…A business with an eye on security; security with an eye on your information
It is truly amazing how far we’ve come, universally, in our digital transformation drive as individuals and businesses in this space. It is an indication of how we have come to truly appreciate the essence and criticality of digitalisation or adoption of the Internet in our lives and businesses as a major drive for modernisation, increasing productivity, achieving operational efficiency, cutting out waste and mobilising resources.
Whether early or late adopters, or for those who are now trying to catch up with the digital acceleration, it’s a significant depiction of what lies in store for us and the vast opportunities up for grasp.
Notwithstanding, it would be biased of us not to also point out the negatives or seeming exploitation of the same technology that is tripling the profits of businesses being used to attack, destroy, defraud, spread misinformation and violent extremist conversations across platforms and online forums.
Cyber-attacks or incidents clearly have been a major negative to most businesses since inception of the digital drive. The same way businesses have scaled and maximised revenues through digitisation, other businesses have also lost a significant amount of money, suffered a significant decline in brand reputation and public confidence, and endured several legal battles through the ills of cyber-attacks or incidents. Some businesses have also, to some extent, suffered collapse or termination of operations. Statistics prove that 60 percent of start-ups go out of business in 6-months after a cyber-incident.
It is therefore paramount that businesses pay critical attention to cybersecurity – but a much closer look at information security if they still want to keep harnessing the benefits and opportunity in store for digitalization.
Information Security is the foundation of cybersecurity. Security since e inception of the Internet has always been about securing business information from the reach of bad actors. The questions that were asked when the Internet and WWW were invented had to do with how businesses migrating part or full operations onto the Internet, and Internet-driven business start-ups as at that time, would be able to ensure confidentiality, integrity and availability of their information. Since then, there’s been a conscious integration of security measures and controls into hardware and software to ensure safety and security.
Now, there are a lot of security products, standards, policies, laws and regulations with a true purpose of tackling cyber-attacks which are now rampant, overly complex and sophisticated. These initiatives seek to secure Internet users, business processes and the technology or devices that are being used on the Internet.
Upon all these great initiatives and directives, cyber-attacks are still widespread across small, medium and large organisations. Organisations that have nearly all or a satisfying level of security measures or controls in place still get hit, or are targetted even more.
Basically, what is really the cause of these cyber-attacks? How and why – after many years of using policies, laws, regulations, directives, Machine Learning and Artificial Intelligence integrations security products to secure businesses, combat threats and incidents and even stay ahead of hackers or threat actors – have they proven less effective or simply insufficient?
Elders advise that if you are saving money to purchase a land, you should also save money to fence it. Even some socialist extremists advise that you put up at least a temporary structure on it to ultimately guarantee ownership. Buying a land doesn’t guarantee ownership, and therefore people still need to go to some extremes to fully assure ownership. The same goes for securing digital assets – extreme ownership, extreme security.
Security is and has always been a part of our lives since inception. Humans have been conscious about the possible implications or dangers of not securing lives and properties. However, it seems not to be so for cybersecurity. Since inception and adoption of the Internet for business, communication and information sharing, there has seemingly been a complete disregard for security. It is surprising to know that most companies factor cybersecurity considerations at the end of their set-up, or as a less needed option/focus area.
There are some fundamental considerations for businesses that want to fully utilise the digital space while ensuring safe or security of their information:
- Businesses need to make sure that controls are in place to mitigate Critical to high/medium risk levels. There is no bargaining on this. Businesses that do not have the financial muscle to deploy controls to mitigate some risks should resort to other risk treatment mechanisms. Many businesses are aware of their risks but still act on the lines of likelihood and probability. Underbudgeting your cybersecurity needs basically means that you are aware of the risks or potential risks, but you are not ready to resolve them.
This is all because most businesses tend to think they are not targets for hackers or susceptible to any attack. For small to medium businesses, treating risk by tackling it in levels of severity and impact is a good start and a step in the right direction, as this will reduce operational impact in case of cyber-attack.
- Surprisingly, many if not all businesses do not factor cybersecurity needs as part of their business plan draft. It is disturbing to know that 70% of tech start-ups do not budget for cybersecurity, nor perform a risk assessment and feasibility study in relation to cybersecurity before commencing operations. It is a bad practice. A cybersecurity feasibility study will enable businesses to discover areas of possible or potential risks and exposure in order to assess and mitigate them before beginning operations. Knowing your strength and weakness is the first step to winning the war.
It is astonishing to find businesses operating for over 10 years with no international or domestic cyber/information security certification or accreditation, putting their business life, customers and the nation at risk.
- When it comes to industry and international standard certifications and regulations, the ‘Trotro’ driver seat-belt scenario is triggered. Most of these African commercial drivers give the impression that government is more concerned with their lives than it actually is. They do not appear to be interested in wearing seat-belts. When approaching police officers, they fasten their sea- belts but remove them after driving past. Similarly, most firms seem to just certify and comply with directives of the regulator, international standard certifications and the governing statute.
They completely have no interest to practice or extensively implement, since it’s a ‘nuisance’ requirement or directive; so they put in every structure and process to pass industry certification, and after that they kill the implementation and somehow still get to pass auditing and re-certification – exactly like the ‘trotro’ scenario, they flash seat-belts in the face of policemen (auditors); making them believe they are conforming when they are not. These standards and laws are seen as nuisances by businesses, rather than a framework to help them in many ways. This is so because most businesses do not have the monetary capacity to fully implement standards or directives, or they just don’t get the buzz about cybersecurity.
- The focus of security solutions lately seems to be derailing from information security, the core of cybersecurity. Companies need to approach cybersecurity from the information security perspective. Focus on products or services that protect your data or information first before expanding or extending to cover networks and infrastructure.
Deploying Insider-threat security applications; Privileged Identity Management (PIM) systems; Identity and Access Management (IAM) systems; securing data using passwords; encryption, security awareness training; file lockers and back-up mechanisms should be the core strategy for businesses, especially small and medium businesses that cannot afford high end products and security teams. These mechanisms are fundamental, simple to implement and help reduce impact in the event of any cyber-incident. Security must be built from the inside out, focusing on securing data or information artifacts first.
- Threat-intelligence is of major benefit to organisations of all shapes and sizes, by helping process and correlate comprehensive threat data to better understand their attackers, respond faster to incidents, and proactively get ahead of a threat-actor’s next move. For SMBs, these data help them achieve a level of protection that would otherwise be out of reach.
Cybersecurity is supposed to be woven through the operational fabric of a business. It must be a necessary consideration in the conceptional business plan. There is no business that does not interface with the Internet at any point in its supply or value chain, and therefore it’s completely absurd to think that you are special or free from cyber-attack or cyber-fraud.
It has been a usual practice of some businesses to only increase their cybersecurity budget after experiencing an attack or cyber incident. This is a very poor practice, as to some extent money might not be a solution to the attack’s impact.
>>>the writer is a SOC/Digital Forensics Analyst at Cyberteq Falcon Ltd. He can be reached on 0279489127