Cyber security should be on the meeting agenda at all levels

The big question on every African’s mind currently is how the new workplace will look after the pandemic and how many people will continue working from home. In their April 2021 research report, Prey Software published that 43,13% of the USA workforce will stay remote after the pandemic. Considering the size of that workforce, this is a massive shift to permanent remote working, creating opportunities for cybercriminals at a level never experienced before. Will Africa be any different? Although our workforce has a completely different makeup, let us focus on professionals. A recent Robert Walters salary survey of 2000 professionals in South Africa found that 40% of respondents would prefer to continue working from home. It is clear from these statistics that a hybrid work environment is here to stay, which will escalate the frequency of cybercrime attacks.

Almost every day we read about personal data leaks from large organisations world-wide, and South Africa is no exception. No industry is overlooked by cyber criminals. To name a few recent cases: a vehicle insurer’s website was hacked for driver licence details, 580,000 privilege files were affected by a data breach at a large airline, and a “highly sophisticated cyberattack” affected approximately nine million customers at another low-cost airline group. Various cyber vulnerabilities were responsible for these leaks.

How do we as employees contribute?

Although unintentional we make some very basic mistakes:

  • Having a natural dislike of creating passwords. This often leads to poor password choices, and the same password is frequently reused across many platforms and systems.
  • Sharing passwords with others to allow quick processing of urgent information.
  • Sending an email or message on a social media app to the wrong person containing confidential information.
  • Postponing software patches until it is too late.
  • Opening malicious attachments and clicking on links of topical subjects of the day, especially Covid related.
  • Installing WhatsApp and other social media apps on a PC desktop.

Every mistake above has its own consequence; however, they all lead to the same conclusion – eCrime! We must understand that cyber criminals have patience and work in a systematic manner. It is generally accepted that a cyberattack has seven stages:

  1. They scan the target organisation or harvest information from social media.
  2. Pair malicious code with a piece of malware to create a weapon.
  3. They transmit the malware to the target via for example email, USB, or website.
  4. Once delivered, the malware code is triggered by an action. This then exploits the vulnerability.
  5. The malware is then installed through the weapon.
  6. A command channel is used for remote manipulation of the victim’s organisation.
  7. They have hands-on access and achieve their objective.

What do your devices know about you, your organisation and how?

This applies to all PCs, Android tablets, smartphones and IoT devices:

  • Passwords – web browser autofill and the file system.
  • Credit card numbers – web browser autofill and downloaded credit card statements.
  • Deleted files – all deleted files, including ones no longer in the recycle bin, can be recovered until the physical storage space is overwritten.
  • Bank account details – downloaded bank statements.
  • Recently visited sites – web browser cache, history and cookies.
  • Name and address – web browser autofill, Windows Contacts and the smartphone contact manager.
  • Text messages – text log stored on the phone.
  • Phone calls – call log stored on the phone.
  • Contacts – contact manager.
  • Current location – readable GPS.
  • Recent locations – photos and navigation apps.

Is the threat as bad as reported?

On 29 April 2021 at 10:45, IBM X-Force Exchange reported 1403 malicious activities world-wide in one hour; by far the biggest threat was spam. IBM also reported that coronavirus-themed attacks affected 144 countries and peaked on 10 April, with an upward trend.

More than half of the malware attacks in 2020 were delivered via cloud applications, according to a study from Netskope, and research shows that cloud adoption is becoming more common. Is this a wake-up call? These attacks do not have to be complicated: the survey found that 58% of them were in fact infected Microsoft Office documents. Is your organisation managing employees’ access to the cloud?

Who owns the responsibility of data?

The more complex the IT environment, the more important it becomes to protect data shared across business units, located in hybrid multi-cloud infrastructures and stored on mobile devices and other endpoints. The Chief Information Security Officer (CISO) would normally not be directly responsible for data processed across lines of business and only acts as an advisor. Boards are known to turn to their Chief Information Officer (CIO) to confirm data security, only to find that the CIO’s job is to keep systems operational. The bottom line is that someone in IT would normally be responsible for databases but not have a security budget to protect confidential information. The solution would be to have a Chief Data Officer (CDO) with technical knowledge and business sense reporting to the board on securing the organisation against human error and IT security vulnerabilities. Outsourcing this function to a trusted IT security solutions partner should be an option for smaller organisations.

The top leads by example

Training should be an obvious step in creating awareness among employees. The standard, however, should be set at the top, with the board inviting a cybercrime specialist to advise on the state of the cybercrime landscape in their industry and to drive home the message that the eCrime ecosystem is an active, wide and well-connected economy of financially motivated groups that engage in many criminal activities with the purpose of generating revenue. Boards need to comprehend, properly fund and oversee the implementation of security awareness and training programmes and effective Information Security Management Systems. Board education should include subjects such as phishing, social engineering, file-less malware, ransomware, malware and non-malware attacks (including as-a-service offerings), naming conventions for eCrime actors such as Wizard Spider, Carbon Spider and all the PANDAs, and big game hunting (BGH) ransomware campaigns, which are aimed at high-value targets and use double extortion methods. This terminology and the risks behind it are not commonly understood, with the result that it is left to a few trusted IT employees to decide what best practice is for protecting the organisation’s infrastructure and assets.

Where is an effective place to start securing (software and hardware) assets, infrastructure and ultimately data?

Traditional antivirus has its limitations and is no longer best practice. A more cost-effective and efficient strategy is EDR (Endpoint Detection and Response) combined with next-generation anti-malware protection for infrastructure and assets. If you cannot see it, you cannot protect it, and that is the real challenge for infrastructure and IT security professionals. Given the hybrid working environment of the future, all cyber security strategies should first be built around the company’s devices at home (for example laptop, PC, tablet and cellphone) and, if the bring-your-own-device (BYOD) policy allows for it, personal devices too, which are mostly not subject to risk evaluation.

Protecting all endpoints is about protecting all data and personal information processed on behalf of your organisation and its clients on the PC, laptop or BYOD device. The purpose of an effective endpoint solution should be to find, fix and secure any vulnerabilities from a remote position. It enables the IT operations and IT security teams to collaborate in discovering all IT assets (software and hardware inventory) in the organisation, perform software distribution and enforce real-time patch management, whilst preventing both malware and non-malware attacks. Targeting endpoints as part of the security ecosystem is less complex and costly than securing data and applications directly, and requires less time to implement, resulting in the biggest return on investment.