To comprehend the last month's cybersecurity theme of "See Yourself in Cyber", we need to understand that it all starts with you.
By Antony Russell, CTO at Telviva
It's important that I start with an analogy about our own homes. Imagine for a second that you have spent a great deal of time and money securing your house, with a good perimeter fence, security gates, a solid front door, burglar bars, beams and heat sensors, and everything else you can imagine. What good would this do if a criminal, posing as someone trustworthy, tricked a family member into granting them access into the house? What good would any of that do if a criminal had a set of keys and the means to disable or bypass your security measures?
In other words, if the criminal were able to do this, it would mean that he or she simply let themselves in and helped themselves to whatever they wanted.
This concept represents a serious threat to organisations. While they have spent time and money fortifying the front door, criminals are peering through windows and hanging around the back door and getting to know your friends and family members. For all the technology in the world, your employees present criminals with easier opportunities to breach your systems.
And so, if one looks at the official themes of cybersecurity month, it is about seeing yourself in cybersecurity. In other words, there is a focus on people, which is the correct way of looking at security. A vulnerable employee is just one click away from unlocking the virtual door to your business.
Before we look at how businesses in South Africa should consider approaching their cybersecurity strategies, it is handy to review four laws, if you will, that the 2022 cybersecurity awareness month asks of users.
- Think before you click: Security is a process not a destination. It is futile to do a quick awareness course for employees and forget about it. Short, ongoing videos and reminders go a long way towards instilling a culture of thinking before you click.
- Update your software: This is a priority. All patches and upgrades should be up to date. Developers and service providers are constantly finding bugs and weaknesses and working on them – there is no need to keep yourself vulnerable instead of enjoying increased protection afforded by the latest upgrades.
- Use strong passwords: Take a moment and think about your passwords. Too many people have passwords that are repeated across sites and applications, and too many people think they can get away with weak passwords.
- Enable multi-factor authentication: Those of us who use smartphones, which is most probably everyone reading this, should be aware of multi-factor authentication, and how we make use of this when using our smartphones to access important apps, such as our online banking profiles. It is important that this is carried over to all profiles and not just reserved for banking.
How businesses in South Africa should consider approaching cybersecurity
Multi-layered security: On a piece of paper, draw a little image that would represent the core of your business and crucial systems that need to be protected. Then, draw rings around it, a few centimetres apart. These rings represent a multi-layered security strategy and the ring fencing and segregation of systems. Other non-negotiables include properly maintained firewalls, antivirus and other filtering and monitoring software.
Educate users: Equally as important in the non-negotiables list for businesses is ongoing and proactive employee awareness and education. Invest and look after your employees in terms of their personal security skills as it will benefit the business in the long run. Make sure the “four laws” of 2022’s awareness month are ingrained in every user in your organisation and do everything you can to enable them to always think before they click, keep software updated, create strong passwords and use multi-factor authentication.
Surface management: Cloud services that continually scan and test your internet accessible systems can be expensive, as many of them charge per item tested, but they are invaluable. In the spirit of “security is a process”, an ongoing process of testing is unavoidable. Ensure that you have surface monitoring of as many of your potential attack surfaces as possible.
It’s no longer good enough to ask whether someone can access the SMTP or SSH port. Rather, it is about what is sitting behind them and how you manage the potential vulnerabilities in the applications exposed to the internet. Keeping a strong focus on secure code is also a key priority for businesses that produce their own software.
Appreciate the arms race: Appreciate that we are in an arms race. The more sophisticated we become, the more sophisticated the criminals become. Before, it would be enough to tell staff to look at the branding and language used in emails to identify phishing expeditions. Today, these emails can mimic a legitimate entity in all aspects, including the text, and the only way to identify the scams is by hovering over the links to see where they’d take you.
Continuous deployment: Move towards a state of continuous integration and deployment. Rather than deploy a new app every six months, focus on deploying every few weeks with smaller changes and incremental upgrades – this makes it easier to test and fix.
Social engineering and spear phishing: There are a number of emerging threats to be aware of, and you’d hardly be surprised to find out that many of the more dangerous ones are aimed at targeting employees through social engineering. The concept of spear phishing is where criminals take the time to learn about the company and its people and use that to attack. In this case, emails from the “MD” or from a specific employee to payroll to make changes would look far more legitimate. Attacks are becoming a lot more personal and targeted.
Ditch the legacy: It is important, especially for larger organisations to pay attention to their old legacy machines. In many instances, businesses are almost too late to the party and this exponentially increases security threats in a modern work environment.
Hybrid working and managing user devices: Many organisations allow hybrid and remote working. Every device is an additional attack point for criminals, and frankly, it is difficult to control any device that leaves your site. In some instances, organisations instil such rigid security measures that users can’t instal anything, requiring an IT person to do it manually. This obviously causes backlogs and difficulties in a hybrid work environment. This is where businesses would do well to work closely with advisers on the best practice to balance a good user experience with security.
Ongoing awareness: Ultimately, a business is responsible for its own security. While software-as-a-service providers in the cloud take care of their own security, a business cannot, and must not shirk its own responsibility to implement a multi-layered security approach to protect every layer of its systems. At the same time, employee awareness and engagement are non-negotiable and need to continue for 12 months in a year, not just every October.