Security is no longer the ambit of the IT department alone. As more South African companies conduct business online, and as more people and things connect to the Internet, security becomes everyone’s business – from the CEO to the newest or most junior employee, says Greg Griessel, consulting systems engineer, Security Solutions, Cisco South Africa.

The recently released Cisco 2015 Annual Security Report found that employees are the weakest link in the company security chain. Some employees intentionally exploit a business – as was the case with the recent Gautrain hack in which the public entity was nearly defrauded of R800 million by a former IT staff member.

But criminals are increasingly relying on ordinary users, who are generally careless when browsing the Internet, to install malware or to exploit security gaps within company networks. They then take advantage of these gaps to conceal their malicious activity and evade detection.

Cybercriminals will take the easiest path available to launch their attacks. In South Africa, this is often through unpatched or outdated software. While it’s one thing to ensure software installed on company-owned devices is up to date, it’s another thing to police the software on employees’ personal devices – especially when nearly two-thirds (63%) of South African employees are allowed to use their own devices to access the company server or network.

Taken together with the report’s other findings, which include a dramatic increase in spam, rapidly evolving attack methods, weak governance and a growing geopolitical landscape, it becomes clear that business defenders must continuously improve their approach – or perhaps review it completely – to effectively protect the organisation and its users.

Sophisticated security
The 2015 Annual Security Report found a number of similarities among sophisticated companies whose chief information security officers regard their security tools as extremely effective. These include security prioritisation by executive leadership (91%); clear, well-documented policies and procedures that are easy to understand (88%); and the use of integrated tools that work together (78%).

To reach this level of security sophistication, South African businesses need to prioritise threat prevention at the board level. Board members need to know what the risks to the business are as well as the impact of those risks. Businesses should then adopt stringent security controls that provide greater visibility of the network, including who is in the network, when and how they got in.

Everyone in the business should have a role in this new security approach. They should be accountable for their actions and learn how not to become a victim. This will become even more crucial as more South African employees bring their own devices to work and as a swell of connected devices drives up Internet traffic.

Cisco Security Manifesto
Cisco has outlined a set of security principles, known as the Cisco Security Manifesto, which will help businesses to ensure they have the tools and visibility needed to identify security issues. These principles can help users and security practitioners to see the ‘big picture’ on security, ultimately reducing the time to resolution in the event of a successful compromise.
* Security must be considered a growth engine for the business – the adage that business and IT should align applies here. Security teams should be involved in business strategy discussions, and vice versa, to ensure that the business’ security strategy does not hamper productivity or innovation but rather supports it.
* Security must work with existing infrastructure and be usable – any IT implementation that is difficult to manage or is not user-friendly will be shunned by staff and will not be useful to the organisation. Organisations should not have to change the way they do business to accommodate new security technologies.
* Security must be transparent and informative – users should understand why security is important and why the business may restrict certain activities, like social media use. Users should not feel a need to bypass security restrictions but should be able to achieve their goals safely through clear recommendations.
* Security must enable visibility and appropriate action – by automating visibility into the network and understanding how technologies operate, security teams can reduce their administrative workload and more effectively identify and respond to threats.
* Security must be viewed as a people problem – technology alone will not protect an organisation. Users should be educated on safe habits so that they can make good decisions and feel empowered to seek help if they think something is wrong. Commitment and vigilance by all users, from the top down, empower security success.

Effective security is multifaceted and multi-tiered. Ultimately, people, process and technology together form the defence against today’s threats. This will raise the average level of security for everyone in the organisation and help the business make more informed risk decisions – down to each individual user.