Events across the globe over the past 18 months have seen internal information security breaches escalate to an unprecedented level. This has forever changed corporate consciousness in the security landscape. Companies must urgently address the situation to protect their information assets and the privacy of their electronic identity.
J2 Software managing director John Mc Loughlin says as the complexity of data and ease of access keeps increasing, now more than ever, companies have a golden opportunity to push information security to the top of their agenda.
‘It is more important than ever to ensure that information is protected and risk is minimised, especially considering the ever-changing business environment. Information drives businesses and has become the lifeblood of modern organisations; without it, they die.’
According to a number of recent studies, the ‘Insider Threat’ has loomed to become the most feared information security risk in most organisations today. Regardless of the technologies and software solutions that an organisation may deploy to mitigate the risk of information security breaches, the critical factor is always people.
He says the only solution is to build information security into the DNA of the organisation and its employees: ‘Making Your People the Guardians of Your Information.’
Working with large and small organisations in various sectors including distribution, precision engineering, pharmaceutical and financial services, it has become evident that only a relatively small number of people are maliciously or intentionally non-compliant with a company’s IT Security Policy. In the majority of cases, non-compliance results from unintentional ignorance, often fuelled by the unsupervised or misguided use of computers.
‘Today, the time is right to discuss the major challenges that managers face when attempting to uphold their information security and compliance strategy; it is the perfect time to share experiences and solutions with the aim of helping to overcome the complexity of these issues,’ he explains.
Building information security into the DNA of any organisation is the key to achieving compliance and mitigating risk, but it also presents the biggest challenge, especially for large and complex organisations. Even in organisations where other aspects of security are paramount, e.g. national security in defence environments, the internal regulation of information security policies can prove to be more difficult to enforce.
The buy-in process needs to start at board level and then progress down to the general employee level. Achieving this is not easy and the challenges differ according to the level of maturity of the organisation. Work still needs to be done at board level to change the attitude that compliance costs money and is akin to buying insurance. If nothing has happened, why buy more protection?
Many organisations are typically seen as seeking the ‘Magic Bullet’, but are reluctant to adopt measures that are perceived to inhibit business activity. Governance, Risk and Compliance teams, who are not seen to be generating revenue for the core business, are often viewed as ‘Business Prevention Officers’ because the enforcement of policies and procedures is perceived as obstructive, time consuming and a barrier to generating revenue.
There must be a balance between business risk, business operations and business competitiveness. This also requires the organisation to use tools which are proactive as opposed to reactive.
However, the risk of reputational damage is an extremely powerful factor that all directors want to avoid at all costs. High level incidents are now reinforcing the compliance message via the ‘fear factor’, and they also illustrate the ongoing reputational and financial damage that results from a breach. Reputational risk is a factor that is increasingly driving compliance, particularly in the financial services and public sectors.
The importance of the IT Security Policy document, and how it is communicated and enforced, is a crucial issue. Most of these documents are too bulky and unmanageable, making them likely to remain unknown and unnoticed. Keeping the policy ‘live’ and relevant, while communicating that relevance throughout the organisation, is the key to achieving the objectives of the document. This proves to be a difficult task, especially when even the authors of the policies can sometimes forget what they contain.
Large organisations are usually divided into departments with associated responsibilities that never ‘talk’ to each other. These silos foster poor communication, as is often the case between the IT Department and the board, or between the audit department and senior management.
Consequently, compliance is often viewed from two or even three opposing perspectives with each party failing to see the other’s point of view, or to be able to effectively communicate risk and consequences. An important factor is the different language and terminology used by the IT and finance departments, which may not be clearly understood by those who need to know.
There are also examples where risk has been communicated, but has been purposely ignored when it is financially advantageous to do so. In these cases, the audit department ‘red flags’ certain suspicious activity to management, but the warning is somehow ignored. Reluctance to escalate a known irregularity is highly likely if the irregularity is generating large sums of money.
‘Compliance Fatigue’ can result from the constant updating and revision of regulatory compliance requirements. The outcome of such fatigue can be that most people stop paying attention, failing to read, understand or care to follow policy. This is a major challenge for all organisations in the regulated environment.
All of these factors must be taken into account when considering the implementation of a long term Governance, Risk and Compliance strategy.
Mc Loughlin says risks arise when a company has multiple external providers and none of them meet the same standards of internal compliance and risk assessment, often because they do not face the same regulatory pressure. ‘This is when trust has to play an important role and the associated risk may be high. Balancing risk and compliance when a large percentage of people working on a project or deal are external, or where aspects of the business are globally outsourced, can be problematic.’
