Today, despite the frequent and large-scale nature of cyber attacks on businesses of all sizes and across sectors, local business owners and managers continue to take a flawed approach to Business IT Security. Instead of turning their focus to employee training, testing and awareness programmes, businesses continue to rely on perimeter defence – the use of firewalls, anti-virus software, etc.
Increasingly, this represents an ‘old’ and possibly outdated way of thinking about business IT security – one which, as the name suggests, ensures that you secure the perimeter of your network. The most common business IT security test within the enterprise today is called a ‘penetration test’, and involves trying to break through this perimeter. Yet it has emerged, through numerous studies and reports, that by far the greatest (and most common) threats emerge from the inside of the network.
According to historical claim data analysed by the London-based consultancy Willis Towers Watson, employee negligence or malicious acts accounted for two-thirds of cyber breaches. A mere 18% were directly driven by an external threat, and extortion accounted for just 2%. Significantly, the research revealed that about 90% of all cyber claims stemmed from some type of human error or behaviour.
The Weakest Link
Take phishing, for example, a form of attack that has been around for many years and continues to plague businesses. A scammer will send an email or emails that look authentic, but that contain links to sites that attempt to harvest usernames, passwords or other personal information. Armed with this information, scammers will attempt to gain access to bank accounts, emails or a business's network. The recent attack on local comedy and entertainment agency Goliath and Goliath was a classic case. According to reports, hackers intercepted agency invoices and then changed the banking details. The money that was ‘mistakenly’ paid over to the hackers ranged between R60 000 and R130 000.
In addition to phishing, social engineering has become a common and highly successful way of hacking into private data and accounts, and it is a method that requires little to no IT skills. Added to this, scammers in the UK and the USA have taken to loading memory sticks with malicious software and then leaving them in parking lots or public places. Naturally, someone sees it lying there, and thinks they’ve scored a free memory stick – only to unwittingly infect their computer or business network when they plug it in.
Sadly, all of these methods involve a user within the network unknowingly sharing confidential information, or activating software that could let cybercriminals in.
Zero Trust Security
Given that hackers are exploiting the human factor (human fallibility) within businesses, it is time for a new approach to cybersecurity. One approach that is increasingly gaining traction relies on the concept of Zero Trust. In a ‘Zero Trust’ environment, the user’s authority is never taken for granted. So, even if someone is already inside the network, there should be additional ways of checking their identity on every request. This can include requiring another password or second factor, checking the source IP address (does it originate in China, for instance?), or checking the machine ID.
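To make the idea concrete, here is an added example (not from the original article) of a small access-policy check that applies the three signals named above to every request, regardless of where it comes from. The network allowlist, device registry and user names are constructed sample values; the geographic check is replaced by a list of expected corporate networks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: networks the business expects logins from,
# and the device IDs enrolled for each user. In a real deployment these
# come from the network inventory and the device-management system.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # internal LAN
    ipaddress.ip_network("203.0.113.0/24"),    # office egress range (documentation prefix)
]
ENROLLED_DEVICES = {
    "alice": {"LAPTOP-A1B2"},
    "bob": {"DESK-9XYZ"},
}


@dataclass
class AccessRequest:
    user: str
    password_ok: bool        # primary credential verified
    second_factor_ok: bool   # the "another password" check (OTP, push, token)
    source_ip: str           # where the request came from
    device_id: str           # the machine ID presented by the client


def evaluate(request: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Being 'inside' the network is never
    sufficient on its own: every signal is checked on every request,
    and any failure denies access with an auditable reason."""
    reasons: list[str] = []
    if not request.password_ok:
        reasons.append("primary credential rejected")
    if not request.second_factor_ok:
        reasons.append("second factor missing or failed")
    try:
        addr = ipaddress.ip_address(request.source_ip)
    except ValueError:
        addr = None
        reasons.append(f"unparseable source address {request.source_ip!r}")
    if addr is not None and not any(addr in net for net in TRUSTED_NETWORKS):
        reasons.append(f"source {request.source_ip} is outside the trusted networks")
    if request.device_id not in ENROLLED_DEVICES.get(request.user, set()):
        reasons.append(f"device {request.device_id} is not enrolled for {request.user}")
    return (not reasons, reasons)
```

The `reasons` list is what a security team would want logged: a denied request from a trusted network but an unenrolled device is exactly the insider-style case the article describes.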
Hands-on Employee Training & Testing
While the Zero Trust concept will very likely grow in prominence within the IT Security community, most local companies will not have the resources to immediately implement the changes in IT infrastructure that such an approach requires. As a result, other methods must be urgently implemented – and without doubt, the most effective method is simple employee training, paired with regular performance testing.
Today, savvy business owners and managers should initiate regular workshops and training sessions that explain the various threats to employees – and that provide tools and strategies to help them to recognise scams. Importantly, scams and hacking methods are evolving all the time – so effective training and awareness programmes should be updated regularly, and implemented regularly. A critical part of this training involves performing tests in which employees are sent fake phishing emails, for example, and then monitored to see whether the training is, in fact, having any impact. Such tests should be performed regularly, on an annual or, ideally, bi-annual basis.
While the traditional perimeter defence elements such as firewalls, anti-virus software and patches should always be a priority for businesses, it is clear that employee training and awareness is no longer a nice-to-have. It is a critical part of modern IT security, and businesses that fail to recognise its importance are placing themselves at enormous risk.