This Mail & Guardian webinar was sponsored by Rectron. It featured Elaine Wang, Cloud and Software Solutions Director at Rectron; Simon Perry, Chief Technology Officer at Cyber Security South Africa; Colin Erasmus, who heads up the Modern Workplace Business Group at Microsoft South Africa; and Peter French, Managing Director of Synapsys. It was moderated by Toby Shapshak, editor-in-chief and publisher of Stuff magazine.
Cyber-attacks are on the increase, affecting all types and sizes of businesses. The situation has been exacerbated by the Covid-19 pandemic, as millions of people are now working from home. These cybersecurity risks are numerous and pose a very serious threat, especially for businesses sharing valuable information on their networks. So how can businesses stay protected and how should they respond if they think there has been a possible security breach? This panel discussion provided some answers.
According to Simon Perry, there are three main threats currently in the market. Ransomware is considered the biggest global threat today. Malware is sent via email, where it can encrypt the data on the machine, and hackers then demand a “ransom”, often in cryptocurrency, to reclaim it. Another major threat is phishing campaigns, which have gained more prevalence during the pandemic with cybercriminals posing as trusted organisations providing vaccines, for example. Clicking on a link sent via email gives hackers access to sensitive information on a machine. Last is the insider threat or risk, where staff of an organisation with access to data may share it or lose it, by mistake or maliciously, with damaging consequences for a business.
Security challenges in a WFH landscape
As more people are working remotely, the challenges for businesses increase. For example, devices are now sitting outside a traditional network perimeter, people other than employees can gain access to the network, and many applications that are being used are not part of the cloud service. These all pose new, interesting risks, said Colin Erasmus, which means an organisation must change the way it thinks about security. It is not just about being focused on device, asset and employee safety, but also on data protection.
Working from a home network can be problematic, added Elaine Wang, as these often use generic, easily hacked passwords, and are not set up with proper cyber protection, unlike a traditional office environment.
Proactive steps for cyber protection
Training, educating and keeping people informed about malware is extremely important, said Wang, in preventing an attack. Businesses also need to think about how their data is being used and how to protect it. Encrypting disks can safeguard data if a device is stolen. People are also increasingly working on multiple devices, such as mobile phones and tablets, which need to be included in a security management system.
Even if there is a security system in place, businesses should regularly monitor it and update it to safeguard against the latest cyberattacks. Wang advised that businesses should have a response plan in place to pre-empt a breach, enabling businesses to respond timeously as opposed to reactively.
The benefits of business-grade security systems
As times are tough, many businesses are looking to cut costs. Free or consumer-grade protection software is fine for start-ups and a few devices, said Wang, but as soon as a business grows with more people and more devices on a network, security becomes more complex.
One of the downfalls of consumer-grade protection solutions is that there is no central way to manage security across a company. For instance, licences may expire for users at different times, so some employees may not be adequately protected. Business-grade security systems allow for a centrally managed system, with security updates and patches going to all endpoints. Many business-grade security systems now have built-in learning systems and AI, which help businesses stay up to date with protection, as cyber-attacks are evolving fast.
How much protection is enough?
Earlier in the discussion Erasmus mentioned that 94% of organisations are now working on the cloud, but that does not mean inherent security. Businesses still need to be careful about how and where they put things in the cloud and rely on strong identity principles. Perry added that often cloud vendors do not provide security within the cloud, only providing protection for the cloud perimeter. He went on to say there is still a need for a third-party security control.
Shapshak pointed out the importance of identity management in a system — you must know who is connecting to your system and that they are who they say they are. Wang advised that there should be clear communication between the staff, particularly HR and IT, about who is currently working for the company, and that not everybody needs access to all systems and data. Multi-factor authentication is a must-have, said Wang, for providing the next level of assurance that the correct person is logging in to the system.
How do you secure a remote workforce?
Peter French said that the first step is to define a policy for remote working that outlines certain rules for security, such as keeping company data on company computers, avoiding public Wi-Fi systems or using VPN (virtual private network) encryption. He reiterated the need for strong passwords, password managers and multi-authentication apps. Train staff in these guidelines and ensure that the IT team support users in performing these functions.
Businesses need to leverage the right tools in managing and monitoring remote systems and sites and controlling devices and data. French added that it’s essential to maintain the basics, such as regularly updating software and anti-virus solutions, and having a general foothold on devices accessing the network. Ensure there’s a strict, encrypted, cloud-based back-up system in place, notify staff about current threats in meetings and internal newsletters, and provide a relevant, accessible platform for employees to stay informed.
The impact of POPIA
The Protection of Personal Information Act (POPIA) regulations will come into effect on 1 July 2021. The onus is now on organisations to be responsible about how data is collected and stored. You need to have permission from people for collecting data about them, and this data can only be used as originally intended. To navigate this, Erasmus advised that organisations need to know their data and where it is stored. About 80% of organisations have “dark data”, which is data that they haven’t classified; they don’t know if it is public information or not, and don’t know if it is sensitive or not. The next step is to protect this data, and then govern this data in an intelligent and automated fashion. If policies are in place, ensure you can enforce them.
What should companies do when they are hit by a ransomware attack?
Businesses must have a DEFCON 1 strategy in place, said French, where all users should know what to do in the event of a ransomware threat. They should immediately get the system off the network. The next steps, said French, are to isolate and identify the threat and disconnect external hard drives from the system. Finally, inform the experts. It may not be worth the time and resources trying to clean up the old system, so rather go to a back-up copy if there is one. Avoid at all costs paying the ransom.
In addition to having a game-plan for an attack, Erasmus said that businesses need to look at their security architecture, particularly with shadow IT. Security needs to take an integrated approach that has adjustable controls and continuous monitoring. Identity management is essential in this regard, to mitigate potential risk of an attack.
Is it possible to be 100% secure?
Perry said this will never be the case, but a “human firewall” is the first line of defence in coming close, where security awareness among users remains key. Wang added that businesses should test security systems regularly, to see what they do, and if they are going to defend you in case of an attack.
In conclusion, said Shapshak, cybersecurity should be a number one priority for businesses. Security is not a one-size-fits-all issue; each company must customise its systems, and always be prepared for an attack, especially with the rise of a work-from-home environment and as threats become more personal.