In order to turn Governance, Risk and Compliance into competitive advantage, it must be perceived and experienced as a ‘Business Enabler’ as opposed to a function which leads to ‘Business Prevention’. Compliance should not lengthen the ‘Time to Value’ continuum, which is a critical success factor for many bid teams.
For this reason, bid teams often do not include compliance staff, and in situations where a complex bid is being put together in a short time frame, cutting corners is a very attractive option. It is here that the Risk Management equation comes into its own, where management is often found asking: ‘is the cost of non-compliance worth the risk?’
When legislation is amended several times during the process, compliance could very easily become a casualty. Legislation that changes regularly, leaving it open to interpretation and sometimes with a requirement to be implemented across continents, all leads to compliance being viewed as an undesirable overhead.
‘With all these challenges, how do they build Information Security and Compliance into the DNA of an organisation? There is a simple answer: it will take some time, effort and commitment from everyone, but for total success the entire initiative must be led from the top,’ he says.
The aim should be to get Information Security awarded the same status as Occupational Health and Safety and Corporate Social Responsibility (CSR) at main board level. This needs to be enforced and managed by well planned internal structures and processes which are regularly reviewed.
Driving down the cost of compliance is not only the key to competitive advantage, but also to compliance being taken seriously and becoming part of a cost effective executive risk management strategy. If compliance is too time consuming and complex it will be ignored or short cuts will be taken.
Compliance must be turned into competitive advantage whereby the opportunity cost of being compliant is vastly reduced. In order to help achieve this, compliance roles should not be separate, but should be seen as business enablers, integrating the compliance needs of audit and IT and communicating this at a board level.
He says unseen risks cause damage and, unfortunately, one cannot manage what one cannot see. ‘This is a simple phrase to keep in mind when implementing the Governance, Risk and Compliance strategy. Incidents will inevitably occur regardless of effective security measures, but ongoing proactive automated enforcement, staff education and end user buy-in will minimise the likelihood and impact of unforeseen risks.’
When Information Security is embedded into an organisation’s DNA, compliance not only involves observing the formal rules as laid out in the policy, but also includes observing the informal rules governing circumstances that may not be anticipated. Observing these informal rules will demonstrate that security is well and truly embedded in the organisation’s DNA.
Once this process is initiated, a simple but effective test of how well security is embedded into the DNA can be illustrated by leaving a confidential document on the floor in a common area to see how it is handled by passing staff.
‘Employees must be confident in handling situations where they may not have the familiar security parameters around them, and the informal rules or corporate morals will kick in automatically,’ he concludes.
Prepare for deepfake impact
Is the world as we know it ready for the real impact of deepfake? CAREY VAN VLAANDEREN, CEO at ESET SA, digs deeper
Deepfake technology is rapidly becoming easier and quicker to create and it’s opening a door into a new form of cybercrime. Although it’s still mostly seen as relatively harmless or even humorous, this craze could take a more sinister turn in the future and be at the heart of political scandals, cybercrime, or even unimaginable concepts involving fake videos. And it won’t be just public figures that bear the brunt.
A deepfake is the technique of human-image synthesis based on artificial intelligence to create fake content either from scratch or using existing video designed to replicate the look and sound of a real human. Such videos can look incredibly real and currently many of these videos involve celebrities or public figures saying something outrageous or untrue.
New research shows a huge increase in the creation of deepfake videos, with the number online almost doubling in the last nine months alone. Deepfakes are increasing in quality at a swift rate, too. A video showing Bill Hader morphing effortlessly between Tom Cruise and Seth Rogen is just one example of how authentic these videos are looking, as well as sounding. Searching YouTube for the term ‘deepfake’ will make you realise we are viewing only the tip of the iceberg of what is to come.
In fact, we have already seen deepfake technology used for fraud, where a deepfaked voice was reportedly used to scam a CEO out of a large sum of cash. It is believed the CEO of an unnamed UK firm thought he was on the phone to his boss and followed the orders to immediately transfer €220,000 (roughly US$244,000) to a Hungarian supplier’s bank account. If it was this easy to influence someone by just asking them to do it over the phone, then surely we will need better security in place to mitigate this threat.
Fooling the naked eye
We have also seen DeepNudes apps that were able to turn a photo of any clothed person into a topless image in seconds. Although, luckily, this particular app has now been taken offline, what if it comes back in another form with a vengeance and is able to create convincingly authentic-looking video?
