Its About Training, Stupid.

Uploaded on 2018-06-22 in NEWS-Newsletter Archive, JOBS-Training, FREE TO VIEW, TECHNOLOGY--Resilience

In South Africa, the private and public sectors need to move with the times and start training employees, the new weak point in an organisation’s information technology (IT) defences, in how to deal with cyber threats, experts say.

There has been "a seismic shift in how we work", with mobile devices allowing remote work to increasingly become the norm, says David Emm, a UK-based principal security researcher at cyber security firm Kaspersky Lab. That means the old model of building security "moats" around company networks no longer works, and many businesses have not moved on from that strategy.

Emm says the shift to working on mobile devices, phones, tablets and laptops, means hackers have more entry points into a company’s network.

Riaan Graham, Ruckus Networks sales director for sub-Saharan Africa, agrees. "With mobile devices becoming effectively a computer in your pocket and where a lot of your communication happens on a daily basis, I think the one thing all corporates are guilty of at some level is the lack of training given to employees regarding cyber security," says Graham.
Since all employees have access to a company’s network, if a cyber-criminal hacks into a staff member’s device, "their work’s already half done".

"So I think the first thing that’s needed is continued training with regard to security risks for employees, from the base all the way up to C-level employees. All of them need to understand the threats out there today," Graham tells the Financial Mail.
Employees should be trained in how to deal with possible malware, spyware or "rogue security software", for instance.

"The software might tell you to update or remove certain functions, and if the employee is not aware of the company’s policies regarding change control, they might click and say ‘yes let’s update’, and then open up the whole network to a virus or a Trojan horse," Graham says.

Some hackers are even penetrating networks by leaving corrupted memory sticks in a company’s parking lot in the hope someone will pick them up and insert them into their computers, according to Paul Williams, Fortinet’s manager for Southern Africa.

Perhaps unsurprisingly, considering the hype around bitcoin and other digital currencies, Williams says hackers are also hijacking companies’ computers to mine crypto-currencies. He says "crypto-jacking", or the unauthorised use of someone else’s computing resources to mine crypto-currencies, has become a major threat to both consumers and enterprises.
It is an attractive ploy for cyber criminals as it does not require strong technical skills and, unlike ransomware, offers a potential 100% payout ratio, Williams says.

Meanwhile, besides their employees, companies’ supply chains are also being identified as a weak link by cyber criminals, according to a recent Dimension Data report. Mark Thomas, Dimension Data’s group cybersecurity strategist, says there are many moving parts to supply chains and outsourcing companies, and these often run on disparate and outdated networks, "making them easy prey" for the cyber-criminals.

"Service providers and outsourcers are also a prime target due to their trade secrets and intellectual property," Thomas says, adding that businesses "need to wise up".

New data protection rules in SA and Europe could prompt businesses to do just that, according to Roy Wright, head of risk solutions at financial advisory group GTC.

Wright believes companies should be taking out insurance against cyber-attacks because they need to safeguard themselves against lost income from systems outages, costs associated with identifying and rectifying a breach, litigation costs, and possible extortion from ransomware attacks.

He says cyber-insurance will probably be taken more seriously following the introduction of laws to ensure the protection of personal data including the General Data Protection Regulation (GDPR) in Europe and the Protection of Personal Information (PoPI) Act in South Africa.

The PoPI act will oblige companies to report and publish any data breaches as and when they occur. Organisations will also have to publish their strategies to rectify a breach and their plans to mitigate against such risks in the future.

"Companies that fail to comply with these requirements will be issued with fines, which will significantly impact small to medium businesses," says the risk expert.

Meanwhile, as organisations move their workloads into public cloud infrastructure, they will gain the added benefit of having better security.

This is because cloud vendors have to spend substantially more money on their security than most companies would ever choose to, says Richard Levine, co-founder and MD of Executive Solutions. Cloud computing providers such as Microsoft and Amazon also fork out a lot more than most companies can for the skills to manage and support these security technologies, Levine says.

"Companies moving to the cloud therefore benefit from economies of scale via their cloud vendor on all fronts, including IT security."

BusinesLive:        Image: Nick Youngson

You Might Also Read:

In S.Africa The Cybersecurity Skills Gap Is A Chasm:

Employees Are Key To Cybersecurity:

 


 

« The Pentagon's AI Program To Find Hidden Nuclear Missiles
AI Is Re-Inventing IT »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

RoboForm

RoboForm

RoboForm's industry-leading encryption technology securely stores your passwords, with one Master Password serving as your encryption key.

Mi-Token

Mi-Token

Mi-Token is an advanced two-factor authentication solution that offers unparalleled security, flexibility, cost-effectiveness and ease of use.

Dark Cubed

Dark Cubed

Dark Cubed is an easy-to-use cyber security software as a service (SaaS) platform that deploys instantly and delivers enterprise-grade threat identification and protection at a fraction of the cost.

H3Secure

H3Secure

H3 Secure focuses on Secure Data Erasure Solutions, Mobile Device Diagnostics and Information Technology Security Consulting.

DivvyCloud

DivvyCloud

DivvyCloud protects your cloud and container environments from misconfigurations, policy violations, threats, and IAM challenges.

Secure-IC

Secure-IC

Secure-IC provide end-to-end, best-of-breed security expertise, solutions, and hardware & software technologies, for embedded systems and connected objects.

WebOrion

WebOrion

WebOrion is an All-in-One Web Security & Performance Suite. Fortify, accelerate and monitor your website today.

Strike Graph

Strike Graph

The Strike Graph GRC platform enables Security Audits & Certifications.

SkyePoint Decisions

SkyePoint Decisions

SkyePoint Decisions is a leading Cybersecurity Architecture and Engineering, Critical Infrastructure and Operations, and Applications Development and Maintenance IT service provider.

IronClad Encryption (ICE)

IronClad Encryption (ICE)

Ironclad Encryption is Dynamic Encryption. The encryption sequence changes continuously so there is never a correlation between data sent and data received.

443ID

443ID

443ID brings OSINT data to Identity Security professionals on any digital platform.

Gem Security

Gem Security

Gem is on a mission to help security operations evolve into the cloud era, and stop cloud threats before they become incidents.

RedNode

RedNode

RedNode is a cybersecurity service provider that offers customized security testing solutions to protect any size of business worldwide.

iomart Group

iomart Group

iomart is a cloud computing and IT managed services business providing secure hybrid cloud, network connectivity, data management, and digital workplace capability.

SecZone

SecZone

SecZone is a Chinese enterprise with a mission to "Make It Secure." We are dedicated to driving software security innovation globally.

SixMap

SixMap

SixMap is a continuous threat exposure management platform that automatically provides comprehensive enterprise visibility, contextual threat intelligence, and a suite of remediation actions.