Securing the “crown jewels” in a decentralised, hybrid, and remote environment is at the top of CIOs’ minds.
Sasfin Bank CIO Josh Souchon and Adcorp Group CTO Unathi Thosago discussed innovative ways to maintain security during a panel discussion at CIO Day 2024.
“When it comes to security, don’t trust anybody. Take your perimeter, shrink it down to what we call our crown jewels, which for us is client data and transactional data, and put everybody on the outside,” said Josh when asked about the lessons he’s learned on security in a hybrid working environment.
While most people enjoy the freedom of working outside the confines of their offices, tech leaders have had to remain ahead of cyber-criminals who continue to find innovative ways to infiltrate their organisations.
They continue to strengthen a chain that secures both the organisation and its clients from cyber attacks including phishing, password attacks and malware.
Unathi said, “The chain is only as strong as its weakest link, and employees form a vital part of that chain.
“Your weakest link tends to be the employee or users because they are the ones that are in the front line, they are the ones who are getting attacked – who are getting phished,” she said.
She said cybersecurity training needs to be continuous and painless for employees. “You have to make your cybersecurity and awareness training part and parcel of how your users and the employees think about work in the environment,” she said.
At Adcorp, Unathi said, they introduced a weekly training session that takes little time and offers incentives. Staff members complete a one-minute training module followed by a 30-second multiple-choice game on cybersecurity.
“It doesn’t have to be anything that expensive, but it’s just to make sure that we grow attention to awareness training as well as cyber when it comes to the Adcorp environment,” she added.
Josh agreed, noting how his organisation demonstrated the importance of training during a phishing simulation. “People who fell for the phishing simulation had not done their training. They are five times more risky than people who had done their training,” said Josh.
Using VPN and geo-blocking to protect the crown jewels
When Sasfin introduced its cloud-first strategy in 2017, it established a hybrid working environment, which left it better prepared than most organisations when the COVID-19 lockdown forced remote work in 2020.
“We had this traditional mindset that said that when you are in the building, you are part of a secure perimeter and when you are external to the building, you are unsecured. So we had software for people to dive in and assess the environment,” he remembers.
When remote work became compulsory during lockdown, Sasfin turned to VPNs to ensure a secure working environment. They also moved all staff members who worked on PCs to laptops.
“Literally from that point onwards, we said everybody must connect via VPN. VPN brings you into the environment and accesses the data. The cloud services come in via the same VPN technology in a secure environment. So you can’t enter the environment without coming through the secure tunnel with all the other layers of security,” he said. Routing every connection through the VPN meant the same layers of protection applied consistently to every endpoint, whether in the office or at home.
“That was one of my proudest moments,” said Josh on the successful migration to a remote working environment during lockdown.
As expected in decentralised and remote work, Josh said they had to block access from all countries outside South Africa into their cyber environment. “On the geo-blocking, what we found, and it continues to be the state, we get attacked on a continuous basis from certain geographies,” he said.
“So because of our revered technology and our security model, we are able to say, ‘We will block all geographies outside of South Africa except for when you are travelling,’” he said. When travelling, executives have to request time-based access from particular countries into their environment.
“The amount of tags that we got out of North Korea and Russia was profound. We don’t have any staff working there. It was hard when we got a staff member working in an area where we’ve had attacks from,” he said.
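The geo-blocking rule described here, an allow-list of one home country plus per-user, time-boxed travel exceptions, can be expressed as a small policy evaluator. The block below is an added example, not Sasfin’s code or configuration; the IP-to-country table, the user names, the log lines and the 30-day cap on exceptions are all constructed assumptions for illustration.

```python
"""Geo-blocking with time-boxed travel exceptions (illustrative example).

Policy: allow only connections that geolocate to the home country, except
for a named user with an approved travel window for a specific country.
Unknown geolocation and everything else is denied.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Home geography: the only country allowed without an exception (assumed ZA).
HOME_COUNTRIES = frozenset({"ZA"})
# Assumed upper bound on a travel exception; longer trips need re-approval.
MAX_EXCEPTION_DAYS = 30

# Constructed IP-to-country table standing in for a real GeoIP lookup.
GEOIP_TABLE = {
    "196.0.0.10": "ZA",
    "203.0.113.7": "GB",
    "198.51.100.9": "KP",
    "192.0.2.33": "RU",
}


def lookup_country(ip: str) -> Optional[str]:
    """Return the ISO country code for an address, or None if unknown."""
    return GEOIP_TABLE.get(ip)


def exception_window_ok(days: int) -> bool:
    """An exception must be a bounded, positive number of days."""
    return 0 < days <= MAX_EXCEPTION_DAYS


@dataclass(frozen=True)
class TravelException:
    user: str
    country: str
    start: datetime
    end: datetime

    def covers(self, user: str, country: str, at: datetime) -> bool:
        """True only for the named user, the named country and the window."""
        return self.user == user and self.country == country and self.start <= at < self.end


def approve_exception(user: str, country: str, start: datetime, days: int) -> TravelException:
    """Create a travel exception, refusing open-ended or pointless ones."""
    if country in HOME_COUNTRIES:
        raise ValueError("no exception needed for the home country")
    if not exception_window_ok(days):
        raise ValueError(f"exception must be between 1 and {MAX_EXCEPTION_DAYS} days")
    return TravelException(user, country, start, start + timedelta(days=days))


@dataclass(frozen=True)
class Decision:
    user: str
    ip: str
    country: Optional[str]
    allowed: bool
    reason: str


def evaluate(user: str, ip: str, at: datetime, exceptions: Iterable[TravelException]) -> Decision:
    """Apply the geo-blocking policy to one connection attempt."""
    country = lookup_country(ip)
    if country is None:
        return Decision(user, ip, None, False, "unknown geolocation: deny by default")
    if country in HOME_COUNTRIES:
        return Decision(user, ip, country, True, "home country")
    for ex in exceptions:
        if ex.covers(user, country, at):
            return Decision(user, ip, country, True, f"travel exception until {ex.end.isoformat()}")
    return Decision(user, ip, country, False, f"geo-blocked ({country})")


# Constructed sample log lines: "<ISO timestamp> <user> <source ip>".
SAMPLE_LOG = """\
2024-03-04T08:15:00+00:00 alice 196.0.0.10
2024-03-04T09:02:00+00:00 bob 203.0.113.7
2024-03-20T09:02:00+00:00 bob 203.0.113.7
2024-03-04T23:41:00+00:00 alice 198.51.100.9
2024-03-05T02:10:00+00:00 svc-backup 192.0.2.33
2024-03-05T02:12:00+00:00 mallory 10.9.9.9
"""


def evaluate_log(log: str, exceptions: Iterable[TravelException]) -> List[Decision]:
    """Evaluate each log line against the policy and return the decisions."""
    decisions = []
    for line in log.splitlines():
        ts, user, ip = line.split()
        decisions.append(evaluate(user, ip, datetime.fromisoformat(ts), list(exceptions)))
    return decisions


def demo() -> List[Decision]:
    """Bob (assumed user) is approved to work from GB for 14 days from 1 March 2024."""
    bob_trip = approve_exception("bob", "GB", datetime(2024, 3, 1, tzinfo=timezone.utc), days=14)
    return evaluate_log(SAMPLE_LOG, [bob_trip])


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.user, d.ip, d.country, d.reason)
```

Two design points matter in practice. An exception is scoped to one user, one country and a bounded window, so an approved trip to one country never opens the door from another, and it lapses on its own (Bob’s second GB login, after the window, is denied). Unknown geolocation is denied rather than allowed, because an address that a GeoIP database cannot place is exactly the kind an attacker routing through an anonymising service presents. Geo-blocking is a coarse filter: it removes noise from geographies where the organisation has no staff, but an attacker inside the allowed country, or using a local proxy, passes it, so it complements rather than replaces the VPN, MFA and the other layers mentioned above.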
He said organisations need to apply clear security strategies. “It’s really about defining what you need to protect, what we call crown jewels. Set that perimeter very clearly: what comes in, what talks to what. Don’t allow unnecessary connectivity when it’s unrequired. Be very clear with your strategy and think of a completely hybrid environment. So when you are in the office, it still connects you in the same way as at home,” he said.
He said organisations need to continue to advance their security systems as technology evolves.
Our device, my apps
Does geo-blocking mean organisations restrict the use of popular non-South African apps like Netflix, YouTube and Twitter? Participants asked how they could find a happy middle ground between geo-blocking and allowing employees to use personal apps on their work devices.
“If you block certain things, people will find another way to do it,” answered Josh. He said organisations can find ways to allow particular traffic on company laptops, however, they also need to manage the traffic and be clear about what is allowed on company devices.
CIOs continue to face a conundrum on managing employees’ personal devices, including cellphones and tablets, in a bring-your-own-device environment. A debate among CIOs continued on whether they should be focusing on managing devices, personal or not, or if the focus should be on securing data, regardless of where it is accessed from.