News reports of cyber security threats or attacks have become as commonplace as news on the price of food, and over the past two years virtually every sector of Tanzania's economy has been hit by some type of cyber threat or attack. In this series of articles we will discuss some of the work that is going on at DataVision on the importance of cyber security to businesses, cyber security awareness & training, cyber security governance, audit, forensics, tools, and research & development.
The number and sophistication of cyber security attacks and compromises of information systems that take place daily are increasing at a fast pace. While it might be news to most of the public, the truth is that businesses and end-users have been getting compromised for years. What’s new is how often these attacks and breaches happen, how much they get publicized and the damage done to businesses and end-users. Unless deliberate security measures are taken by businesses and end-users, we are not far from reaching cyber security fatigue.
Currently the debate and concerns about cyber security are skewed, as most businesses and end-users believe that cyber security is a concern only if they have computing devices connected to the internet. In some cases they think that they are too small, or do not hold anything of value in their systems, to be attacked. However, these views miss the holistic picture: even the use of a mobile phone or of services such as mobile banking can lead to a user being compromised. The social, political and economic repercussions of being compromised range from loss of intellectual property, trade secrets, national security documents and sensitive financial documents to loss of personally identifiable information. The main reason for this sorry state of affairs is the extent of the digitization of nearly all aspects of our lives. For example, many end-users now live their lives primarily in a digital world (Facebook, Twitter, WhatsApp, and Skype). They work digitally, socialize digitally and spend their off hours digitally. Their children are being raised and educated largely in a digital world. Businesses are working hard to re-invent themselves in this digital world, followed closely by the public sector. Further, most threats or attacks succeed because they take advantage of human weaknesses (laziness, apathy, or ignorance) and less because of their sophistication.
Our appreciation of the value digitization brings to our society, businesses and government operations has led to a wide array of security solutions being proposed. These security solutions have been lagging behind, as our ability to use new technologies has not been matched by the ability to use these technologies securely. Most of these solutions are not enough to protect our systems, leading to an arms race in which there is one winner: the attackers. The battle for cyber security is continuous, with new threats sprouting after each new countermeasure. If businesses or end users are truly paranoid, then they should stop using the internet.
The emergence of hundreds of distinct new security threats and attacks every minute is alarming. In order to defend against these attacks, businesses and end-users have been buying security products such as anti-virus or data protection tools and believing that they are secure. However, buying security products alone does not make businesses or end-users secure. While no one suggests abandoning security products completely, cyber security today is a much more complicated game of detection, deflection, and data protection. As the security guru Bruce Schneier concisely put it, security is not a product but a process. Breaches and investigations have proven that attackers are able to circumvent defences put in place by top-selling security tools.
Therefore, the questions that businesses or end users should be asking now are: how do a business and an end user protect against today’s targeted, complex and sophisticated attacks? And how secure are we as a business? In today’s threat landscape there is no simple solution, so employing several security mechanisms, including humans, as an integral part of a holistic security strategy is a way forward. Businesses should work towards developing strong business cyber resilience capabilities to achieve competitive advantage. This must be achieved so that the security of the whole business ecosystem improves.
Cyber security is now more than a technical problem; it is a business driver. Security concerns are boardroom issues, as they define the success and failure of businesses. There are many examples of businesses that have gone bankrupt because of security failures. Thus, employees’ cyber security education and training will go a long way in improving the security posture of businesses.
The number of players who have been attracted to cyber security is large. They have all joined the fray for different motives, the main one being the enormous funding currently going into cyber security projects. The danger is that some of them do not understand what cyber security is, as it is confusing even to security experts. The terms change more often than the fashion industry; they include cybercrime, cyberwar, cyber ethics, cyber hygiene, and cyber everything. The technologies used are not many and change daily; they include data encryption, intelligence-driven security, certificates, or a combination of these and others. It is agreed among security experts that the strongest defence we have against cyber threats or attacks today is innovation, cyber security user awareness and training.