Well, not in the sense that it used to – firewalls are no longer the be-all and end-all of your defence, and if you are still relying on them as such, you have a problem. According to IBM Security and the Ponemon Institute, the average total cost of a data breach in South Africa was R 32.36 million, an amount not to be casually cast aside! So what are some of the threats out there in the landscape, and what can you do to protect yourself from them?
One of the most eye-opening videos I’ve watched was from Tech Insider, where a group of ethical hackers were hired by a power company to test its security. Part of the attempted attack was social engineering: the hackers pretended to be from the company’s Internet Service Provider, investigating a speed and connectivity issue. Thanks to a suspicious supervisor, they were denied access – but this is not the case in a lot of organisations.
If you watch the video, the goal of the attack on the office was to install a small device called a plug bot, not much bigger than a stack of business cards, into a network outlet. Had they been granted access, this would have taken only seconds to install.
If you consider your office environment, how easy is it
- for someone to get past reception and into the greater office, and
- for someone to access a network point while they are waiting?
A (very basic) security measure in this instance is to simply disable any unnecessary network points in open areas, something I can almost guarantee has been overlooked in many companies.
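One way to find those overlooked points is to audit the access switch for ports that are still administratively enabled but have nothing plugged in. The script below is an added example, not part of the original post; it assumes a Cisco IOS-style "show interfaces status" table (the sample output, port names and descriptions are constructed) and produces the configuration lines that would shut the unused ports down.

```python
import re
from typing import Dict, List

# Constructed sample of "show interfaces status" output (assumption: IOS-style
# table layout; port numbers and descriptions are made up for this example).
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   Reception desk     connected    10         a-full  a-1000 10/100/1000BaseTX
Gi1/0/2   Lobby wall jack    notconnect   10           auto   auto 10/100/1000BaseTX
Gi1/0/3   Meeting room B     notconnect   10           auto   auto 10/100/1000BaseTX
Gi1/0/4   Spare              disabled     10           auto   auto 10/100/1000BaseTX
Gi1/0/5   Server rack 1      connected    20         a-full  a-1000 10/100/1000BaseTX
"""

# Port, free-text description, then one of the known status keywords and the VLAN.
LINE_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s+"
    r"(?P<status>connected|notconnect|disabled|err-disabled)\s+(?P<vlan>\S+)"
)


def parse_status(text: str) -> List[Dict[str, str]]:
    """Turn the table into a list of dicts; the header line never matches and is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def unused_but_enabled(rows: List[Dict[str, str]]) -> List[str]:
    """Ports with no link that are still administratively up: a live network
    point for anyone who reaches the wall jack while 'waiting in reception'."""
    return [r["port"] for r in rows if r["status"] == "notconnect"]


def shutdown_commands(ports: List[str]) -> List[str]:
    """IOS-style configuration lines that disable the given ports (assumed syntax)."""
    cmds = ["configure terminal"]
    for port in ports:
        cmds += [f"interface {port}", " description DISABLED - unused wall point", " shutdown"]
    cmds.append("end")
    return cmds


if __name__ == "__main__":
    print("\n".join(shutdown_commands(unused_but_enabled(parse_status(SAMPLE_STATUS)))))
```

Ports already reported as "disabled" are left alone; only enabled ports with no link are listed, so re-running the audit after a change shows only what is still open.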
Opportunistic (and Deliberate) Theft
How well do you and your employees know your IT policy? And from there, what does your IT policy say about supervising people who work in sensitive areas, like server rooms? It is a sad and scary reality that devices go missing. I have seen it numerous times where an external hard drive or flash disk has ‘grown legs’ during a routine air conditioning maintenance run or cabling installation. It is vital that any work being done in your office is supervised, and that any devices are locked down. A massive risk is having external hard drives and backup tapes sitting in your server room with the attitude of “well, it’s behind a locked door, so it must be safe”. It’s not. These devices MUST be encrypted, and they MUST be locked down. You should also have a clean desk policy in place for all staff members.
In a discussion with a cyber forensics expert, I learned the terrifying fact that some technicians in trades such as air conditioning, cabling and heating (read: people with access to sensitive areas) are on the payroll of malicious persons. They are paid per device that they can steal from an office – be it a boardroom, open office area, or server room. If the device has no useful data on it, they’ve gained a small amount of cash for their thievery; however, if there is something worthwhile that can be held for ransom, they can be rewarded a great deal more – a percentage of the ransom – which is far more than a blue-collar wage. Food for thought, no?
In the same study mentioned earlier, it came out that 43% of data breaches are with malicious intent, followed by 29% being due to human error, and lastly 28% being due to system error. I don’t know about you, but those figures keep me up at night.
Malicious intent could be an external attack, but it can also be a disgruntled employee, either still employed or ‘on their way out’. Do you have a policy regarding this? Are you aware that this may be happening? It is vitally important as an organisation to have your access controls well defined and mapped, granting access only to the data each individual needs. While you cannot operate in a closed system that denies everyone access to everything, you can mitigate your risks by taking reasonable measures.
Accidental leaks are also concerning. It’s important to educate staff on a regular basis about the causes and consequences of data breaches. In this day and age, everyone from the cleaning staff up to the executive level should have a basic understanding of the fundamentals of data security and privacy. It is inexcusable not to have this in place. The same applies to system administrators; leaks due to system errors are still leaks, and with modern privacy laws such as POPIA, GDPR, and the Australian Notifiable Data Breaches scheme, you WILL have to publicly admit to and mitigate your data breaches, if they don’t sink you in the process.
While the above is pretty terrifying, with the appropriate measures and tools in place your risks can be mitigated. A fundamental part of every compliance strategy should be the inclusion of data privacy and information security, be it internally run or through a consulting agency. We at Ross G Saunders Consulting have numerous specialists within our network, covering everything from professional legal opinions on data privacy and information security, to penetration testing and education for staff. If you feel you need a hand coming to grips with the above, please reach out to us for a meeting. Often, taking the time to map your organisation out can both open your eyes during the day, and allow you to sleep at night.
Don’t be scared, take action.