Companies that are turning more of their operations digital might be winning the innovation race, but they’re opening themselves up to increased cybercrime.
Every activity that goes onto the Internet and outside the corporate firewall increases the ‘attack surface’ and opens another doorway for scammers and criminals to sneak through. That’s no reason to delay the inevitable digital transformation, but it does mean that enthusiasm shouldn’t run ahead of cybersecurity measures.
IT experts from a variety of industries exchanged ideas and advice about cybersecurity at a recent webinar roundtable hosted by TechCentral and sponsored by Obscure, Puleng and RiskIQ.
A downside of trying to be quick to market is that innovations often outpace security, warned Zaid Parak, the chief information security officer of Discovery. Development managers may give the go-ahead for a new tool or app and worry about the processes later. “We’ve allowed a lot of freedom within the company, and nobody reads policies and standards. It’s not a question of negligence, but more enthusiasm and the need for speed in doing business,” he said.
The attack surface extends to humans, too, and the volume of those attempted crimes is “going nuts”, said Warren Hero, the CIO and chief development officer at Webber Wentzel. “Impersonation of Twitter accounts and of social networking is rife. We have to stop thinking about IT security and think about cybersecurity. We have to think about the cyber safety of our staff and our partners.”
Budgets must be extended to cover these areas, because somebody hijacking a Twitter account and impersonating a partner could have a material impact. “It’s not just access points, it’s actually impersonation points that we’re talking about,” Hero said.
Imraan Kharwa, head of information security at Tourvest, asked the panel whether they are seeing a surge in social engineering attacks with their employees working remotely, and if so, how they are addressing that.
An impersonation attack had directly affected Shoaib Nathie, the CIO at CIB. “Somebody tried to change my banking details with HR for my salary, claiming to be me. We’ve had a big increase in Internet impersonation attacks,” he said.
“Phishing is a big, big concern for us as well,” agreed Jacques Loubser, group CIO at PPS. “We conduct tests all the time and have some initiatives in which we educate our staff and members on how to identify phishing scams.”
Loubser reminded the roundtable that devices used by the employees could be compromised too, particularly with many administrative and development staff now working from home. “We are overly obsessed with the ‘data zone’ and securing our data, so we ensure devices are encrypted. In terms of our tech surface, we try to embed security as a whole. It’s about our stacks — some of them run out of the country. We also have subsidiaries which integrate as well, meaning our APIs will be exposed to external vendors, too,” he explained.
Parak told the participants that when he became the CISO of Discovery, the first thing he did was fully examine the IT environment to understand what he was dealing with. “I found a plethora of niche point solutions and services that were extremely expensive, but really complex, which made integrations impossible as nothing would talk to each other,” he said. He also assessed Discovery’s footprint on the Internet, checked for any scam or phishing sites, and found a lot of shadow IT that didn’t follow the internal diligence processes.
He found that security problems had previously been dealt with by applying plasters to the cuts, and that the technologies they had were not always used to their full capability. They were doing a good job of keeping the malicious guys at bay, but it was not sustainable, he said. He decided to plan and execute a strategy that improved the overall security position, reduced complexity, made better use of what they had, and consolidated everything more effectively. “My principle was not buying anything new, but rather seeing what we have, and expanding the solutions to cover a lot of the services we had.”
Riaan Hamman, chief technology officer at Puleng, agreed with Parak, that it was important to understand your internet footprint, although trying to manage that data manually was a battle you’re never going to win. “This constant analysis needs to become a daily process to manage and maintain that digital footprint and look for practical ways to improve your footprint on the Internet,” he said.
There seemed to be several differences between Discovery’s environment and that of a manufacturing organisation, noted Ritasha Kalidas, the director of IT security, risk and governance at Tiger Brands. “I think for us as manufacturing, the mindset is very different,” she said. The core focus in manufacturing was getting products out, ensuring high quality, and making sure they reached the customers’ shelves.
“If there’s an attack, it’s not just about hitting the network, it’s about getting into the factory and potentially tampering with sensors and environmental devices. The impact of a cyberattack in manufacturing is not just limited to data loss. It could also cause injury or threat to life should there be tampering with the machinery in Scada environments.”
Kalidas said when she talked to her executives about security, they always thought about confidentiality, integrity and availability. “But our biggest threat is availability,” she said. “In the manufacturing environment, the minute you take data and systems away from people you’ve got a major concern. Should something as simple as a printer go down in our environment, the impact is substantial. If a truck driver comes to the warehouse and is unable to get his invoice he can’t leave with the goods, and we might end up with a line of trucks going for kilometres.”
Digital transformation was affecting every industry, but the threat landscape obviously varied, said Fabian Libeau, the VP for Europe, Middle East and Africa with RiskIQ. “The bottom line is that the problem is the same, although the impact may be different depending on the industry.”
But one thing that increased the risk for every sector was the Covid lockdown and the enforced move to working from home. Many employees were connecting to corporate networks through their own unsecured laptops because companies hadn’t been able to deliver enough secure laptops quickly enough to keep everybody safe.
For Imperial Logistics, the big problem was creating the capability to implement information security, said its group CISO, Anthony Olivier. “We have dozens of companies in about 40 different countries, all at different levels of maturity — some with massive IT departments and some so small that the guys have to sort themselves out with laptops.”
One example was the dozens of different websites run by those companies, which have all been built by different suppliers. “About two weeks ago, we started looking at how our cookies are being managed in Imperial. And it’s really complex because we are dealing with a company that had a friend create the website or similar, so attaining compliance is a huge part of my problem. There’s a saying that security is not privacy, but you can’t have privacy without security. In the same way, compliance is not security, but you can’t have security without compliance.”
Another problem with securing a company’s external presence was that the digital space is an intersection between the customer, the business and the technology, said Priya Thakoor, managing executive of digital channels at Vodacom. Keeping channels like the MyVodacom app and the corporate website secure while also reducing “friction” for the customer meant working closely with many stakeholders and security teams. “The question is, how do we bake in a lot more of the quality design and experiential elements into our security thinking?” she asked.
Customers who register for MyVodacom app, for example, must create passwords with a certain number of digits, a symbol and a number, and people don’t remember them. “We need to find the balance between how can we make it easy for customers to use what we offer as a digital format, but not have a bad experience in terms of usability. There’s a big opportunity to really bring these two constructs of security and design together, which is a big focus for us.”
Helping customers to keep themselves secure was difficult, agreed Janine West, head of data privacy at Investec. To avoid fraud through impersonation, customers were advised to only open mails that came from people they trusted, and Investec told them they would never send links in its e-mails. “However, you have to be practical,” she said. “For example, you might need them to register with the South African Fraud Prevention Services, and send them a link to go to the website, which becomes a difficult balance of saying that you’ll never send them links except in certain circumstances. It has a lot to do with behaviour and very much a sense of ‘people feeling’, because there’s a lot of mistrust at the moment and all these breaches and scams are adding to it.”
A challenge for Nastassja Finnegan, the cybersecurity officer at FNB, is melding innovative thinking with security thinking from the start. Banks were all in a race to be the fastest, the coolest, and to offer the nicest products. “Do we do this in the most secure, efficient and effective way? Absolutely not,” she said. “Our go-to-market strategy is to get it done quickly and build it ourselves, which makes my job a lot harder. So what we’re trying to do differently is to change the culture to turn us into a risk-based organisation, which incorporates training to get the organisation to think about things differently.” That would be more effective than trying to impose various policies, processes and technologies, she believes.
- This promoted content was paid for by the party concerned
