Cyber security used to be all about prevention, but as breaches become a matter of when rather than if, the new watchword is resilience, writes ARTHUR GOLDSTUCK.
There was a time when all one needed to keep computers safe was up-to-date anti-virus software. Then the hackers upgraded their armoury and we needed firewalls for both networks and personal computers. Finally, cyber criminals developed an all-out assault, in which thousands of compromised computers would be roped in as “bots” to mass-attack a target. Known as a Distributed Denial-of-Service or DDoS attack, it has taken down even the mightiest technology champions like Facebook and Google.
As a result, for some years now, information security has been seen as an arms race between the hackers and the defenders. The latter have never been willing to acknowledge that the hackers tend to have the upper hand, but this reality is slowly beginning to dawn on them.
So, while up-to-date information security tools and defences remain critical, they can no longer define security strategy.
“People are realising there’s no silver bullet, no one technology that will help them clamp down on cyber threats,” says Heino Gevers, Customer Experience Manager at Mimecast South Africa, specialists in email protection and management. “The answer is not to use more technology, but to develop something called cyber resilience.”
This refers only partly to the ability to withstand attacks. Primarily, it deals with now one responds when an attack does take place, as well as what processes are in place to protect customer information, how these processes are documented, and whether the company has a strategy for evolving its responses.
Right now, for example, many companies are struggling to get to grips with the Protection of Personal Information (POPI) Act, which has been signed into law, but is not yet active due to provisions that have not yet been met. A key element of POPI is a requirement to disclose any security breaches that may have compromised customer information.
Last year, the Ster-Kinekor website suffered a major breach that resulted in millions of user names and passwords being exposed. The company was not obliged to report it, and it only came to light as a result of being given as a case study during a global cyber security conference.
Under POPI, not only would a company be obliged to disclose such a breach, but it would also have to explain what measures had been in place to protect its customers, and how it was addressing the consequences. In effect, POPI compliance would be a key step towards cyber resilience.
“Companies have to ask themselves the question: what have they done today to try to understand POPI and the new cyber laws, and what it means for their business,” says Gevers.
“A lot of it speaks to how you put measures in place, how you document those measures when there is a breach, and about the processes and people components. It’s not a nice-to-have: it’s going to be mandatory.”
Once a company start unpacking these demands, he says, it gets to the core of new cyber security demands.
“Firstly, there is no silver bullet. Secondly, a defensive strategy should evolve to a resilience strategy, ie instead of only trying to prevent it, know what to do when it happens and be able to answer the question: did you do everything in your power to protect customers, users and data?”
The concept can be extended to individuals as well. Everyone should have a plan in place for when things go wrong. For example, if a virus infects your computer or smartphone, or you are conned into downloading software that locks you out of your computer, do you have a backup somewhere? Can you log into Microsoft OneDrive or GoogleDrive and get access to the latest versions of all your documents?
If you don’t have that kind of online backup, are you backing up onto an external hard drive or even USB flash drive? Are you able to change the password on your online bank account or social media network at a moment’s notice?
If none of that has even occurred to you, then you are not even close to cyber resilience. But with that checklist in hand, you can begin the process.
For companies, entire departments exist to take that responsibility off the hands of individuals, but every employee should be involved in the process.
“Cyber resilience is best deacribed as a famework consisting of five pillars,” says Gevers. “It makes it simple for organisations to understand where to start and to refine these pillars.”
The five pillars of cyber resilience can be summed up as:
- Preparing and identifying what information is being processed in an organisation and ientifying what systems interact with that information. It should then be classified according to confidential company information, confidential customer information, or public knowledge.
- Reasonable protection of the organisation, which includes having a clear understanding of the comapany’s information security needs.
- Swift detection of a breach, on the understanding that, as Gevers put it, “the sooner you can detect a breach, the better you can mitigate financial damage”.
- Swift reponse, which includes having a business continuity plan in place, and transparent communication with all stakeholders. “How do I repsond to inernal staff, and who owns that communication? It all has to be approved in advance,” says Gevers. “Don’t deal with the issue in isolation or sweep it under the carpet.”
- How you recover is possibly the most critical pillar. “Most organisations don’t have a plan to restore operations. Most restore from a backup. They need to acknowledge that ransomware and other threats are evolving, so you cant recover in the way you did in past, if the criminals still have your intellectual property.”
How we use phones to avoid human contact
A recent study by Kaspersky Lab has found that 75% of people pick up their connected device to avoid conversing with another human being.
Connected devices are becoming essential to keeping people in contact with each other, but for many they are also a much-needed comfort blanket in a variety of social situations when they do not want to interact with others. A recent survey from Kaspersky Lab has confirmed this trend in behaviour after three-quarters of people (75%) admitted they use a device to pretend to be busy when they don’t want to talk to someone else, showing the importance of keeping connected devices protected under all circumstances.
