Cybersecurity as important as physical security to protect the ‘crown jewels’ of business

Cybersecurity is possibly even more important than locks, vaults and walls in protecting the modern business. This is according to members of the Institute of Information Technology Practitioners South Africa (IITPSA) Cybersecurity Special Interest Group (SIGCyber).

In a statement marking international Cybersecurity Awareness Month, which is held every October, the IITPSA SIGCyber members noted that business intellectual property, data and systems have significant value. This makes them a target for cyber criminals.

To combat the cybercrime risk, cybercrime should be a top priority, and more skills development and awareness campaigns are necessary, they say.

The business case for protecting the ‘crown jewels’

Bryan Baxter, CRO at Wolfpack Information Risk, says: “Business mission critical assets are known as their ‘Crown Jewels’. These are high value assets that would cause the most business disruption if compromised. Information Technology systems and data make up a significant portion of an organisation’s Crown Jewels. These could be trade secrets, intellectual property, company or customer data, as well as operational and financial systems.”

“Anything of value attracts the attention of criminals and this is no different in cyberspace.  Organised cybercrime is the largest threat and is a lucrative and growing business. Common threats are ransomware, data breaches, malware, and phishing.

Many organisations have the basics of cybersecurity in place, but lack formal frameworks to manage and reduce cyber risk. Some leave key areas are neglected, which translates to leaving the ‘cyber gates’ wide open, making for an attractive target,” Baxter says.

The costs of recovering from physical or cyber incidents can far higher than the cost of preventing such events, he notes. With losses due to data breach potentially running into millions, many of the costs are quantifiable, but long-term damages to reputation and customer or shareholder confidence are harder to assess.

“Real-world threats such as burglary, vandalism, fire and flooding are well understood. Money is spent on fences, alarms, security guards, fire detection and suppression to protect physical assets. The same due diligence needs to be applied to protect the high value virtual Crown Jewels,” Baxter says.

Baxter says all organisations should establish cybersecurity as a business priority. “A Cyber Risk assessment should be conducted to assess the main adversarial threats to the Crown Jewels. Appropriate controls should be implemented and their effectiveness constantly monitored,” he advises.

“This will ensure customer retention and confidence by demonstrating you value their business and data. It will ensure sustainability of operations, financial stability and protect the interests of shareholders.”

Prioritising cybersecurity

Professor Lynn Futcher of Nelson Mandela University, School of IT, Centre for Research in Information and Cybersecurity says cybersecurity can no longer be considered an afterthought, to be addressed once other higher priorities have been met.

She says: “New and evolving cybersecurity threats demand a change in mindset of everyone. Far too often we hear people pass the buck by saying “cybersecurity isn’t my responsibility – it’s a technical issue”, “hackers don’t target small and medium-sized businesses”, “we have strong passwords and virus protection software to protect us from a data breach”, “we comply with industry regulations so we’re safe”, “my personal information is only of value to me – no-one else would want it”.

Prof Futcher warns: “Just one cybersecurity incident can have a devastating impact, whether it be financial, reputational or relating to one’s personal privacy. The increase in cybercrime is a growing concern for organisations, governments and society at large, exacerbated by the unprecedented cybersecurity skills gap that exists both globally and in South Africa. This cybersecurity skills gap can only be effectively addressed through the concerted effort of all role players, including individuals, academia, organisations and governments across the globe.”

Leading organisations both locally and internationally can play a key role in bringing these role players together to address the cybersecurity skills and related concerns, she says.

“These organisations include the International Federation for Information Processing (IFIP), the Association for Computing Machinery (ACM), Information systems Audit and Control Association (ISACA) and the IITPSA, to name a few. It is therefore important for us as IT professionals to engage with these organisations and play our role in addressing the many cybersecurity challenges within South Africa.”

From weakest link to human firewall

Professor Kerry-Lynn Thomson, also of Nelson Mandela University, School of IT, Centre for Research in Information and Cybersecurity of the School of IT at Nelson Mandela University, says that while people are often referred to as the ‘weakest link’ in the security chain, it could be argued that they should rather be viewed as an integral part of the cybersecurity defense – a human firewall – through the cultivation of a cybersecurity culture.

She notes that in 2015, the South African National Cybersecurity Framework was proposed in which it says: “To effectively deal with Cybersecurity, it is prudent that civil society, government and the private sector play their part in ensuring South Africa has a culture of Cybersecurity. Critical to this is the development of a culture of Cybersecurity, in which role players understand the risks of surfing in cyberspace.”

Prof Thomson says: “To create this societal cybersecurity culture, it is vitally important that individual users of technology have an awareness of cybersecurity and have the skills needed to behave securely and protect themselves, and others, when online.

To lay the foundation for this, cybersecurity awareness programmes and campaigns should be promoted for all people going online, no matter their age.  However, more than just providing the information, these cybersecurity awareness campaigns should be customised to be age-appropriate and targeted to the particular threats for the various age-groups.  For example, cyberbullying for younger children versus identity theft and financial scams for adults.”

She adds: “These cybersecurity awareness campaigns should be underpinned by behavioural theories, such as Social Learning Theory and Sociocultural Theory, together with pedagogically sound educational principles in an attempt to translate awareness into action.  This makes the approach and way forward to cultivating a societal cybersecurity culture truly interdisciplinary.”

Bridging the cybersecurity skills gap through collaboration

Doctor Mafuwafuwane, Practice Manager, Security Solutions & Strategy at Logicalis SA, believes skills development and training is necessary to help combat the growing cybercrime epidemic.

“There is no doubt that cybersecurity is everyone’s responsibility. Technology has transformed almost every facet of our lives. As we continue to embrace the 4IR revolution, we now control our household Internet of Things (IoT) using smartphones or voices. How we communicate, learn and work is all built on complex technologies. Meanwhile, the government continues to adopt the smart city concept which makes the city stunning and wirelessly connected.”

“But have you ever thought about the security required to ensure everything from a smart house to a smart city is protected from cyberattackers? The cybersecurity industry desperately needs people from all walks of life to think about a career in technology, but we must tackle digital skills first to ensure nobody gets left behind,” Mafuwafuwane says.

“The public is still struggling to comprehend the fast-emerging digital world. It’s hard for someone to play it safe on the internet when they don’t have a full understanding of how everything is connected. Their lack of understanding of the best use of the technologies exposes them to cyber criminals,” he says.

Combating cybercrime requires individual awareness and a growing army of cybersecurity professionals, he says, noting that Microsoft has predicted that by 2025, there will be 3.5 million cybersecurity jobs open globally – a 350% increase over eight years.

Mafuwafuwane says: “Through collaboration between the public sector, private sector and academia we can create a cybersecurity syllabus which consists of deep-dive technical material and business strategy. The courses could be offered in many formats including hands-on labs. Some of the content could also be created for a technology patron to use, to easily guide normal citizens to be cybersmart while taking on the 4IR uprising.”