that the CEO was now starting to take the role of the CIO a lot more seriously.
Maeson Maherry, Lawtrust: They take it seriously when they understand it. Take Ashley Madison, for instance. We had a good laugh when people were found out, but it's forgotten that people were using work e-mail addresses and passwords. No one really understood the gravity of the situation from an information security point of view. The same goes for WannaCry. What if they wanted access to the information and not just to lock it? When people start to understand this, they will start doing things.
How are hackers getting into the networks?
Warren Hero, Microsoft SA: According to the latest Microsoft Security Intelligence Report, the number of undetected beachheads has risen from 194 days to 205 days. I find that absolutely fascinating. One of the conversations we are having with customers is around how secure your supply chain is when it comes to implementing a piece of kit in your context.
Andrew Potgieter, Westcon-Comstor Southern Africa: When we start talking about these midmarket guys, they don't have a clue. And that is where we see a lot of the problems coming in, as they are the springboards into the next organisation. Customers are not realising the volume of the threat that's out there. When you do talk about it, it becomes so monumental, it's not real.
Mark McCallum, Orange Business Services: Companies are getting targeted from areas they are not really thinking about. And what we're seeing is that CIOs are struggling to articulate some of these security challenges.
Jaco Sadie, Ascent Technology: The question we usually ask is: do you trust your administrators and developers? Do you actually know what they are doing? Securing your data from the outside is important, but so is securing it on the inside. About 60% of attacks come from the inside, and 40% of those attacks are malicious. You really need to come up with a strategy that looks at both facets.
Do we have to live with constant vigilance? Are the attacks like the WannaCry one something we have to live with?
Warren Hero, Microsoft: Around 143 countries now have some kind of offensive cyber capability. They have been stockpiling vulnerabilities for years. There are things much worse than WannaCry out there. The issue is that we focus on the things that have been publicised.
Marianne van der Pluym, Micro Focus: WannaCry is like a flu symptom, but it's not really the flu. The real danger is the stuff you don't know about. The threat is having people with too much access inside the organisation colluding with people outside of it to run syndicated attacks. This isn't publicised and companies are not talking about it because of reputational damage. This is actually the real threat.
Paul Williams, Fortinet: We have South African numbers that were given to us confidentially, and we can see that the average data breach costs an organisation about R30 million in down-time and redirecting of staff to fix it. This does not factor in the reputational damage.
Maeson Maherry, Lawtrust: Another danger is data integrity and the subtle alteration of facts. Someone can go into a database, make some changes and literally change history. You don't block the data, you don't steal it, but you make small changes to it. It's not worth having data if the data is wrong.
Roy Fisher, MWR InfoSecurity: What WannaCry did teach us is that not only are people bad at patch management, there was also no real plan to respond to an incident. This saw the UK's National Health Service going offline for 12 hours.