In today's modern digital world, cyber crime is growing rapidly and the cyber criminals always appear to be a step ahead. While there's plenty of good technology out there that can help protect the organisation's data against attack, you also need to create awareness among your staff around cyber crime if you want to have a fail-safe solution. That's according to Gerrit Deyzel, ICT Manager at Sebata Municipal Solutions.
This is particularly true for the public sector. "Municipalities are entrusted with citizens' personal information, and, with the Protection of Personal Information Act (POPIA) due to come into force by the end of 2018, the organisation needs to change the way it thinks about data security and data protection. There's a need to educate staff members around the importance of ensuring that the data at their disposal is not exploited, or ‘hijacked', but handled with the strictest confidentiality."
Deyzel says having the proper technology safeguards in place are a first step, but aren't sufficient protection on their own. "Despite 2017 being marred by devastating global ransomware attacks, the security solutions that we've implemented for most clients have held fast. This is testimony to the importance of educating staff about cyber attacks, and not just relying on technology, even if it does have state-of-the-art security, to defend the organisation.
"Creating awareness among management, teams and staff members is primary, as is adopting a proactive mindset. They need to understand what cyber crime is; that they mustn't open attachments; which e-mails are okay to open; what ransomware attacks are; and how they work. If the end-user is educated around cyber crime, you've won 70% of the battle against it."
Awareness campaigns can take the form of workshops, mailers, posters in public spaces within the business. They need to be accompanied by regular security assessments to identify where breaches could occur.
Deyzel says: "An organisation is often quick to blame its technology supplier if there's a cyber attack; they don't realise it's actually caused by user behaviour within the organisation."
Deyzel advises that different divisions get together and have discussions around ransomware and explain how it works and how to avoid it. He says: "Users need to know what to look out for in e-mails, such as spelling errors or slightly different e-mail addresses, or no signature at the bottom. These are just a few small things that can be used to identify a suspicious e-mail. Although, this is just one of the attack methods used by cyber criminals."
Something that compounds the issue is people who work from home or who use USB sticks to copy items to and from their computers; they could just as easily be transferring a virus or other malware at the same time.
Backup your data
Having a decent backup solution is extremely important, he continues. "Ransomware is becoming so advanced that it's outpacing the patches being issued, so without a backup, there's an excellent chance that you could lose all of your business data."
Cyber crime's biggest risk and cost comes from the loss of business continuity. Ransomware is one of the most common forms of cyber attack at the moment, and if an organisation's data is being held ransom, service delivery will be impacted. Much of the time the organisation is required to pay a ransom to get its data back, but there are no guarantees this will happen. From a business continuity point of view, there's no difference between the theft of company devices that contain data, or the organisation's data being locked down by ransomware. It's the same end result.
Deyzel says: "The best line of defence is to have a backup solution that is able to get the organisation up and running again."
The backup solution must encrypt the data, a copy should be kept offsite and the backup must be kept separate from the original data, he says. It's also important to regularly test backups. "You need to ask yourself, how quickly can you restore your data and how current is the data stored in your backup? POPIA is going to play a big role here, as the regulator won't accept poor backup policies as an excuse for data loss."
Incident response plan
The organisation needs to be able to respond to and report on security breaches swiftly and effectively. Again, POPIA has a role to play here, as it requires organisations to do this. "There are three steps that any organisation should follow in the event of a data breach," says Deyzel.
"Firstly, you need to be able to respond quickly and report equally quickly on what happened. Then you need to get your environment up and running as quickly as possible. Finally, you need to make sure that a breach like that won't happen again."
All of the above steps must be covered in the organisation's incident response plan. He adds: "Once POPIA comes into force, there may be legal implications if you're unable to report on how the breach happened."
It's also important to defend the organisation against deliberate, internal breaches by ensuring each person only has access to the data that is relevant to their role within the organisation. Data should be siloed and protected by passwords and other security measures to keep it secure. This is a topic that should also be raised in the awareness campaigns, says Deyzel.
An organisation needs to carry out security assessments to determine what data its users need to access in order to perform their specific function in the business. The rest of the organisation's data should be off limits. By limiting access to data and systems, you reduce the likelihood of your data being breached. You also need to ensure that people who leave the organisation have their access revoked.
Less data, fewer problems
Finally, the organisation must only use the quantity of data that's required for a defined purpose and use an archiving solution to store old or unused data. This will result in the organisation having less data on the active system to backup and recover, should a breach occur.
POPIA says only the minimum amount of personal information should be collected or processed.
If you aren't using the data, store it somewhere and keep it safe.