Kathy Gibson at the IDC CIO Summit, Sandton – There has been an evolution of security threats: from curiosity to cyber warfare – and it’s only going to get worse.
Lise Hagen, research manager: software and IT services at IDC South Africa, says the big question that organisations ask is: what’s next?
The 3rd platform combines social, mobility, big data and cloud computing, all coming together to create some form of Internet of Things (IoT), Hagen says – and security is a massive challenge in this environment.
Organisations are urged to understand where they stand in terms of security – whether reactive, proactive or predictive – with regard to each of the four pillars.
“The ultimate goal is that you have early detection and mitigation of targeted, unknown attacks; with granular logging and policy enforcement of internal and external regulations,” Hagen says.
Every company is already working on security – it is an issue that is of concern. So Hagen has issued a call to arms to CIOs, to face the security threat head on and defeat it.
In order to do this, she says, security must be more flexible to deal with cybercriminals, sophisticated threats, mobility, consumerisation of IT, virtualisation, cloud and regulation and compliance.
“IT departments cannot do everything,” she adds. “Look to where you can get help – at the right vendors and solutions; also look to your peers to ensure you communicate and collaborate, to assess vulnerabilities and develop security strategies.”
It’s important to remember that an organisation is only as secure as its weakest link. And the human factor cannot be neglected: companies need to engage and educate employees regularly on security best practices.
“There is no silver bullet,” she adds. “But CIOs should look at a hybrid approach that includes software, security, SaaS and security appliance. They all have their own value.”
A strategy for emerging technologies is critical, with CIOs urged to know who is doing what within their organisations. This includes shadow IT, where users could be opening up the corporate system to insecure communications.
The face of the threat is changing, says Amanda Mills, group technology manager: IT at GroupM.
In years past, the threat was from outside and the industry worked hard to block the external threat.
Nowadays, the risk of internal threats has increased, with the top five being: social engineering; policy enforcement; undisciplined users; malware; e-mail spoofing/phishing attacks; and device loss or theft.
“We need to cultivate an attitude of suspicion within the organisation,” Mills says. “We need to push back into the user base about what they accept.”
Most organisations have policies to govern the use of their IT assets. Many are drafted as a matter of compliance, but far fewer are actively enforced.
Some, however, do need to be rigorously enforced as they cover areas of significant risk.
These include client confidentiality and data security policies; BYOD (bring your own device) and mobile device security policies; acceptable use policies; and patch and incident management policies.
“One of the major emerging threats is social engineering,” Mills says. “It is arguably the most insidious and dangerous method of malicious exploitations currently in the IT landscape.”
These attackers gain access to the network by exploiting the trusting nature of employees, she adds. Even the most sceptical of employees can be vulnerable as these attacks are sophisticated enough to appear legitimate at face value.
“You need to engage with users so they understand it is really a threat.”
Generally the person who thinks he is secure is most vulnerable, Mills adds: overconfidence in itself is an exploitable trait, and executives are often the easiest targets.
“And no information regardless of its personal or sensitive nature is off limits for a hacker,” Mills says.
Undisciplined workers also let attacks into the organisation. The average worker spends one to two hours a day surfing the Web for personal use, with the most popular destinations being social media, video sharing, and search engines.
A problem, says Mills, is that social media sites offer games which are not necessarily hosted on a trusted server and so present a persistent threat.
Malicious content is also often contained on “free” downloads, and even computer savvy employees get caught by these.
E-mail exploits are particularly worrisome as many people don’t question e-mail, she adds.
Malware is a complex issue comprising a number of exploits that fall outside the purview of traditional AV programs – so companies need to run anti-malware as well as anti-virus.
The most significant threats from malware are from rootkit viruses, often operating as sleepers; ransomware; scareware; and worms/Trojans.
E-mail and phishing attacks thrive in areas of weak governance; traditionally, items considered personal fall into this category.
Because e-mail is ubiquitous and users trust it, and because it is worryingly easy to spoof legitimate-looking mail addresses, this is quite easy for cybercriminals to exploit.
Phishing has evolved into angling – it’s getting more sophisticated; and the attacks are difficult to track because they regularly change payloads and ports.
Device theft or loss is a very real and present danger. There is a trend towards organised, targeted device theft to get criminal hands on the data thereon. And it’s not just laptops, but tablets, smartphones, external drives or even USBs.
“It’s not all bad news,” Mills says, offering tips to stay safe: execute good physical security; have stringent policy enforcement; patch extra vigilantly to stay ahead of the threats; integrate with HR so you know who you are employing; and continuously update and train users – or none of your security efforts will pay off.