Working towards effective cyber-security
By Tiaan van Schalkwyk
Senior Manager: Risk Advisory
Johannesburg, August 2013 - Globally, cyber-security threats have been receiving significant attention. With the world being as connected as it is, companies and individuals cannot afford to drop their guard when it comes to protecting their information. In my experience some worrying attack trends and security issues are cropping up in Africa. This article will examine the more prominent ones.
Spear phishing attacks are on the increase. Designed to collect information from organisations and individuals, spear phishing could be used as a platform for further attacks. A recent example is that of individuals receiving phone calls at home from people claiming to represent a world-leading software company wanting to help them fix their computers. These fraudsters then proceed to give step-by-step instructions for installing legitimate software for malicious purposes.
Today, people opt for email or social networking as their preferred means of engaging with friends, colleagues, clients, and customers - often readily sharing all types of information. But when it comes to communicating face-to-face, a person becomes more reserved.
Companies need to be aware that they can have adequate physical security measures in place but it means very little if their online data is not protected. They also need to educate employees about the importance of cyber-security and personal information protection. Security needs to be made personal.
For example, staff who write down their passwords need to be reminded that those are often the same ones they use for online banking, social networking profiles, and cloud services (such as mobile device backup). This means that they not only inadvertently put their employer at risk but also their personal information.
Another avenue for attack is through mobile devices. South African organisations are increasingly embracing the concept of Bring Your Own Device (BYOD) that sees employees using their own devices for business purposes. There are a number of valid business benefits for BYOD, for example increased workforce mobility and more flexible working arrangements. While the easy answer from a security perspective would be to disallow non-corporate mobile devices, for some the business benefits are seen to outweigh the risks.
South Africa is also being used as the base for cyber-attacks into the rest of the continent. There has been a significant increase in international bandwidth due to the arrival of undersea cables such as SEACOM, WACS (West Africa Cable System), and EASSy (Eastern Africa Submarine Cable System). This is not only providing malicious users with better connectivity but also the ability to use a number of different systems should one cable network be compromised.
Organised crime, hacktivists, saboteurs, and other malicious users see multi-national organisations as attractive targets for attacks. These companies use distributed networks and might be more vulnerable in some territories where local offices are allowed to be autonomous and less secure than the head office. All an attacker needs is to gain access to or compromise the weakest point. Undetected access can put the attacker in a position to monitor and gain more information about the organisation and prepare for further attacks.
So what are organisations to do? Limited budgets are often cited as the reason for not having adequate security solutions in place. Yet, security is not necessarily a technology problem but rather one of not prioritising correctly based on risk (potential business impact and vulnerability). Companies need to understand that people and processes could potentially be an effective countermeasure.
Recently, Gartner has ranked Deloitte number one globally in security consulting based on revenue. This is the result of Deloitte placing a deliberate focus on security. By combining its worldwide best practice experience with local knowledge, Deloitte is able to look at security from both a technological perspective as well as a process-driven one. Many countries have a lack of cyber-security specific skills but Deloitte is able to get experts from any of its international offices and combine that with its local knowledge. Ultimately, security is a critical area to ensure the longevity of any organisation. Can you really afford not to take it seriously?