Five best practices to help fight cybercrime


A group of IT executives discussed what they had implemented to stave off cyber-attacks at the CIO South Africa Cybersecurity Summit held on 20 February 2024. Here are the real-world practices they have implemented.

The message that came through clearly at the CIO South Africa Cybersecurity Summit was that people are the weakest link.

IT leaders at the summit said staff are the biggest challenge when it comes to trying to limit the effects of cyber-attacks, despite regular training, as they will still open dodgy links in phishing emails. As one participant said: “It’s all about awareness and training staff. People are the first point where breach of data happens.”

One way to counter this is to build in awareness and understanding as part of KPIs, which will influence raises and bonuses. It’s also vital that IT is on top of staff changes such as new hires and resignations so they can remove security access from the system, or add a new employee at the right risk level. “One weak link can affect the entire company,” noted another attendee.

Contact IT

At the same time, people need to understand that they must get hold of IT when something seems suspicious, or communicate with the tech team when things go wrong. “We had a CFO get hold of me when he received a suspicious email – before he clicked on the link. It was great that he reached out,” noted one CIO.

When it comes to staffing, a solution – even for current employees – is to rank them in terms of level of access. Someone working in a warehouse is not likely to be tech-savvy and therefore doesn’t need email, which is still one of the biggest risks for cyber-attacks.

Lock it down

Another solution based on ranking staff members, raised by another attendee, is to lock down the desktops of users who only need access to certain programmes and network points and otherwise have a low level of understanding of the cyber space.

“When it comes to those who are more proficient, they can have higher levels of access, such as mobile devices that they can use for work,” said one technologist.

Stolen devices

Laptop theft for the purposes of getting hold of data is not a significant risk in South Africa. “In South Africa, there’s a very small chance that people steal laptops for data. They take them for their value. The question is, how much risk do laptops really have, because people don’t store data on laptops,” noted an IT specialist.

Phishing and other attacks

Although email is a significant area of focus for hackers, most threats come from social engineering, and companies in sectors such as retail see fewer attempts to get into their networks. Those in financial services, however, face a higher level of attack.

According to Fortune Magazine, the financial industry endured the most data breaches in 2023, including a single attack that affected nearly 1,000 institutions.

Another large area of concern is that impersonation is not considered when systems are being configured. One example of this an attendee highlighted was the use of AI to generate a fake video of the CEO. This new tool can easily grab the company head’s voice and image from previous videos and use it to fool employees into doing something that opens a door for criminals.

“Impersonation is not considered when systems are being configured. This is probably one of the biggest threats. We use threat intelligence to fight this and run simulations to see if we can be affected,” noted one CIO.

So, what else can companies do given that staff remain an entry point?

When it comes to implementing defence strategies, backend solutions require proper authentication such as two-factor ID, which is especially important when staff are working from home or travelling. Another important element is to take penetration and vulnerability testing in-house and not just rely on external auditors, although these are also an important part of the process.

“Standard operating practice and worst-case scenario planning are boring, but you must go down to that level.”

This internal testing, says one professional, takes eight hours every week. Yet the company has successfully averted the 400,000 attempts made on its systems every day. A lot of testing can now be automated, which is also a smarter way of looking after the estate.

Moreover, when adding new clients or machines to the network, IT needs to ensure that they are locked up and only have access to those areas of the system that they require. The tech department also needs to make certain that service providers do what they should, and no new vulnerabilities come in.

As attacks are a matter of when, not if, it’s important to collaborate with the right partners and have them on call, according to several of those in the brainstorm session. The weak points aren’t those you don’t even know about, commented one participant.

“It’s a matter of when, not if. You need to have good specialists on call, as partners are key. If you have this sort of ecosystem, you can get through nearly anything.”

Although artificial intelligence can be seen as a threat, it can also be used to see which processes can be breached and impact the brand. Another key aspect is to protect the vital aspects of the business, the “crown jewels” – the most valuable or critical assets – and make these a focus area rather than trying to cover everything and overextending staff.

However, the most important aspect of any cybersecurity plan is how a company responds when, not if, it is breached. The entire company needs to be trained so that staff know how to react when IT is compromised, how to escalate the issue, and to whom. And that comes down to compliance and procedures, which must be planned ahead of time.
