An ISO’s insider tips to secure your business
South Africa is the third most targeted country in the world for cyber criminals – not necessarily because of the rich pickings, but because of the ease with which wealth can be extracted, says Kevin Halkerd, Information Security Officer (ISO) at fintech company e4, which offers software-as-a-service-driven digital solutions.
Yet even the most advanced and expensive security tools can’t completely protect against all threats. Here, Halkerd gives advice on how security teams can fill some of the most glaring gaps.
Put people first
Cybersecurity might seem like a technological problem, but very often, it’s a people problem, says Halkerd. “People are really the weakest link in the cyber security risk chain. People-related risks are ubiquitous and include social engineering such as phishing, poor password protection and even employees selling their credentials to criminals for money. Creating awareness about these risks and educating the workforce is key, and competent training programmes should form part of your security budget.”
Communication is crucial
Too often, security is treated as a band-aid, something applied only after a breach, when it should of course be in place to prevent one. Part of the reason for this mindset is poor communication leading to a lack of cooperation, says Halkerd. “One common example of this is when new methodologies, technology or systems are adopted in a company without consulting IT on the security aspect of it first. Bringing security in as an afterthought leads to vulnerabilities.”
It’s also important that security teams engage with the rest of the workforce, rather than operate as a separate entity, he adds. “Trust is built through face-to-face interaction. If an employee encounters a cyber threat, they should know who they can call and that there is immediate help available to them.”
Spend smarter
Every information security officer knows how challenging budgets can be. Staying on top of the latest trends and risks, and acquiring the right tools to deal with them, costs a lot of money.
It’s time for a mind shift, says Halkerd. “The way business works is to spend the minimum to maximise profits. This sometimes means simply installing an anti-virus programme and firewall – and that’s a dangerous position to take. Business leaders, and security officers in budget negotiations with execs, should reframe this to: What is the most risk the business can be exposed to and still make money? This usually hits home, because now it’s about risk management and risk tolerance. Can your business really afford to go offline for days because your straightforward anti-virus didn’t do the job? If not, it’s time to rework that budget.”
Delve into data
In South Africa, ease of access to data is an immense problem, says Halkerd. Though the Protection of Personal Information Act (POPIA) is taking strides to safeguard personal data, it’s not enough. “Data and information theft is a lucrative business. Criminals often target law firms to get access to property information, for example, because real estate deals can be worth millions. Other data is used to enable insider trading. Our mining industry is under threat because criminals want to steal geographical survey and mineral study data to sell to the highest bidder.”
Companies, he says, need to go beyond POPIA to secure data. “And don’t forget the third-party risk, too. I strongly encourage companies to follow the US National Institute of Standards and Technology’s (NIST) cybersecurity framework, which gives good guidance, and to get all suppliers to adopt it too.”
Do the boring work
A solid understanding of what security the business needs, backed by the correct tools to keep it secure, is your first line of cyber defence, but monitoring those tools is just as crucial. “You need comprehensive practices to monitor the effectiveness of your toolsets. It’s not the most exciting work, but it’s essential,” says Halkerd.
Most high-profile breaches that occurred in South Africa over the last few months, he adds, could have been prevented by such monitoring. “Even simple monitoring practices never occurred – password re-use, for example, was prevalent. In other cases, monitoring was limited to one platform or only certain actions.
“Yes, security tools can do the work automatically, but you then must review the results on a weekly, monthly, and quarterly basis. And then adjust the playbook and practice to manage risks as necessary. Regular auditing and testing are vital and require constant vigilance.”