Most South African company directors incorrectly fear the regulatory backlash of cyber attacks as POPI, the Protection of Personal Information, and the Payment Card Industry Data Security Standard (PCI-DSS) come on stream. Instead, they face a much more significant challenge in the reputational damage they’ll suffer, considering most businesses take about 10 months to go from a breach to successful resolution, cautions Rudolph van Rooyen, pre-sales security consultant at Axiz’s Advanced Technologies division.
In fact, says van Rooyen, most companies aren’t even aware that they’ve been breached for up to the first 200 days. Even when they do discover the attack, there’s often little they can do about it.
“They just don’t have the skills,” he says, “so it’s taking them 70 to 80 days to coordinate their response. By then it’s too late. Forget the R10 million fine everyone’s afraid of from POPI – in those 70 to 80 days, or worse, the 200 days prior when they’re still unaware, their reputations could be destroyed and their businesses along with it.”
They need to put the security fundamentals in place before it’s too late, and have some means of ensuring they function as intended, he adds.
Cybersecurity is highly complex in an era dominated by rampant digital disruption, rapidly advancing technologies, ubiquitous connectivity, billions of Internet of Things (IoT) devices, connected utilities and manufacturing concerns with their lines of equipment, and billions more mobile devices. Multi-layered crime syndicates and nation-state actors exacerbate the complexities.
“The sophistication of the cybercrime world today means you absolutely must layer security as a bare minimum,” says van Rooyen. “Firewalls, gateway defences, and anti-virus by themselves no longer cut the mustard. You need perimeter defences, you need endpoint security, and you need intelligence to ascertain what the threat vectors are and cope with advanced attacks that haven’t even been catered for yet. And you absolutely have to minimise human interventions. People are still the weakest link when it comes to cyber security.”
By now most South African businesspeople have heard of the data breach that revealed the personal information of more than 75 million South Africans.
“It wasn’t a hack,” says van Rooyen. “They didn’t need to hack it because the security on the Web server was so lax they could just download the 30Gb database file. And the company, which is in real estate, didn’t even know they’d lost it. An Australian security researcher found the information being passed between hackers – at least seven months after it was first downloaded. The administrator had used the same username and password – which was accidentally leaked – throughout the entire system. He hadn’t secured the username and password properly and he hadn’t even bothered to change it between systems. That’s sloppy and demonstrates the weakness of humans in the system. Once they knew the system was compromised it was quick to secure. But it took an Australian to warn them. More than seven months later.”
Van Rooyen says the layered security approach minimises the risks for enterprises. The first task is to assess the scope of risk. Organisations must know where they are exposed.
“Mobile devices, networks, and the cloud are everywhere,” says van Rooyen. “Companies can unwittingly lose IP inadvertently stored in a service like Dropbox. Or an employee could pick up ransomware when they use an unsecured WiFi network in a hotel abroad without adequate security on their device. Or trojans can infiltrate via partner portals that allow uploads.”
Automated deployments and monitoring limit human interventions and ensure consistency of service. Health checks give assurance that post-implementation changes do not inadvertently expose businesses or create opportunities for hackers to exploit. This also keeps an eye on the remaining top threat: social engineering, these days usually delivered via e-mails that get people to click an attachment or link.
“The hackers like zip files at the moment,” says van Rooyen.
Robust policy with intelligent software can protect businesses from malware, ransomware and other advanced threat vectors.
Database activity monitoring is also crucial, and would have saved the estate agent that exposed the personal information of 75 million South Africans. It analyses the vulnerabilities in the database, highlighting, for example, where an administrator may not have followed best practice. As another example, it can show where there are weak passwords so that they can be strengthened against brute-force attacks. It can also protect against SQL injection, another common attack method.
“Data loss prevention (DLP) is a major issue,” says van Rooyen. “Many organisations aren’t even sure where all of their data sits. It’s not surprising since cloud technologies and thumb drives have really made this a headache for IT departments. But the security solutions automatically discover where the data sits and can be used to identify mission-critical and all other data classifications. Then we can establish the right policies with the data types, establish permissions, and control the ebb and flow of data throughout on-premise and off-premise networks and storage.”
“That layered approach gives businesses a rock solid foundation that sets the baseline for their modern security needs,” he says. “It’s already more advanced than what most businesses actually have today. So putting that foundation in place also makes it easier for hackers to try to hack someone else’s systems.”
“And stopping intrusions in the first place – or rapidly alerting you to their occurrence while also giving you the tools to do something about them should they be attempted – means you can provide the ounce of prevention that’s worth more than a pound of reputational cure.”