With data often being just as important to an organization as its finances, now more than ever, firms cannot afford to put these assets at risk. The current economic, political and legislative environment in Africa, as well as the type, volume and accessibility of information now available on the internet, has led to a continuing trend of ever-increasing security attacks on computer networks - equally in size, variety, and seriousness.
Experts believe that the nature of I.T. threats has made a swift and alarming turn from being purely malicious to revenue-driven and even nation-state sponsored. Hackers look to crack into companies' security systems for financial gain, making the threat considerably larger. What’s more, as technology advances, more and more avenues of entry arise: e-mail, the internet, spyware.
However, the news isn’t all bad. By identifying these threats, businesses can limit their exposure to them. We speak with world-renowned Web security expert Jeremiah Grossman, Founder and Chief Technology Officer at WhiteHat Security and Co-founder of the Web Application Security Consortium (WASC), to find out more. “Computer security is a global problem and growing worse by the day. And there is no reason to believe that South Africa will not experience similar malicious incidents as the rest of the world,” he says.
So what are the top I.T. security threats at the moment? Globally speaking, Grossman, who previously held the role of Information Security Officer at Yahoo, says the major threats are web-based. “The threat to the security of a website and to the Web browser is a huge issue. An incident involving a website may lead to direct loss of sensitive information, fraud, embarrassment, and so on. When a Web browser is exploited, the result may be an infected machine where it is hijacked to send spam or liquidate their online financial accounts,” he says, outlining that South Africa is undoubtedly facing similar challenges to the rest of the world.
Grossman also highlights the rising trend of social networking as having had an effect on I.T. security recently. “It has had a negative effect. The use of social networks challenges organizations to track and control the location and flow of sensitive information. Their data and communications perimeter is no longer isolated to the corporate network, but expands to various online service providers whose systems they don't control or have visibility of.”
Another worrying issue lies within an organization’s employees. Whether through carelessness or maliciousness, staff can potentially pose a significant threat to their companies’ assets, as Grossman attests: “The latest data indicates the insider threat is a real issue, but this pales in comparison to the losses sustained by outside hacking attacks.”
A SILVER LINING IN THE WEAK ECONOMY
There is no question that the challenging economic environment has led firms to tighten their budgets. And with less money for upgrades and new systems, this inevitably affects the security of a business - but not necessarily in an entirely negative way. “A weaker economy does indeed impact spending and of course emboldens the activities of cyber criminals. Fortunately, given the absolute necessity of computer security, the industry has not been as affected as other markets.
“There has been a silver lining with respect to increased budgetary scrutiny. Forward thinking organizations are incentivized to take a closer look at the solution stack they are investing in, determining what has made real measurable impact, or not, and adjusting accordingly. Purchasing decisions and security strategies solely based upon ‘best-practice standards’ are quickly becoming unacceptable.”
THE RIGHT STRATEGY
It is becoming clear that with data security, it is not so much about spending more, as it is about having the right strategy and keeping informed of the industry’s rising threats. “I prefer looking at the big picture of security and recommending strategies as opposed to particular point products.
“The majority of the computer security mindshare is spent attempting to address yesterday's threats, typically targeting host and infrastructure security. The reality is the majority of today's actual attacks have moved up the software stack to the application layer, specifically Web applications where traditional security products such as firewalls, anti-virus, and SSL provide very little protection.
“Strategically, an organization should first identify their I.T. assets - network, host, and application - then assign a business value relative to the I.T. investment, and treat security as a tax. Then I.T. security can smartly invest resources protecting the ecommerce business flows relative to their value to the organization.”
Although over the past years we have seen the ways and means of attacking data become more sophisticated, if companies can stay ahead of these advancements, attacks can be warded off, avoiding a potentially devastating outcome in an already challenging business environment.