Cyber security affects every aspect of business – not just IT
Johannesburg, 6 November 2013: One of the last remaining means to combat the growing scourge of cyber-crime is for companies to implement an education programme of cyber-crime awareness among all staff, and establish an immediate response capability.
This was one of the findings of a discussion panel at the annual meeting of the Black Management Forum (BMF) held at Gallagher Estate recently. Professional services firm Deloitte was selected by BMF to be its thought leadership partner for the first full day of the conference.
The panel discussion was moderated by Deloitte Risk Advisory Senior Manager Tiaan van Schalkwyk, with additional speakers Deloitte Risk Advisory Manager Brandon Naicker, Paul Orffer, Cailan Sacks and Emmanuel Adigun.
There is a growing global regulatory regime, with South Africa closely following suit, to combat cyber-crime, identity theft and terrorism. Van Schalkwyk pointed out that, with 64% of local business people surveyed rating the probability of their businesses becoming victims of cyber-crime over the coming year as ‘high’, such legislation is toothless as a preventative tool unless it is matched by education among staff and urgent action by the private and public sectors.
“Cyber-criminals devote months and considerable resources to researching a potential corporate mark, and without awareness and the implementation of preventative measures it is very difficult to detect, respond to and stop a coordinated and sophisticated attack,” said Van Schalkwyk. It may be as simple as one employee of the target company being handed a USB device loaded with malware and plugging it into his or her computer: such malware can quietly establish a foothold across the corporate network, exploiting weak passwords and gaps in internal encryption.
The Deloitte team demonstrated how malware that is commercially available on the internet, or written by cyber-criminals themselves, can bypass a number of security mechanisms on a computer, enabling an attacker to capture even a photograph of the user through the laptop’s web camera. In the same way, the attacker could also record audio using the built-in microphone.
The many layers of protection companies install seldom work on their own because each one reacts to malware that has already been seen. “You’re always playing catch-up. Awareness and prevention are the only solution – educate all staff not to click on links to internet sites they don’t know, not to plug in foreign devices and not to open emails they don’t recognise. More importantly, if staff members have done any of these, educate them that instead of trying to hide the fact they should immediately inform the IT department or the Information Security Department.
“The same rules apply to personal devices – and don’t download randomly off the internet. According to a survey, 90% of employees say they access company resources through their personal devices,” says Van Schalkwyk. How much a single stolen credential is worth is shown by the fact that more than two-thirds of people say they reuse the same password across multiple services. Once an attacker obtains one password – such as one exposed in the LinkedIn breach of 2012 – the same password can simply be tried against your accounts on other sites.
“Often such malware does not steal your own money as that is easily traceable, but more cleverly links to your Facebook ‘friends’ who are more ready to click on a link thinking it is you, only to have their personal banking details stolen,” said Van Schalkwyk. Furthermore, a trade has developed in selling personal details to other criminals.
Naicker advised that the increasing sophistication of cyber-criminals meant that companies needed ‘pre-emptive intelligent security’ measures to address such dynamic, targeted external threats.
“These attacks are prevalent because attackers have low barriers to entry, low risk – because such attacks can emanate from Russia or China – and the potential for significant success rates,” he explained.
“For the corporate victim, previous attacks have demonstrated that the risks are multifaceted – quite apart from financial loss, there is damage to reputation and share price,” said Naicker.
Deloitte uses Business Intelligence software to offer an integrated threat management programme which commences with penetration testing, vulnerability management, cyber security education and insider threat detection.
“Primarily, one would want to prevent an incident from ever happening. We educate staff on what to do when they receive a suspicious email or USB device. It starts with educating the board of directors as to their responsibility and implementing company policies.
“The challenge is that many executives fail to see the value such programmes bring – because it is difficult to quantify avoided incidents. Furthermore, cyber-crime can never be completely prevented. It can only be measured in terms of the security meeting the expectations of the business. What is driving many boards to introduce anti-cybercrime programmes is that they are becoming more cognisant that breaches of privacy legislation carry criminal penalties for officers and directors,” said Naicker.
A particular vulnerability among many companies is the number of their staff carrying mobile devices with Wi-Fi left permanently on. It was demonstrated that this enables a profile of the individual to be built up, because the device broadcasts probe requests naming the networks it has previously joined. This not only leaks the names of the Wi-Fi networks you have connected to; those names can often be resolved to a physical location, and the hardware address the device transmits reveals its make and manufacturer.
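As an added illustration of the profiling described above (this is example code, not the Deloitte demonstration or anything from the article), the following Python script parses 802.11 probe-request frames, extracts the transmitting MAC and the probed SSID from each, and aggregates them into one record per device. All frames are constructed inline by `build_probe_request()` rather than captured, the MACs and SSIDs are made up, and the OUI-to-vendor table is a small illustrative subset (an assumption; a real tool would query the IEEE OUI registry). The parser also checks the locally-administered bit, since a randomised MAC carries no vendor information.

```python
"""Profile Wi-Fi devices from the probe requests they broadcast.

Added example (not from the article or the Deloitte demonstration).
All frames are constructed inline with build_probe_request(); in practice
they would come from a capture on a monitor-mode interface.
"""
import struct
from collections import defaultdict

# Illustrative OUI -> vendor table (assumption: a hand-picked subset;
# real lookups should use the IEEE OUI registry).
OUI_VENDORS = {
    "00:1b:63": "Apple",
    "f8:a9:d0": "LG Electronics",
}

PROBE_REQUEST = (0, 4)  # 802.11 type = management, subtype = probe request


def build_probe_request(src_mac, ssid, seq=0):
    """Build a minimal probe-request frame (constructed test input, not a capture)."""
    frame_control = b"\x40\x00"              # type 0, subtype 4, no flags
    duration = b"\x00\x00"
    broadcast = b"\xff" * 6
    src = bytes.fromhex(src_mac.replace(":", ""))
    seq_ctrl = struct.pack("<H", seq << 4)   # fragment 0, sequence number in upper 12 bits
    ssid_bytes = ssid.encode("utf-8")
    body = bytes([0, len(ssid_bytes)]) + ssid_bytes           # tag 0: SSID (empty = wildcard)
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])             # tag 1: supported rates
    return frame_control + duration + broadcast + src + broadcast + seq_ctrl + body


def parse_probe_request(frame):
    """Return (source MAC, SSID) for a probe request, None for any other frame."""
    if len(frame) < 24:                      # shorter than a management header
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if (ftype, subtype) != PROBE_REQUEST:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2 = transmitter
    body, i, ssid = frame[24:], 0, ""
    while i + 2 <= len(body):                # walk the tagged parameters
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:              # truncated element: stop, don't misparse
            break
        if tag == 0:
            ssid = value.decode("utf-8", errors="replace")
            break
        i += 2 + length
    return src, ssid


def profile_devices(frames):
    """Aggregate probe requests into one record per transmitting MAC."""
    profiles = defaultdict(lambda: {"vendor": "unknown", "randomized": False, "ssids": []})
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        src, ssid = parsed
        record = profiles[src]
        # Locally-administered bit set => the MAC is randomised, so the OUI says nothing.
        record["randomized"] = bool(int(src[:2], 16) & 0x02)
        if not record["randomized"]:
            record["vendor"] = OUI_VENDORS.get(src[:8], "unknown")
        if ssid and ssid not in record["ssids"]:   # skip wildcard (empty) probes
            record["ssids"].append(ssid)
    return dict(profiles)


# Constructed sample traffic: SSIDs and MACs are made up for the example.
SAMPLE_FRAMES = [
    build_probe_request("00:1b:63:aa:bb:cc", "HomeNet-Sandton", 1),
    build_probe_request("00:1b:63:aa:bb:cc", "Deloitte-Guest", 2),
    build_probe_request("00:1b:63:aa:bb:cc", "", 3),                # wildcard probe
    build_probe_request("f8:a9:d0:11:22:33", "CoffeeShop_Free", 1),
    build_probe_request("da:a1:19:44:55:66", "Airport-WiFi", 1),    # randomised MAC
    b"\x80\x00" + b"\x00" * 22,                                     # beacon: ignored
]

if __name__ == "__main__":
    for mac, record in profile_devices(SAMPLE_FRAMES).items():
        print(mac, record)
```

Two caveats for anyone trying this against live traffic: capturing the frames requires a wireless interface in monitor mode and the legal right to monitor that airspace, and the technique yields far less today than it did in 2013, since current mobile operating systems randomise the MAC used in probe requests and largely stop probing for saved networks by name, which is exactly the case the `randomized` check flags.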
“The danger of connecting to public Wi-Fi is that you do not have control over it. Your device may think it is connecting to a legitimate site, but the public Wi-Fi hotspot may just be launching a man-in-the-middle attack against you, stealing your personal information. Eavesdroppers on the same connection may also be able to snoop your private information, as many connections are unencrypted, or contain enough meta-data to be able to profile your recent activities,” concludes Naicker.