Awareness training is the most pressing security initiative
More than half of the respondents in a recent online security survey described their company’s security strategy as ‘proactive’ – having purposely implemented solutions that address both internal and external threats.
Furthermore, just over one third (35%) believe their strategy to be ‘mature’, with a well thought-out plan for a layered security strategy. Only 13% report their approach is ‘reactive’, with no overarching security strategy.
This was one of the key findings of the ITWeb/KnowBe4 Cyber Security Survey, which captured input from about 280 security decision makers and professionals, during January 2020. The survey aimed to understand the pain points of those responsible for cyber security in SA, the issues they face and how this compares to other regions.
When it comes to the security culture of their organisation, a third of respondents believe their company's employees have adopted good cyber security behaviour, while 9% reveal there is no real security culture in place.
“Just like technology and processes, people make up an important pillar of good security and governance programmes,” comments Anna Collard, MD of KnowBe4 Africa. “With data being accessed from anywhere and anytime it becomes more difficult for IT teams to centralise controls.”
Cyber criminals find it easier to ‘hack’ the human than trying to break through sophisticated security technology, by using social engineering to manipulate users into participating in their scams, she adds.
“A human-centric approach is needed to secure the environment holistically and the only way to do this effectively is by building security behaviour into the corporate culture.”
Attack methods that are of biggest concern, according to survey respondents, are phishing or spear phishing, ransomware, and data breaches.
“The rise in the sophistication of targeted attacks using automation and deep fake technology will make it very difficult for the average user to easily identify scams,” warns Collard.
“We have seen targeted attacks using a combination of e-mail, social media messages as well as voice-based phishing (vishing). Educating users about these threats and creating a general sense of vigilance to not trust anything you haven’t 100% verified is going to be the new norm.”
The survey respondents indicate they have already taken this advice on board: security awareness training emerged as the most pressing security initiative that is currently being worked on. It is followed by the need to secure the cloud; establish security culture; and step up incident response.
Security awareness done right will embed critical behaviors into the company culture, says Collard.
“Some of these desired behaviors are: being vigilant and not trusting anything that has come in unexpectedly and even verifying seemingly legitimate requests, reporting suspicious requests, applying good password practices and being careful about not sharing too much about the company or about one’s life online. This will make every user an extension of the security team.”
When it comes to user-related concerns, the survey revealed that negligent insiders who fall prey to phishing scams are the biggest worry, closely followed by users sharing passwords.
“Phishing is still the top attack vector of successful breaches, according to Verizon’s data breach report 2019. This means that behind the majority of any successful breaches was someone falling for a phishing attack,” comments Collard.
“From a risk point of view, it makes sense to prioritise this human vulnerability. People using weak passwords across multiple sites or falling for so-called ‘credential harvesting’ attacks was the second most reported vector. Both of these are practices or behavior that can be improved upon with effective training and awareness programmes.”
The top three cyber security issues that executives are concerned about are business disruption (27%), operational downtime (25%), and the prospect of a significant data breach (23%).
Indeed, the lack of security specialists tops the list of general concerns reported in this survey. Other big worries are inadequate budgets for security spend and the weakening SA economy. How can these be addressed?
“Some larger organisations such as Standard Bank and Absa are tackling the issue head-on by creating security academies and upskilling internal staff as well as the youth in cybersecurity,” says Collard.
“Hiring for attitude rather than experience is another tactic as well as allowing staff to pursue self-learning and online certifications to upskill themselves. Industry groups foster knowledge sharing and even support during incidents, but more should be done by government and businesses alike to address the skill shortage,” she concludes.
About the survey
The ITWeb/KnowBe4 Cyber Security Survey was conducted during January 2020 and was completed by 282 respondents. Over 60% of those are decision-makers – 21% are C-level executives, while a further 40% are at mid-management level.
While 41% work in ICT, the remaining 59% hail from a wide range of industry sectors; 43% come from very large companies, with over 1 000 employees, while close to 40% work in the SME sector.