For a country as visibly preoccupied with security as South Africa, its information security landscape lags badly in both awareness and practical, relevant application.
Today’s chief information officer (CIO) needs to keep tabs not only on external security threats, but on internal threats as well, because the potential for disaster is inherent in both.
External threats have long been a focus for CIOs, and while progress has been made in protecting organisations against them, these threats continue to evolve. Internal threats, however, have not been receiving the attention they deserve. They can arise from employees acting with or without malicious intent, but either way the impact is real.
Lise Hagen, IDC’s research manager for software and IT services in Africa, believes the problem is that many organisations overlook the internal threats, leaving them vulnerable and often surprised when the inevitable happens.
Intentional or unintentional – internal threats are real
“Internal threats are usually not malicious and can be as simple as an employee losing a flash drive or having a laptop stolen from the boot of their car,” says Hagen.
“However, disgruntled employees can have a devastating impact on the organisations they work for, and this is where CIOs need an operational benchmark. In this regard, data analytics can play a key role in identifying abnormal behaviour, such as a sudden increase in downloads. Such analytics can be automated and need not be expensive, but their implementation requires some proactive thinking.”
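The "sudden increase in downloads" signal Hagen mentions is easy to automate against an ordinary file-server audit log. The script below is an added example, not code from the article or from IDC: it aggregates bytes downloaded per user per day and flags any day that is far above that user's own earlier median. The log format, the sample lines and the thresholds are all assumptions made for illustration.

```python
"""Flag users whose daily download volume spikes far above their own baseline.

Added example, not code from the article or from IDC. The log format, the
sample lines below and the thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import date
from statistics import median
from typing import Dict, List, NamedTuple

# Constructed sample log (hypothetical file-server audit trail):
# "<ISO date> <user> <action> <bytes> <path>". Paths may contain spaces.
SAMPLE_LOG = """\
2024-03-01 alice DOWNLOAD 150000 /finance/q1 summary.xlsx
2024-03-01 bob DOWNLOAD 5000000 /engineering/build.tar.gz
2024-03-02 alice DOWNLOAD 90000 /hr/policy.pdf
2024-03-02 bob DOWNLOAD 4800000 /engineering/build.tar.gz
2024-03-03 alice DOWNLOAD 200000 /finance/q1 summary.xlsx
2024-03-03 bob DOWNLOAD 5200000 /engineering/build.tar.gz
2024-03-04 alice DOWNLOAD 110000 /hr/policy.pdf
2024-03-04 alice UPLOAD 300000 /hr/expenses.xlsx
2024-03-04 bob DOWNLOAD 5100000 /engineering/build.tar.gz
2024-03-04 carol DOWNLOAD 40000000 /finance/customer list.csv
2024-03-05 alice DOWNLOAD 50000000 /finance/customer list.csv
2024-03-05 alice DOWNLOAD 2000000 /finance/pricing.xlsx
2024-03-05 bob DOWNLOAD 6000000 /engineering/build.tar.gz
"""


class Event(NamedTuple):
    day: date
    user: str
    nbytes: int


class Alert(NamedTuple):
    user: str
    day: date
    total: int
    baseline: float


def parse_log(text: str) -> List[Event]:
    """Keep only DOWNLOAD records; maxsplit=4 leaves the path intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, action, nbytes, _path = line.split(" ", 4)
        if action == "DOWNLOAD":
            events.append(Event(date.fromisoformat(day), user, int(nbytes)))
    return events


def daily_totals(events: List[Event]) -> Dict[str, Dict[date, int]]:
    """Bytes downloaded per user per calendar day (days with no downloads are absent)."""
    totals: Dict[str, Dict[date, int]] = defaultdict(lambda: defaultdict(int))
    for ev in events:
        totals[ev.user][ev.day] += ev.nbytes
    return totals


def find_spikes(totals: Dict[str, Dict[date, int]], factor: float = 5.0,
                min_history: int = 3, floor_bytes: int = 1_000_000) -> List[Alert]:
    """Compare each active day with the median of that user's earlier active days.

    The median rather than the mean is used so that one earlier spike does not
    inflate the baseline and mask a later one. Two guards reduce noise: the day
    must be at least 'factor' times the baseline AND exceed it by at least
    'floor_bytes', so a light user going from 2 KB to 20 KB is not an alert.
    Users with fewer than 'min_history' earlier days are not scored at all;
    a brand-new account pulling a large file needs a separate rule.
    """
    alerts = []
    for user, per_day in totals.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]  # strictly earlier days only
            if len(history) < min_history:
                continue
            baseline = median(history)
            total = per_day[day]
            if total - baseline >= floor_bytes and total >= factor * max(baseline, 1):
                alerts.append(Alert(user, day, total, baseline))
    return alerts


def report(alerts: List[Alert]) -> List[str]:
    """Human-readable alert lines for a ticket or a daily digest."""
    return [f"{a.day} {a.user}: {a.total:,} bytes vs baseline {a.baseline:,.0f}"
            for a in alerts]


if __name__ == "__main__":
    for line in report(find_spikes(daily_totals(parse_log(SAMPLE_LOG)))):
        print(line)
```

On the constructed log this flags only alice on 2024-03-05 (52 MB against a 130 KB baseline); bob's 6 MB day is within his normal range, and carol is skipped because she has no history to compare against. The thresholds are deliberately simple so that they can be tuned per department; the point of the example is that the baseline comes from the user's own past behaviour, not from a fixed company-wide number.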
The insiders best placed to mount a damaging attack are systems administrators and other IT staff with privileged systems access. “Technically proficient employees can use their access levels to open back doors into company computer systems or just engage in sabotage and thereby wreak havoc,” adds Hagen. “Data loss is one of the biggest areas of impact when it comes to internal attacks, but they can also result in a loss of customer and shareholder confidence and cause damage to the organisation’s reputation, market share, and brand.”
The key to protecting the organisation from internal security threats is to establish clear, written security policies that cover physical security as well as data and network security. “Get buy-in from the bottom up, but lead from the top down,” advises Hagen. “Make it clear why these policies are important and establish good physical security too. Make it part of the organisational culture by integrating it into the hiring, on-boarding, and orientation process, as well as into annual reviews.”
External threats are evolving
If this wasn’t enough cause for concern, Hagen also explains that external attacks are becoming much more targeted: “Attackers are using more advanced and more determined phishing methods, identifying high-value account holders and then employing spear-phishing techniques to ensure that their attacks are successful. Social media plays an enormous role in this regard; once the attacker has developed a list of relevant employees, they will use social media pages to gather detailed intelligence that can be used to craft a targeted attack on the pre-identified individuals. This, of course, relates directly to the amount of information we share about our personal and professional lives on public forums such as Facebook, Twitter, LinkedIn and Instagram.”
With emerging technologies like virtualisation, cloud computing, and social media becoming the new “normal”, organisations must secure the assets that they don’t own, control, or manage and that aren’t tucked away behind their firewalls. “This will require a frequent resetting or rebasing of the organisation’s security posture, with ongoing evaluations taking place as new infrastructure emerges and a clear focus on selecting security technologies and strategies that are designed to deal with these new realities,” says Hagen.
To this end, CIOs will need to ensure the early detection and mitigation of targeted, previously unknown attacks through granular logging and the enforcement of policies derived from both internal rules and external regulations. “When sourcing solutions, CIOs should interrogate IT services providers on how their offerings align with the demands of next-generation technologies,” advises Hagen. “And, given the high value placed on security, any new product, solution, or service will have to be underpinned by resilient and advanced security features.”
Security 101
Featuring prominently among the focus areas of the IDC South Africa CIO Summit in March will be the issues that CIOs must consider when developing a coherent security strategy.
The first thing to appreciate is that security is not a product but a frame of mind. Given this reality, IDC encourages CIOs to take the following steps when reviewing and revising their strategies:
* Create and revise the risk portfolio;
* Consider a metric-based approach;
* Plan, update, and enforce security policies;
* Implement ongoing user awareness and education programmes;
* Spend smarter, not more; and
* Align existing internal governance, risk, and assurance strategies. It is important to note that this does not just sit within the domain of the CIO, but also intersects with the legal and compliance teams, and even finance.
Implementing a solid security strategy is no longer a one-off project; it has become a long-term commitment that requires ongoing evaluation as areas for optimisation are highlighted during the course of the process. “Security needs a holistic approach comprising all components, including employees, suppliers, physical, software, hardware, network, and data,” concludes Hagen. “It is therefore not only helpful, but critical to properly align these internally and benchmark security strategies against industry peers to ensure that all the relevant bases are covered.”