Cape Town – South African businesses are ill-equipped to deal with emerging cyber security threats and rely on outdated protection strategies, says a security expert.
Cyber criminals have increased their attacks on SA, but company strategies have lagged behind the emerging threats.
“A common but often misunderstood and over relied on solution is the implementation of firewalls. However, the major pitfall of this so-called ‘trusted’ solution is that firewall configuration is often not aligned with changing cyber security policies,” said Graham Croock, director of IT Audit, Risk and Cyber Lab at BDO South Africa.
“In short, the rate of change with regard to cyber-related risk is accelerating rapidly, increasing the security gaps organisations contend with, and leaving them more exposed than ever before,” he added.
Security firm Kaspersky Lab found that 7% of South African organisations experienced a cyber attack in the last year.
Malicious software such as Equation, Red October, Careto, Flame, Turla, Epic Turla, Wild Neutron, Poseidon and Desert Falcons represent the majority of attacks, but Kaspersky said that businesses should be more concerned with bespoke attacks, even though they make up less than 1% of attack strategy.
“Corporate breaches in the headlines are turning hackers into the new super rogues, as these dedicated, organised, and well-financed cyber criminals bombard organisations through alternating attack tools and paths,” said Croock.
He submitted seven precautions for limiting the impact of a cyber attack:
• Treat security breaches as “when” and not “if” situations
• Invest meaningfully in people, processes and technology
• Put cyber, network security and survival in the business context
• Stop deployment of and reliance on “end point fix solutions”
• Practice resilience scenarios and Business Continuity Plans (BCP)
• Understand the attack lifecycle and plan accordingly
• Ensure that you have an active education programme in place to ensure your staff understand the threats and are trained to react appropriately to an attack
The University of Calgary recently paid C$20 000 to cyber criminals who extorted the institution by encrypting data on 100 computers on campus, reported the BBC.
The Hollywood Presbyterian Medical Centre was also forced to cough up $17 000 to gain access to its computer systems.
“Keeping pace with new attack techniques, and effectively defending against advanced threats, is perhaps the biggest challenge facing security teams today in a world of cyber threats. Therefore, architecting a cyber security solution that dynamically adapts to ongoing change is crucial. This, however, is expensive and for many organisations, unaffordable,” said Croock.
He said that companies should prepare for 10 major cyber security risks:
1. Failure to identify cyber risks and implement basic cyber security controls
2. Failure by executives to identify and understand what generates corporate cyber security risks
3. Lack of a cyber security policy
4. Confusing compliance with cyber security
5. Failure to recognise the importance of social engineering and the risks associated with the human factor
6. Bring your own device policy (BYOD) and the cloud
7. Lack of adequate funding, talent, training and implementation of inappropriate resources
8. Insufficient information security training
9. Lack of a business continuity and data recovery plan
10. Failure to identify, accept and understand the rate at which cyber risks are evolving (polymorphic risk)
Croock warned that organisations would do well to prepare for an increase in the number of attacks, especially as “attack-for-hire” gains traction.
“The attacks are becoming more sophisticated and are comprising multiple layers and techniques, each outsourced to specialty groups, ensuring zero-day effects.”