The words “cybersecurity” and “data leak” are increasingly becoming part of our lexicon, especially after Absa recently confirmed that data belonging to 200 000 clients was stolen by a rogue employee, who now faces criminal charges.
That leak followed an Experian breach, which left 24 million South Africans exposed when their personal information, including cellphone and ID numbers, apparently ended up on the Internet. Those who follow media reports will also have read that matriculants will have to rewrite two papers after examination papers were leaked.
The question then becomes, how can companies ensure that staff do not walk off with competitively, or otherwise, sensitive information? According to Brett Skinner, security sales manager at Micro Focus, “it’s more dangerous to walk on the Internet highway” than it is to take a jog.
Skinner was one of several IT leaders speaking at a TechCentral roundtable to discuss how to mitigate identity risk in the “new normal”. He said that we are living in an age of espionage, and we need to know who’s accessing our systems, what access they have, and what data they have access to – and this needs to be broken down into granular detail.
Shiloh Naiken, CEIO at the department of basic education, explained that one of the big challenges with the matric papers is that they need to be printed and distributed around the country. He added that there are various printing stations around the country, and these are identified through barcodes on the paper.
Despite this level of security, the department was unable to stop the human element and prevent a contractor from walking out with a reject paper.
GM of enterprise strategy and architecture at Transnet, Tony Willis, said some of the steps Transnet has put in place include multi-level authentication, because “two levels are no longer enough”, as well as increased cellphone security to prevent data leaks.
Maclaud Mafaiti, GM of IT security and Trust Centre at the South African Post Office, added that education is key. He described a scenario in which staff change shifts, but the afternoon employee logs on using the first shift’s password. In this case, Mafaiti said, employee education as to the risks was vital.
Old Mutual Insure has seen thousands of attempts to penetrate its systems, and avoiding a cyberattack is not always easy because systems need to be cut over, which takes time, said head of innovation and architecture Shillan Kisten.
One solution that worked for Rain was to set up multi-factor authentication. As Regardt van de Vyver, head of department for product engineering, explained, this made a massive difference, especially in a completely virtual environment. The solution was to ensure that colleagues needed to verify their identity via their smartphone, because no one will hand their phone over to someone else, whereas they may share their password.
Another suggestion from Willis was to let scamsters in, but then ringfence the area in which they could play, which would stop them from trying to penetrate further as they would believe that they had successfully breached security.
Vox implements permissions internally, in association with its human resources department, said Niel van Rooyen, head of information security. A real-life example is that provisioning of access to information is tied to human resources providing a start date, and the access is automatically cut off the day an employee leaves.
This is also a rule that the department of agriculture, land reform & rural development applies. CIO Priscilla Tsotso Sehoole said there should be five different permission levels, which limits access. However, there still need to be penalties for stealing documents or selling information.
3Sixty Health CIO Tshepo Motshegoa agreed that human resources needs to be involved, especially when it comes to the issue of access. He explained that, besides onboarding, provisioning is done, which allows employees access only to the data that they need to use. This process is managed to allow for movement within the company as well, and user rights can be changed as needed.
Van Rooyen also pointed out the importance of knowing what data a company has, because many don’t. And that, he said, would be indefensible in a court should there be a cybersecurity issue.
“We actually need to move from the traditional way of doing things into the new,” said Tsotso Sehoole.
No matter what we do, however, there will always be the human element, which is driven by circumstances, said Naiken. “Times are tough right now; I’m not trying to justify the actions, but I’m trying to see … we need to understand … the challenges that people are facing.”
- This promoted content was paid for by the party concerned