With South Africa ranking among the most targeted countries worldwide when it comes to cyber attacks, local organisations have taken multiple measures to beef up security, including using firewalls and antivirus software, setting up content filtering and more. Now, with the ‘front door’ locked, threat actors are actively targeting other areas of weakness and organisations need to respond appropriately to mitigate the risks.
It is a never-ending arms race, with organisations and threat actors continually improving their tactics and methods in order to defend or attack. However, as organisations harden the perimeter against brute force attacks with the relevant security measures, and adopt approaches such as segregation of services to create multi-layered security, cyber criminals are ditching the ‘front door’ in favour of ‘knocking on the windows and back door’, most often by targeting employees.
Or, they could stroll right through the front door at night using a stolen ‘key’. Employees are now the main targets of attacks such as phishing, with the stolen credentials or information used either to wreak havoc in an organisation’s IT infrastructure, or to carry out some type of financial fraud or theft. These attacks are growing in sophistication and quality, and one can no longer simply rely on spotting spelling or language errors and distorted images to identify phishing emails and sites, which can be flawless copies of the real thing.
Then, there’s spear phishing, where social engineering, or simply publicly available information, is used to craft highly personalised emails that are sent to employees purporting to come from senior management, suppliers or other trusted parties, often with the intention of defrauding the organisation by requesting that banking details be changed, that certain payments be made, or that some other seemingly legitimate action be taken. Compromised user accounts, meanwhile, can simply be shared or sold on the dark web for the next threat actor to come across and use.
Do you see yourself in cyber?
The modern working environment, which includes policies such as Bring Your Own Device (BYOD) and hybrid or fully remote working, poses challenges for businesses. Devices beyond a controlled environment can never be fully trusted, yet organisations have to find a balance between security measures, such as placing heavy restrictions on what can be done on the device, and usability for the employee. What all of this means is that employee education, awareness and support are becoming non-negotiable for organisations.
This ties in well with this year’s Cybersecurity Awareness Month, with the theme “See Yourself in Cyber”, which demonstrates that “while cybersecurity may seem like a complex subject, ultimately, it’s really all about people.” The campaign calls on individuals and families to see themselves taking action to stay safe online, on those wanting to join the cyber community to see themselves joining the cyber workforce, and on industry partners to see themselves as part of the solution. It also lists four simple things that people can do to better protect themselves in a digital world. These are:
- Think before you click: This needs to become a key part of awareness campaigns in any organisation. However, this cannot take the form of weekly hour-long presentations on security, which will likely bore staff and fail to achieve their objective. Rather, it can take the form of regular, short snippets on improving security, with engagement enhanced through quizzes that test employees’ knowledge and through simulated phishing campaigns that observe how employees actually respond. This step also calls on employees to report phishing attempts rather than simply deleting them.
- Update your software: Ten years ago, admins were rewarded based on how long they could keep their server up. Today, this reward has to be reserved for the admin whose server has the most up-to-date security patches. Growing numbers of threat actors exploit known but unpatched vulnerabilities, and keeping systems updated is now crucial for any organisation.
- Use strong passwords: A major risk for organisations these days is employees who reuse the same passwords across services, for both personal and professional use, so that a breach at one service exposes every other account that shares the password. Often, these are weak passwords that can easily be compromised through brute force attacks. Apart from the usual user awareness training around password hygiene, organisations can also provide access to tools such as password managers, which make unique, strong passwords practical and help employees improve their personal security posture.
- Enable multi-factor authentication: In an age where no one goes anywhere without their smartphone, why not turn it into an additional protection measure? Enabling multi-factor authentication provides another layer of security for accessing online accounts, so that a stolen or guessed password alone is not enough for an attacker to get in.
Being better prepared
For their part, organisations are embracing continuous development: rather than shipping a totally new version of an application every six months or year, they are providing incremental updates that are easy to test and roll out within weeks, so that vulnerabilities in the code can be fixed and deployed quickly. Additionally, automated code review and scanning tools can continuously check applications for flaws that would otherwise let attackers in.
While it is advances in technology that have created these problems, thankfully technology also provides much of the solution. Following these simple steps will not remove the threat of cyber attacks, but it will leave organisations better prepared as a result of user education, testing and more.
It is critical for organisations to understand that security is not a state, but an ongoing process. A vulnerability scan that gives you the all-clear today might not do the same tomorrow, whether because of an internal change or mistake, a newly disclosed vulnerability, or simply because the threat actors have evolved. The ‘front door’ might be tightly locked, but now is the time for organisations to fortify the back door and put up the burglar bars on the windows.
By Antony Russell, CTO at Telviva.