While cyber threats continue to loom large over South Africa, there has been a noticeable improvement in the security posture as more businesses realise the need to invest in both security infrastructure and the training of their staff. With threats becoming increasingly sophisticated, such investment has become critical if organisations are to protect themselves successfully.
However, it should be noted that local organisations are still playing catch-up compared to developed markets; they are coming to accept a new, non-revenue-generating department called ‘security’, which is a necessity for any and every organisation that has IT infrastructure – unless they are willing to put themselves at risk. Medium to large organisations have come to the realisation that they potentially need between five and ten people in their IT department just to take care of security.
Combine this huge requirement with South Africa’s shortage of scarce skills, and we can see why cyber security has been a challenge for local businesses. These organisations are turning to outsourcing their security to companies that have the skills and expertise to manage their IT infrastructure, carry out regular vulnerability scans and penetration testing, and even run a Security Operations Centre (SOC) to take action on alerts and potential threats.
Thankfully, there is now additional external impetus driving improved security at South African organisations, such as businesses now requiring that their suppliers also meet cyber security standards in order to prevent third-party attacks.
Most cyber attacks avoidable
A few vulnerabilities are responsible for most of the breaches that make it to the news, with threat actors themselves going for easy exploits such as phishing or ransomware, as it is easier to target regular employees to get them to click on links, open files, provide personal details, etc. These very employees are also more likely to ignore notifications to update their operating system or apps and make themselves more susceptible to cyber attacks.
Nothing has changed here, as it has been shown that it is much easier to compromise employees than to compromise a firewall; in fact it has become even more critical for an organisation to protect its people from cyber threats.
Of course, there are some attacks that are not avoidable, such as those exploiting zero-day vulnerabilities: security flaws that threat actors discover and exploit before the vendor has a fix available. In this case, it is highly possible for several organisations to get hacked using the same vulnerability until a patch is developed and installed to prevent any similar attacks.
There are a few fortunate cases where such a vulnerability is discovered by a ‘friendly person’ who goes directly to the software or hardware vendor and informs them of the finding. The vendor uses this to develop and issue a patch, after which the vulnerability is announced together with the fact that it has been fixed. To promote this behaviour, some vendors even offer bounties to people who discover flaws in their products and bring them to the vendor’s attention before they can be exploited.
This is why it is crucial for organisations to apply security and other patches to their systems as soon as they are made available.
Finding the balance
As mentioned earlier, employees are often the target of cyber attacks and this is where the concept of Zero Trust comes into play. As an example, employees might be provided with laptops where they do not have administrator rights, cannot install their own software or applications and might even have specific ports disabled. Getting past any of these restrictions will require the employee to submit a request to their IT department.
However, achieving Zero Trust has to be a balance between security and usability. The only way to be truly secure with absolute confidence is to switch off your internet connection and do everything using CDs or tape storage. This is simply not practical, and organisations need to find the middle ground between giving employees air-gapped devices and having no security at all.
For their part, organisations must have a full understanding of their overall attack surface, including all PCs and devices, virtual private networks (VPNs) and services that are exposed to the outside world, and must monitor critical logs to ensure that there is no unusual activity. Understanding the attack surface can be achieved through regular penetration testing and vulnerability scanning.
Organisations also need to ensure that everyone understands the shared security model (often called the shared responsibility model) found in cloud computing, where the provider is responsible for the security of the overall platform, but the users are still responsible for the security of whatever they put into the cloud. One can’t assume that something in the cloud is inherently secure.
Cyber security training to be the norm
Despite best efforts, organisations should keep in mind that there will always be new vulnerabilities as people find flaws in code and create malware to take advantage of this – this is not going to change. However, the biggest worry for organisations is the increasingly sophisticated nature of cyber attacks. This includes coordination between a group of threat actors in order to use the same identified vulnerability to attack an organisation multiple times.
In another example, today’s phishing emails and websites don’t always have the spelling and grammar mistakes or poorly sized images that used to be a telltale sign that something was not right. There is also a growing possibility that threat actors can use freely available artificial intelligence tools such as ChatGPT to craft written content in a manner that appears to be far more professional and legitimate.
As mentioned in a previous cyber security blog, many organisations have fortified their front doors, so the threat actors are now targeting the windows and the back door, and something needs to be urgently done about it. While there may be an element of cyber security fatigue, there is a realisation that this is necessary for any organisation. Security cannot be made into ‘somebody else’s job’ and individuals need to start taking responsibility. As such, ongoing cyber security awareness and training for employees is set to become the norm.