Imagine you’ve arrived at a bar and you’re waiting for your date. The bar is busy, and people are chatting all around you. What do you do now? Strike up a conversation with someone you don’t know? Grab your phone from your pocket or handbag until your date arrives to keep yourself busy? Why talk to humans or even make eye-contact with someone else when you can stare at your connected device instead?
The truth is, our use of devices is making it much easier to avoid small talk or even be polite to those around us, and new Kaspersky Lab research has found that 72% of people use one when they do not know what to do in a social situation. They are also the ‘go-to’ distraction for people even when they aren’t trying to look busy or avoid someone’s eye. 46% of people admit to using a device just to kill time every day and 44% use it as a daily distraction.
In addition to just being a distraction, devices are also a lifeline to those who would rather not talk directly to another person in day-to-day situations, to complete essential tasks. In fact, nearly a third (31%) of people would prefer to carry out tasks such as ordering a taxi or finding directions to where they need to go via a website and an app, because they find it an easier experience than speaking with another person.
Whether they are helping us avoid direct contact or filling a void in our daily lives, our constant reliance on devices has become a cause for panic when they become unusable. A third (34%) of people worry that they will not be able to entertain themselves if they cannot access a connected device. 12% are even concerned that they won’t be able to pretend to be busy if their device is out of action.
Dmitry Aleshin, VP for Product Marketing, Kaspersky Lab said, “The reliance on connected devices is impacting us in more ways than we could have ever expected. There is no doubt that being connected gives us the freedom to make modern life easier, but devices are also vital to help people get through different and difficult social situations. No matter what your ‘connection crutch’ is, it is essential to make sure your device is online and available when you need it most.”
To ensure your device lifeline is always there and in top health – no matter what the reason or situation – Kaspersky Security Cloud keeps your connection safe and secure:
· I want to use my device while waiting for a friend – is it secure to access the bar’s Wi-Fi?
With Kaspersky Security Cloud, devices are protected against network threats, even if the user needs to use insecure public Wi-Fi hotspots. This is done through transferring data via an encrypted channel to ensure personal data safety, so users’ devices are protected on any connection.
· Oh no! I’m bored but my phone’s battery is getting low – what am I going to do?
Users can track their battery level thanks to a countdown of how many minutes are left until their device shuts down in the Kaspersky Security Cloud interface. There is also a wide-range of portable power supplies available to keep device batteries charged while on-the-go.
· I’ve lost my phone! How will I keep myself entertained now?
Should the unthinkable happen and you lose or have your phone stolen, Kaspersky Security Cloud can track and protect your device from data breaches, for complete peace of mind. Remote lock and locate features ensure your device remains secure until you are reunited.
Five key biometric facts
Due to their uniqueness, fingerprints are being used more and more to quickly identify and ensure the security of customers. CLAUDE LANGLEY, Regional Sales Manager, for Africa at HID Global Biometrics, outlines five facts about the technology.
How many times in a day are you expected to identify yourself? From when you arrive at work you are required to sign in, visiting your bank, receiving healthcare services… The list is endless. When a system knows who you are, you are able to do any number common, everyday activities. Your identity is unique and precious. It is also easily stolen and the target of many hackers across the globe. Technology is constantly evolving alongside the criminal element, always looking for ways to protect data and identity. One such solution happens to be biometrics and it is rapidly gaining traction in our increasingly complex modern world.
Reliable, secure and fundamentally YOU, unique biometric traits such as fingerprints are being used by banks, enterprises and consumers to verify identity. Biometric solutions offer significant identity protection because they use unique biological details to ensure an account is only accessed by the account holder, a door only opened by the owner. Here are five things that are little known about this technology…
- The uncut identity. Your fingerprint is unique to you. Nobody can use a copy of it to impersonate you. Good technology is capable of scanning down into the layers of the fingertip to differentiate unique elements of a person’s fingerprint, this data is then encrypted and used as a key to unlocking whichever physical or virtual door that the biometric system protects.
- The living proof. No, there is nothing to the stories of fingerprints being used without their owner’s knowledge or permission. Biometric solutions can use specific variables to determine if the finger used to access the system is that of a present, living person. A copy or a fake cannot be used to access a cutting-edge biometric solution.
- Easy and convenient. Queues and documents and paperwork may well be a thing of the past should biometrics take a firmer grip of government and banking systems. The process of registering is easy, and access to identity documents and records is yours alone.
- Security blanket. A thousand passwords and a hundred post-it notes stuck on walls and drawers. An excel file with a list of sites and applications and their corresponding passwords, all a thing of the past. Nobody needs to remember their password with biometrics, they only need to show up.
- Anywhere is cool. Schools, airports, networks, offices, homes, toilets, banks, libraries, governments, border controls, immigration services, call centres, hospitals and even clubs and pubs – knowing “who” matters and biometrics can quickly and conveniently confirm your identity where needed.