A strong security culture is vital

It is crucial for an organization to inculcate a culture of security within the business, one that incorporates education, training and a layered approach to defence.

Johannesburg, 05 Nov 2019
Read time 3min 50sec

With Cyber Awareness Month having just come to an end, it’s worth noting that despite the drive to make people more aware of cyber security issues, there have been several notable incidents lately. This points to a major lack of commitment from companies around educating their employees on the many dangers out there, most specifically around e-mails, spam and scams.


While it is true that many organizations do facilitate training and awareness campaigns, many still do not. This is despite the many innocuous ways that security can be inadvertently breached by employees, such as accidentally copying the wrong people in a confidential mail.

According to Hilton Ashford, a security consultant at BUI, security becomes even trickier in tough economic times like those at present. He explains that most people are desperate for business, meaning they may ignore certain alarm bells that would otherwise raise flags. In such a situation, we find common sense often falls by the wayside, even though it is common sense not to trust anyone or any communication from them unless you are certain as to who they are.

“There are many ways companies can inculcate a stronger security culture in an organization, starting with education around the many ways cyber criminals try to manipulate you into clicking on links. Social engineering is another method, where targeted phishing campaigns are used on employees to see if they can be manipulated into giving up confidential information,” he says.

“What is important is to bear in mind that training and education around this subject has to be continuous. Remember that the bad guys are becoming cleverer all the time, and are consistently making their mails and their approaches more realistic. Thus, ongoing education around this is absolutely vital.”

Ashford uses a simple example to explain why employees should always be suspicious of mails from people they don’t know: “If you think about it, you wouldn’t let some stranger in the street take a photo of your ID book, would you, as such an incident would appear super-suspicious. So why would you more easily believe someone online who you have never seen or met?”

He adds that while the responsibility for security ultimately falls on the individual, enterprises also have an obligation to protect users at the most basic levels. This means implementing spam filtering solutions and intelligent scanning engines to help search out malicious content.

The problem, continues Ashford, is that many businesses fail to invest enough in their cyber security defenses until they suffer an incident, by which time it is too late. Furthermore, security is often an additional job given to system administrators, and anyone trying to juggle multiple roles is bound to make mistakes.

“This is why we feel it is always better to utilise an expert third party to keep an eye on your systems, analyse the numbers and reduce the ‘noise’ around cyber-security. The right partner can supplement this with a security operations center (SOC) that is just another part of the toolkit, supplementing the training and education.”

“When it comes to security, a successful defense will be one which is layered. In other words, just as in the Dark Ages, where a castle was protected by a moat, a drawbridge, a portcullis and large pots of boiling oil, so today’s organization needs – among other things – firewalls, anti-virus, strong education and training and access to an SOC.”

The most critical reason for bringing in a third party security company, suggests Ashford, is because it prevents the situation where the business is essentially ‘marking its own homework’.

“By handing your security to third party, there are always neutral eyes on the situation, ensuring that the business gains a different perspective on their issues, while also obtaining additional threat intelligence to enrich that perspective. At the end of the day, it is crucial to know your risk exposure, to understand your security and threat landscape and to ensure the continuous education of your staff. Having a third-party security provider on the case is probably the most effective way to achieve this,” he concludes.