There is also evidence that the production of these videos is becoming a lucrative business especially in the pornography industry. The BBC says “96% of these videos are of female celebrities having their likenesses swapped into sexually explicit videos – without their knowledge or consent”.
A recent Californian bill has taken a leap of faith and made it illegal to create a pornographic deepfake of someone without their consent with a penalty of up to $150,000. But chances are that no legislation will be enough to deter some people from fabricating the videos.
To be sure, an article from The Economist discusses that in order to make a convincing enough deepfake you would need a serious amount of video footage and/or voice recordings in order to make even a short deepfake clip.
Having said that, in the not-too-distant future it may be entirely possible to take just a few short Instagram stories and create a deepfake that is believed by the majority of the subject’s followers online, or by anyone else who knows them. We may see some unimaginable videos appearing of people closer to home – the boss, our colleagues, our peers, our family. Additionally, deepfakes may also be used for bullying in schools, the office or even further afield.
Furthermore, cybercriminals will definitely use such technology to spearphish victims. Deepfakes keep getting cheaper to create and are becoming near-impossible to detect with the human eye alone. As a result, all that fakery could very easily muddy the water between fact and fiction, which in turn could force us to not trust anything – even when presented with what our senses are telling us to believe.
Heading off the very real threat
So, what can be done to prepare us for this threat? First, we need to better educate people that deepfakes exist, how they work and the potential damage they can cause. We will all need to learn to treat even the most realistic videos we see as potential total fabrications.
Secondly, technology desperately needs to develop better detection of deepfakes. There is already research going into it, but it’s nowhere near where it should be yet. Although machine learning is at the heart of creating them in the first place, there needs to be something in place that acts as the antidote being able to detect them without relying on human eyes alone.
Finally, social media platforms need to realize there is a huge potential threat with the impact of deepfakes because when you mix a shocking video with social media, the outcome tends to spread very rapidly and potentially could have a detrimental impact on society.
A career in data science – or your money back
The Explore Data Science Academy is offering high demand skills courses – and guarantees employment for trainees
The Explore Data Science Academy (EDSA) has announced several new courses in 2020 that it says will radically change the shape of data science education in South Africa.
Comprising Data Science, Data Engineering, Data Analytics and Machine Learning, each six-month course provides vital digital skills that are in high demand in the market place. The full time, fully immersive courses each cost R60 000 including VAT.
The courses are differentiated from any other available by the fact that EDSA has introduced a money back promise if it cannot place the candidate in a job within six months of graduation and at a minimum annual starting salary of R240 000.
“For South Africans with drive and aptitude, this is the perfect opportunity to launch a career in what has been called the sexiest career of the 21st century,” says Explore founder Shaun Dippnall.
Dippnall and his team are betting on the explosive demand for data science skills locally and globally.
“There is a massive supply-demand gap in the area of data science and our universities and colleges are struggling to keep up with the rapid growth and changing nature of specific digital skills being demanded by companies.
“We are offering specifically a work ready opportunity in a highly skills deficient sector, and one which guarantees employment thereafter.”
The latter is particularly pertinent to young South Africans – a segment which currently faces a 30 percent unemployment rate.
“If you have skills in either Data Science, Data Engineering, Data Analytics or Machine Learning, you will find work locally, even globally. We’re confident of that,” says Dippnall.
EDSA is part of the larger Explore organisation and has for the past two years offered young people an opportunity to be trained as data scientists and embark on careers in a fast-growing sector of the economy.
In its first year of operation, EDSA trained 100 learners as data scientists in a fully sponsored, full-time 12-month course. In year two, this number increased to 400.
“Because we are connected with hundreds of employers and have an excellent understanding of the skills they need, our current placement rate is over 90 percent of the students we’ve taught,” Dippnall says. “These learners can earn an average of R360 000 annually, hence our offer of your money back if there is no employment at a minimum annual salary of R240k within six months.
“With one of the highest youth unemployment rates in the world – recently announced as a national emergency by the President – it is important that institutions teach skills that are in demand and where learners can earn a healthy living afterwards.”
There are qualifying criteria, however. Candidates need to live in close proximity (within one hour’s commuting distance) to, or be prepared to relocate to, either Johannesburg or Cape Town, and need to be between the ages of 18 and 55.
“Our application process is very tough. We’ll test for aptitude and attitude using the qualifying framework we’ve built over the years. If you’re smart enough, you’ll be accepted,” says Dippnall.
To find out more, visit http://www.explore-datascience.net.