A lack of policy-driven consequence is putting corporate South Africa at risk of being vulnerable to cyber attacks. Organisations often view security as a grudge purchase, resulting in them not adequately protecting their data assets. This, coupled with complex or multiple solutions, often leads to security being compromised, putting the company at risk. Companies, therefore, have to take the responsibility to invest in increased security as risks continue to grow in the wake of the Internet of Things (IoT) and pervasive connectivity.
According to Eric McGee, managing executive of information security and managed network services at Business Connexion, one of the biggest challenges companies face is that the current generation of business leaders do not understand the true value of data assets.
“These assets are intangible and, because these leaders don’t necessarily understand the value of the information, they don’t necessarily understand the risks that surround it,” he says.
Compare this to millennials or digital natives and the picture changes significantly. “These millennials are attaching a monetary value to things in a virtual world, for example in gaming, and they therefore have a much better understanding of the value information provides.”
McGee says that although companies do invest in security, a lack of understanding of what they are trying to achieve makes them feel like they are wasting money. “People are willing to spend money on physical security items such as alarm systems, gates and beams because if they don’t, the impact means stolen tangible assets. However, in the virtual world, it’s not something tangible.”
Physical risks are mitigated by investing in security measures, and the same goes for cyber security, where investment in encryption, anti-virus software and firewalls, to name a few, will reduce your exposure to risk. “It is also important to educate employees to be responsible when they are online and to understand the risk and impact of their online behaviour and why they have to adhere to the company’s security policies,” he adds.
A clear shift in mindset is required if organisations are to alleviate their risks in today’s connected world. Organisations will have to simplify the use of security measures to ensure that they are not compromised in an attempt to work on complex systems. “If you, for example, have multiple passwords to access different systems, it makes it very difficult for the user, resulting in them writing down or sharing their passwords and rendering the security measures ineffective,” says McGee.
“While this problem can easily be solved through a single login platform, it costs money and many organisations are not willing to invest in this. If the business had invested in a single sign-on solution, the user’s behaviour would be very different, making their lives far easier. It is, therefore, worth spending that money on the convenience as it will drive better user behaviour.”
While South Africans are protected under the proposed Protection of Personal Information Act, McGee believes that there is not enough consequence if security is breached. “We are lagging behind the likes of Europe and the United States, where there are far more policies in place to protect personal information. In South Africa, there isn’t that deep-rooted understanding of the responsibility for the protection of data.
“What organisations must come to terms with is the fact that security and the protection of their customers’ data and identities are their responsibility, even if there are limited policy-driven consequences. Furthermore, millennials entering the workforce have very specific expectations when it comes to security and the virtual world and will expect their employers to ensure they are protected.”
He adds that proactive monitoring of your systems is crucial in securing your organisation’s information assets. “The challenge is that many organisations do not know where their vulnerabilities lie until their security has been compromised. This, along with a lack of clear policies and procedures that need to be followed in the event of a breach, puts the organisation at greater risk as they will not be able to deal with the eventuality.”
McGee believes that security should not be an IT issue, but rather a business issue. “Information assets belong to the organisation and therefore, the organisation needs to take responsibility as a collective to secure these. Unfortunately, this is not often the case and IT is left to drive security. And, while we are already observing a change in mindset when it comes to this, it is not happening as fast as it should be,” he concludes.