The human factor is cyber security's biggest challenge

Professional cyber criminals don't attack machines, they attack people. So ensuring employees are educated about cyber crime and know what to do if such an attempt is made is a vital part of any security strategy.


Johannesburg, 28 Jan 2019
Ignus de Villiers, divisional manager for cyber-security, StorTech.

When the concept of cyber crime first came to the fore, it was generally considered to be something that was simply the domain of the IT department. It was their responsibility to ensure the relevant firewalls, anti-virus solutions and encryption tools were in place.

This, however, is no longer the case: today's cyber criminals are far more sophisticated, and at the same time the attack surface has grown enormously. Today, suggests Ignus de Villiers, divisional manager for cyber security at StorTech, it is vital for businesses to have a comprehensive, multi-layered, defence-in-depth security strategy. Such a defence still involves ensuring that fundamental controls such as up-to-date firewalls and anti-malware solutions are in place, alongside more specialised controls such as endpoint detection and response (EDR) and multi-factor authentication (MFA).

"However, the biggest difference in cyber security today is the fact that an effective strategy incorporates far more than merely the tools looked after by the IT department. Security is the responsibility of every single employee, as well as those in senior management responsible for implementing governing policies and critical business processes," he says.

"It is vital to have a security framework in place that addresses both the technical and non-technical aspects of security. This means taking into account not only the technologies involved, but also the governing aspects and processes to be followed and, critically, the training around security awareness and security incident response management. Employees across the business need to be taught about security threats and how to respond if there is such an incident."

De Villiers is quick to point out that, regardless of how much of the latest technology a business has installed, or how many layers of security and compliance requirements it has implemented, it needs to be understood that, ultimately, everything at some point ends up in front of a human being. And people being people, he continues, they are prone to making mistakes, such as using easy passwords, leaving logged-in terminals unattended or mistakenly clicking on phishing e-mails.

"It happens all the time, across all organisations and industries, so a critical part of any security framework is admitting this and planning around how to reduce human error, and what to do when it does occur. This goes a long way towards allowing a business to architect a proactive and well-thought-out cyber security policy with supporting incident response processes.

"When it comes to your people, it's important to invest in the training of the cyber security team and to undertake security awareness campaigns around aspects such as phishing, as well as policy and compliance awareness campaigns. Moreover, organisations should place a high priority on such campaigns, as the best technology in the world will still fail if your people fail," he says.

It is always necessary, indicates De Villiers, to support the people aspect by implementing technologies and governing policies that prevent or reduce the impact of these human errors. As an example, a large number of breaches today occur because a user's identity is compromised, typically through a weak, reused or phished password. This is where enforced password policies and MFA can have a significant impact. Another example is the number of data breaches caused by simple mistakes, e.g. a mobile device or removable storage device is lost, or a confidential message is sent to the wrong recipients. This is where data encryption and digital rights management (DRM) come into the picture, because they limit what an unintended holder of the data can actually do with it.

"Having adequate and appropriate processes is also key, and here it is critical to have effective ones in place to deal with any incidents as and when they occur. The last thing a business wants to find out in the middle of a critical security incident is that it doesn't have an incident response playbook to work from, in particular if the staff involved are not trained either.

"It is worth remembering that the most fallible part of your security plan will always be your people. In fact, the US cryptographer, computer security and privacy specialist, Bruce Schneier, is known for stating that 'only amateurs attack machines. Professionals target people.' This clearly serves to illustrate that while an effective security strategy is built on the pillars of people, processes and technology, it is imperative that enterprises acknowledge the critical importance of human behaviour when designing an overarching cyber security strategy," he concludes.
