If we are to understand the most important theme of the recent cybersecurity month, it’s pertinent to start with an analogy about our personal homes.
Imagine for a second that you have spent a great deal of time and money securing your house, with a good perimeter fence, security gates, a solid front door, burglar bars, beams and heat sensors, and everything else you can imagine. What good would this be if a criminal, posing as someone trustworthy, tricked a family member into granting them access to the house? What good would any of that do if a criminal had a set of keys and the means to disable or bypass your security measures?
In other words, if the criminal were able to do this, it would mean that they simply let themselves in and helped themselves to whatever they wanted.
This concept represents a serious threat to organisations. While they have spent time and money fortifying the front door, criminals are peering through windows and hanging around the back door and getting to know your friends and family members. For all the technology in the world, your employees present criminals with easier opportunities to breach your systems.
And so, if one looks at the official themes of cybersecurity month, it is about seeing yourself in cybersecurity. In other words, there is a focus on people, and this is the correct way of looking at security. A vulnerable employee is just one click away from unlocking the virtual door to your business.
How businesses in South Africa should consider approaching cybersecurity
Multi-layered security
On a piece of paper, draw an image that represents the core of your business and crucial systems that need to be protected. Then draw rings around it — these represent a multi-layered security strategy and segregation of systems. Other non-negotiables include properly maintained firewalls, antivirus, and other filtering and monitoring software.
Educate users
Equally as important on the non-negotiables list is ongoing and proactive employee awareness and education. Invest and look after your employees’ personal security skills as it will benefit the business in the long run. Make sure the “four laws” of 2022’s awareness month are ingrained in every user in your organisation: always think before you click, keep software updated, create strong passwords and use multi-factor authentication.
Surface management
Cloud services that continually scan and test your Internet-facing systems can be expensive, as many of them charge per item tested. However, they are invaluable. In the spirit of “security is a process”, an ongoing process of testing is unavoidable. Ensure that you have surface monitoring of as many of your potential attack surfaces as possible. It’s no longer good enough to ask whether someone can access the SMTP or SSH port; rather, it is about what is sitting behind them and how you manage the potential vulnerabilities in the applications exposed to the Internet. Keeping a strong focus on secure code is also a key priority for businesses that produce their own software.
Appreciate the arms race
Appreciate that we are in an arms race. The more sophisticated we become, the more sophisticated the criminals become. Before, it would be enough to tell staff to look at the branding and language used in e-mails to identify phishing. Today these e-mails can mimic a legitimate entity in all aspects, including the text, and the only way to identify the scams is by hovering over the links to see where they’d take you.
Continuous deployment
Move towards a state of continuous integration and deployment. Rather than deploy a new app every six months, focus on deploying every few weeks with smaller changes and incremental upgrades — this makes it easier to test and fix.
Social engineering and spear phishing
There are a number of emerging threats to be aware of, and you’d hardly be surprised to find out that many of the more dangerous ones are aimed at employees through social engineering. The concept of spear phishing is where criminals take the time to learn about the company and its people and use that for attacks that are more personal and targeted. In this case, emails from the “MD” or from a specific employee to payroll to make changes would look far more legitimate.
Ditch the legacy
It is important, especially for larger organisations to pay attention to their old legacy machines. In many instances, businesses are almost too late to the party and this exponentially increases security threats in a modern work environment.
Hybrid working and managing user devices
Many organisations allow hybrid and remote working. Every device is an additional attack point for criminals, and frankly, it is difficult to control any device that leaves your site. In some instances, organisations instil such rigid security measures that users can’t install anything, requiring an IT person to do it manually. This obviously causes backlogs and difficulties in a hybrid work environment. This is where businesses would do well to work closely with advisers on the best practice to balance good user experience with security.
Ultimately, a business is responsible for its own security. While software-as-a-service providers in the cloud take care of their own security, a business cannot and must not shirk its own responsibility to implement a multi-layered security approach to protect every layer of its systems, and continually educate its employees.
Ensure an excellent experience for all your cloud-based services with fast, stable network access and managed firewalls. Telviva’s vendor-agnostic approach gives you the most appropriate access network solution for your business needs, with the broadest choice at the best price (equivalent to going direct) and maximum supplier redundancy. Contact us today.
- This promoted content was paid for by the party concerned