In the last month only banks, hospitals and government agencies have fallen victim to massive cyber security breaches with at least 150 countries affected. The most significant of these perhaps remains the Wannacry and later petya ransomware that saw multiple operations grind to a halt as businesses took stock of the damages incurred both in data and revenue.
What followed for any cyber security expert is the sharp rise in the number of panic calls and security summons they have had to sit in from both individuals and businesses; a sudden but rather crucial awakening to the reality of not what cyber threats are, but how to prepare in the event of an attack and recover after the attack. Further reports that have shaken most Kenyan businesses was the suspicion that one of the waves may have reached southern Africa. The distress and fear forcing businesses to consult on the fastest and best way to protect themselves. Which begs me to posit? Just what is the health of our country’s Cyber Security?
In its 2015 Cyber Security report, Serianu pointed out to a general lack of concern about cyber threats and cybercrime for Kenyan organizations .The report further stated that 21% of organizations in Kenya are not concerned about cybercrime and are unaware of global security threats, which means that in case of an attack, a lot of businesses would simply grind to a halt. Leading up to huge losses like those reported in the public and banking sector, but with hundreds of others going unreported.
While seeking solutions to ascertain our risk level in the face of imminent threats may be a good place to start, there is an even greater need for Kenyan businesses to put in place basic cyber security awareness among staff and have access to ICT security expertise to carry out routine defense checks on the business.
Some basic truths about some of these attacks is the ease with which they can be propagated through everyday devices such as flash drives. I have often visited offices and every time I see the receptionist walk away from her desk to attend to something, I stare at an opportunity where a hacker would plug in a USB with a malicious file to the computer, contaminating the entire organization’s system in just under 5 seconds or even corrupting data. Implementing simple but effective measures like disabling USB drives which are common vectors for malware and other malicious software helps reduce access to platforms that can play host to attacks.
The second truth about cyber-attacks is the precision and time it takes before any attack takes place. The attackers plan it in several stages where they seek information about your network before they strike. On a normal day, if someone was looking at attacking you, they start by looking out for your name, digital footprint, your friends, your likes, where you live, what time you live the office, etc. Some basic details that can provide a pattern of vulnerabilities that make it easy to get to you. The cyber world is not any different.
Hackers spend plenty of time looking out for weak areas in your business; people, devices or your network and this is what they use against you. Kenyan businesses is that we remain too ignorant of the small occurrences in our environment which add up and become an enabler to an attack process. To many businesses, the place of cyber security is the IT department or the “IT Guy” who is squarely responsible for anything in that area. We overlook the education and awareness of our staff, visitors and other users on such basic matters as taking precaution when handling their computers, using the WiFi on their mobile phones or even managing their online activity, to give meaning to the defenses already in place.
In order to safeguard users and the business as a whole, we need to make our staff aware of social engineering; the easiest and one of the most ignored processes of gathering crucial information on a business for malicious use. They need to be wary of people that ask questions about the business, network or even visitors requesting for that WiFi password at the reception. It is crucial that we take their understanding of cyber and online security beyond complex passwords and Spam emails or blacklisted sites.
For businesses, the very person you are trusting could be the same one that could compromise your network and it is therefore time to invest in expertise that allows for a complete audit of our systems, to gather early warnings on potential gaps that could lead to an attack. Dear management, as we’re reviewing our business landscape and worry about competition, there’s a new form of competition that requires constant if not daily monitoring. It is one threatening with temporary or permanent loss of proprietary information, disruption of business operations with lasting financial implications due to losses arising from the disruption of the IT systems. Cyber-attacks are no longer the IT department’s problem, it is a business problem.
The writer is the Cybersecurity Specialist at Internet Solutions Kenya