2019's Security lessons for 2020
Several banks were hit by distributed denial of service (DDoS) attacks, attempting to cripple their networks and slow down transactions. DDoS attacks also impacted several local ISPs, and one of SA’s major municipalities was locked down by a ransomware infection. 2019 even set a record: 116,000 attacks on the country were detected during 8 consecutive days in July.
In our current economic downturn, we can’t afford downtime, as it has a direct ripple effect right down to the profit margins. Considering how prevalent cyberattacks are at the moment, there is a definite need for more mitigation of cyber risks, including counter-measures and insurance.
Cybercriminals make a career of breaching targets. It’s their 9 to 5, and they can become very creative. Targeted phishing attacks - spear and whale phishing - are on the rise as criminals aim at more specific targets. But they haven’t forgone their other methods - online criminals are attacking more than before.
2019 was also tough on security because of compliance. GDPR and POPIA both placed pressure on companies to update their systems. Not all of those projects were successful: compliance is not the same thing as security and can even cannibalise security resources. But the companies that worked with a skilled IT partner were able to get the best of both.
Fortunately, data compliance and cyberattacks raised security’s profile in 2019. Customers have matured in their attitudes towards security. So have providers: the best providers now integrate security as part of a more extensive service. This approach reduces the overall complexity of an IT estate. That same complexity has been making it easier for the criminals to get in.
If I could distil the mood around security into one concept, it’s the realisation that good security means continuous improvement. Just as Six Sigma and Kaizen are being used to grow modern companies, the same logic is finding support in security and from the business, not only IT.
But understanding the need for better security, and executing on it, are two different things. 2020 is an opportunity to tackle security with a fresh outlook. To help your thought process, I propose the following steps:
- Take security seriously
Everyone is a target. Criminals have gone after specific people, and they have thrown wide nets to catch as many people off-guard as they can. Stakeholders and decision-makers in a company - including the board - must accept this as a priority and severe risk. Then also understand that you can’t do it alone. Select a technology partner with the skills and scale to help guide your efforts and put the right risk mitigations in place. Vic IT partners with Micro Focus and Axiz to offer the solutions and scales that enterprises need.
- Sort your data
The criminals want your data, so start there. Do you know what data you own? Do you know which data is essential to your processes and output? Do you know where that data is and how many copies are moving around? Even if security isn’t your primary concern, unkempt data inevitably leads to unnecessary storage costs and production bottlenecks. Auditing your data is essential, as is deciding on data management and backup solutions such as DPoD (Data Protection on Demand) and DPaaS (Data Protection as a Service).
- Know your threats
What would criminals target? A data audit can tell you a lot about the information they want to steal. But you must also connect the dots. Who has access to that valuable data? How could they be compromised? It may be someone who can use a device that, in turn, can access the relevant data. One example I encountered was of criminals targeting a CEO’s child. They worked out the toddler spent time on his dad’s phone - which they wanted to breach - so an attack was designed to target the toddler.
- Reduce your complexity
Companies have been responding to security threats, but are doing so in a like-for-like fashion. If they see a risk or threat, they find a solution to fix that specific problem. But this has led to many different security solutions for different services from different vendors. You should select partners that can integrate security into other projects and make security part of everything you do. This includes selective automation of processes.
- Educate your people
People remain the softest targets for online criminals. It’s tempting to try to remove them from the equation through automation. I am a supporter of ‘zero trust’ methodology that works to take as much pressure away from users as possible. But you can’t achieve complete automation, nor do you want to. No machine is quite as clever as the human criminals out there. So it is important to teach staff basic security hygiene. This must be a continuous activity, designed to appeal to the users. The better they understand how security relates to what they do, the more proactive and aware they will be.