Two significant events happened recently. One positive, the other, cripplingly negative.
First the good: The International Labour Organization recently recognised cybersecurity as part of World Day for Safety and Health at Work, as being hacked does not just put a company’s assets or reputation at risk, but can also affect its people’s health.
Now, for the bad and ugly: The recent cyber devastation that made companies worldwide weep: the WannaCry ransomware, which in mid-May crippled computers in at least 150 countries. According to cyber risk modeling firm Cyence, the attack caused an approximate loss of R52 billion in revenue. Other groups are estimating the losses to be a great deal higher.
“In a time of changing and ever-present cyber attacks, it’s crucial for every business to know where its risks lie. If you’re an IT security professional, you need to understand your potential cyber enemy and the current threat landscape so you can anticipate risk, determine your likelihood of being hacked, and the resulting impact when (not if) it happens,” states cloud and security solution specialist F5 in its ‘Demystifying the threat landscape’ white paper.
According to internetlivestats.com, around 40 percent of the world population has an Internet connection today. In 1995, it was less than one percent. The number of Internet users increased tenfold from 1999 to 2013: the first billion was reached in 2005, the second billion in 2010, and the third billion in 2014.
With the rise of the Internet and connectivity, attacks on applications have also become ever more complex, forcing organisations to transform the traditional security perimeter to include the new everyday reality of users accessing applications from anywhere, at any time, and from any device.
F5 in its 2017 ‘The State of Application Delivery Report’ notes, “there’s a focus on a holistic approach to application security that protects the app from DDoS and DNS attacks and defends the company from fraud, as well as mitigates traditional application security flaws.”
The report surveyed participants about their strategies to defeat emerging threats, secure their applications, and protect their data – and found that the top five security challenges are attack sophistication (50 percent), employees (44 percent), lack of skills (34 percent), mobile app security (32 percent) and complexity of solutions (30 percent).
Worth mentioning is that the survey revealed increases in preferences for managed/as-a-service offerings with respect to security (DDoS, WAF, and so on), “which likely arise as a result of organisations’ inability to find staff to address security struggles.” Previous challenges, however, saw reductions in the survey, including budgetary concerns, which dropped from 41 percent in 2016 to 30 percent in 2017.
“We suspect that this is due to security budgets rising across industries as the importance of securing data and applications becomes more critical to the success of the business,” highlights the report. “Attacks continue to grow in sophistication and size, but organisations are also evolving their strategies to address the security of their applications. With security budgets rising in the wake of public attacks, DDoS mitigation solutions, WAFs, and anti-fraud protection are among the top app services that organisations plan to deploy over the next 12 months. Respondents who have a WAF and DDoS protection solutions currently deployed, as well as those identifying themselves as representing cloud-first organisations, tend to feel more confident in their ability to withstand application-layer attacks.”
According to the research, the complex set of challenges faced by companies at present encompasses:
· The inability to scale infrastructure and resources to protect against high volume attacks without service interruption;
· Complying with customer expectations and maintaining industry/regulatory standards;
· Knowledge and visibility, that is, an understanding of the attacks faced and of how to respond to incidents;
· The complexity of managing an explosion of applications, and the need to stop attacks at various stages of exploit;
· The migration to cloud services leading to an increased need for protection that supports hybrid environments; and
· As mentioned, the fact that increased application attacks are getting more sophisticated as attackers seek to penetrate and cripple web sites.
10 areas to step up the security game
F5 has put together 10 critical areas of focus that it says will help organisations significantly strengthen their security program and risk mitigation strategies.
These are:
1. Understand hackers’ motivations, targets, and tactics.
2. Align your budget to your threat landscape and make sure cyber insurance is part of it.
3. Train everyone, from administrative staff to the board.
4. Properly control access.
5. Manage your vulnerabilities.
6. Ensure you have the visibility you need, especially into your critical data. You can’t manage what you can’t see.
7. Hire a hacker and/or implement a bug bounty program.
8. Leverage experts, especially when it comes to compliance and incident response.
9. Have a DDoS strategy.
10. Communicate the likelihood and impact of a breach.
“Consider some of these stats: 20 percent of employees would sell their company passwords, and nearly half of those would do so for less than USD1,000! More than seventy percent of attacks target the user identities and applications, not servers and networks. Yet, 90 percent of today’s security budgets are still spent on protecting everything but user identities,” points out Simon McCullough, major channel account manager: Sub-Saharan Africa at F5 Networks.
Anton Jacobsz, managing director at Networks Unlimited, value-added distributor of F5 solutions throughout Africa, adds: “As public and private organisations and individuals scramble to protect themselves following the global WannaCry ransomware attack, the cyber attack has highlighted the seriousness of security threats and that they are not singular to only one industry or country but spread a wide range of havoc. The warning is out that more attacks, possibly with greater severity, are in the digital pipeline.”
Jacobsz says being aware of your own risks and being alert to any probable threats “out there” is critical to any strategy that is forged with the purpose of adequately protecting yourself. “Each and every computer has the strength to damage reputation and cause revenue loss. It also has the ability to morph into a bot strengthening the cyber attack and helping in the effort to destruct. The severity of any potential cyber threat cannot be ignored,” he warns.
Staff Writer