Cyber security requires an integrated approach

By Paul Orffer, Senior Manager Risk Advisory, RA Security, Privacy & Resiliency, Deloitte

Johannesburg, 12 Nov 2013
Read time 5min 30sec

Much has been written around cyber security threats and the need for companies to remain vigilant about the impact on reputation and finances should breaches occur. Yet, corporates are often not doing enough to protect themselves.

This article will examine how an integrated approach is needed to mitigate the risk of attacks. One thing is certain: corporate behaviour needs to change, as technology on its own cannot protect against all avenues of cyber attacks. In fact, the security techniques companies adopt need to be reviewed if they are to protect themselves more effectively than in the past. Social media has certainly contributed to raising awareness around hacks and security loopholes, resulting in more people being vigilant both in their personal lives and at work.

Unfortunately, individuals often form part of the collateral damage when cyber attacks happen against a company. Not only do they provide an easy 'in', but it is often their data that gets compromised and used for financial gain by malicious users, says Paul Orffer, Senior Manager Risk Advisory, RA Security, Privacy & Resiliency at Deloitte.

A contributing factor to this is the increased popularity of using public WiFi. Very often, these networks are "open" and the network traffic is unencrypted. This can be used as a stepping stone to intercept data and potentially gain access to the mobile devices of users. And since the majority of people using these public access points do so to check up on work e-mail and the like, this could leave the company open to have their corporate data compromised.

Companies need to do more to educate people on cyber security risks. However, just conducting standard security awareness seminars is not enough. They need to approach this awareness from the perspective of how people work.

It is not good enough simply saying there are security rules. There needs to be a reinforcing of those cyber security messages - making it easy for people to remember them throughout their work day and, ultimately, changing behaviour.

Employees need to be educated around what happens should a cyber security incident occur. If they feel threatened by corporate policy, they might never report an attack on a system as a result of a mistake they made and it might go unnoticed until it is too late.

There are essentially three dimensions of security control, namely, defining what needs to be controlled, monitoring whether it is happening, and having a consequence for non-compliance. Far too often, one of the three is lacking, thereby significantly reducing the effectiveness of any cyber security policy in the organisation.

Despite popular belief, South African infrastructure is often on a first world level when it comes to cyber security protection. But as a result of the booming mobile landscape, there is still a lack of security awareness from a significant percentage of end-users.

And while the country is not more of a target than anywhere else in the world, this lack of awareness is seen to make citizens easy pickings. That is not to say attacks could not come from inside Africa. The rise in hacktivism sees countries and organisations being targeted for their socio-economic and political viewpoints. When the government takes a position on something that raises the ire of other African countries, hacktivists there could target not only the public sector but the private sector as well.

Interestingly enough, most of the attacks on companies seem to be happening through social engineering on employees. This is where the greatest risk is for South Africa. The high proportion of an ill-informed user base that is linked to global networks could see us being used as a hop for attacks on other countries or companies.

This is why it is essential to work with a security consultancy that not only understands the local nuances but has a global network it can rely on to implement best practice irrespective of where the client is based. To this end, leading analyst firm Kennedy Consulting Research & Advisory has named professional services firm Deloitte as a global leader in cyber security consulting. The firm identified Deloitte as the provider with the most comprehensive competency strengths across the cyber spectrum.

"Deloitte is able to speak intelligently to all levels about cyber security consulting, enabling it to meet demand in cyber security consulting from all angles," writes Kennedy Consulting in its findings.

The ability of Deloitte to collaborate globally using one approach and model set it apart from other consultancies. It has made specific cyber security investments not only by establishing secure operations centres (SOCs) but also in establishing relationships with vendors. The SOCs are able to monitor cyber security threats, provide an early warning system, and give decision-makers insight into their specific environments. By being able to track real-time information monitoring through continuously taking threat feeds from disparate sources such as firewalls and other entry points, the SOC can turn that into meaningful data, empowering the decision-maker with the information required to more effectively manage security.

Deloitte also specialises in cyber forensics to enable companies to find the root cause of the attack and give them the evidence they require should they need to prosecute. It is important to remember that these attacks are not just about financial gain. Often it is the intellectual property of organisations that are most at risk.

The silent attacks are the ones companies should be the most concerned about. Just because you cannot see them does not mean you have not been attacked. Often, breaches occur and it might take months or even years to notice them. By then, the attackers would have enough information to be able to close down the organisation.

There is no quick fix or completely safe approach when it comes to cyber security. Companies will get attacked and they will get compromised. It is how they respond to those attacks that will set them apart.


Deloitte refers to one or more of Deloitte Touche Tohmatsu, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.

"Deloitte" is the brand under which tens of thousands of dedicated professionals in independent firms throughout the world collaborate to provide audit, consulting, financial advisory, risk management and tax services to selected clients. These firms are members of Deloitte Touche Tohmatsu (DTTL), a UK private company limited by guarantee. Each member firm provides services in a particular geographic area and is subject to the laws and professional regulations of the particular country or countries in which it operates. DTTL does not itself provide services to clients. DTTL and each DTTL member firm are separate and distinct legal entities, which cannot obligate each other. DTTL and each DTTL member firm are liable only for their own acts or omissions and not those of each other. Each DTTL member firm is structured differently in accordance with national laws, regulations, customary practice and other factors, and may secure the provision of professional services in its territory through subsidiaries, affiliates and/or other entities.

Editorial contacts
Magna Carta Public Relations Kerri Lurie (+27) 11 784 2598
Kerry Naidoo (+27) 11 209 8630
Deloitte Paul Orffer (+27) 82 4114839
See also