[Column] Karien Bornheim: Building the security baseline
Cybercrime victims are losing around R3.5 million a day, according to Action Fraud in the United Kingdom. The Cyber Security Breaches Survey 2019 found that 60% of medium firms and 61% of large firms deny that they have been attacked, and yet 25% of those that identify a breach experience it at least once a week. In 2018, McAfee reported an average of 480 new threats discovered every 60 seconds. A Morphisec report found that 25% of all attacks directed at the enterprise were banking trojans. Accenture revealed that paying for the fallout of cybercrime could cost more than US$5 trillion by 2023. The Agari Q1 2018 Email Fraud & Identity Deception Trends report found that account-takeover-based attacks now made up around 20% of all advanced email attacks. These are just some of the salient statistics from studies and analyses by leading organisations into the endless cyber-threat. Cybersecurity is a legitimately pressing concern for any organisation looking to avoid becoming yet another statistic.
“Organisations need a proactive strategy that they can use to prioritise recommendations and investments, and to develop detailed plans that allow them to achieve the right levels of security,” says Karien Bornheim, CEO of Footprint Africa Business Solutions (FABS). “Compliance and information security have most definitely become key requirements and focus areas for organisations, specifically in the financial sector. There is a dire need for solutions that work with organisations to architect security systems that pay attention to the specific challenges that they face. The one-size-fits-all approach is a myth.”
Facing these statistics head-on takes a serious commitment to robust security and compliance investment. The reality is that hackers stand to benefit a great deal from their activities, and their skillsets are continuously evolving to keep pace with, and often overtake, the security systems most organisations have in place.
“The first step is to delve into the business and uncover exactly what security requirements it has, what it needs, and its existing state of security health,” says Bornheim. “By doing so, you gain a snapshot of implemented controls as compared to industry standards and find the gaps that potentially need to be filled.”
The key security management areas that should be assessed include security policy, security organisation, asset classification and control, personnel security, physical and environmental security, communications and operations management, system development and maintenance, business continuity management, data protection, and compliance. It’s a lengthy list for a reason: without the insights gleaned from analysing each of these business units and areas, the security strategy cannot be tailored accurately to the organisation.
“The second step should be to train the people within the organisation,” says Bornheim. “Few organisations or individuals realise the extent of the threat that faces the company or that they can potentially introduce. This isn’t even considering the insider threat; these could just be silly mistakes made by employees and companies that open the doors to cyber-criminals and cost companies millions. Training is critical for both the executives and the employees. It gives them clear guidelines within which to operate and explains why these guidelines are important.”
In addition, the organisation should take its in-depth analysis of the company to an even deeper level using security forensics. Trained consultants can work with IT personnel, audit executives, management and audit committees to support internal audit activities once a breach or fraud is suspected. This allows the organisation to address irregularities immediately and provides the skills needed to support the organisation going forward.
“Finally, it is critical that the business invests in a robust strategic focus for its long-term security,” concludes Bornheim. “Work with experts in cybersecurity to develop strategic roadmaps that encompass the roles, responsibilities and security investments required to ensure the company remains secure. This needs to include business partners, vendors, suppliers, employees and the business as a whole.”
For most organisations, it is worth partnering with a cybersecurity company that can provide these services as part of a cohesive security ecosystem. That way, every aspect is integrated intelligently and aligned with business goals, existing challenges, planned infrastructure investment and more. Consider a partner that can provide a clear evaluation of the existing security posture, identify gaps and vulnerabilities, and mitigate identified risks based on the globally recognised ISO 27002 standard and industry best practice.
Karien Bornheim is the CEO of Footprint Africa Business Solutions (FABS) South Africa.