Today’s digital business landscape sees many organisations face a myriad of evolving security threats. Based on our experience, companies today tend to spend 80% of their security budgets on trying to prevent security breaches, but only 20% on predicting, detecting and responding to attacks.
However, if we consider the recent global ransomware cyberattack, WannaCry, which hit so unexpectedly, and the havoc it caused – surely a change in approach is needed and businesses in Kenya should be investing their security resources in a more diverse way?
The answer is a simple yes. It is no longer good enough to merely be reactive, instead, business decision-makers across the country must embrace a more pro-active strategy to cybersecurity – and now!
The reality is that no business is 100% safe. We live in a world where the question isn’t whether you’ll be attacked, but when, and how quickly and completely you can recover. Targeted attacks, as an example, may only resemble 1% of threats overall, yet they do a lot of harm.
In fact, our research shows that the average cost of a targeted attack for an enterprise is as high as 1.4 million USD. Furthermore, as the case with Wannacry, it doesn’t always take a hugely sophisticated targeted attack to cause extensive damage.
In many cases ransomware is able to breach defenses through simple spear-phishing and then rampage unchecked through unprotected corporate networks, with measurable financial, operational, reputational and personal impact.
Considering this, local businesses need to look beyond the traditional viewpoint that cybersecurity only entails a firewall, an anti-virus solution, and some Internet filters. Instead, they need to consider the realities of today and the fact that with this, cybersecurity has evolved to become a process that is completely integrated into the running of the business.
According to the Serianu Kenya Cybersecurity Report the acceptance of Bring Your Own Device (BYOD) by Kenyan organisations has risen, where 62.2% employees now use their personal devices at the office.
Furthermore, this report states that typically a SME has at least one or two systems fully exposed on the internet with default passwords and unpatched software.
We believe that this can be dangerous as it may often be the first stop for cybercriminals looking to unfold their operations.
It is also unfortunate that companies who have suffered a security breach tend to be the ones who understand better that a ‘reactive’ approach to a cyberattack is not effective. Consider for a moment that the WannaCry ransomware attack exploited a (patched) Microsoft Windows vulnerability.
While cybercrime is rapidly evolving, where cybercriminals years back where known to be opportunists, today they are known to be more skilled, attentive and targeted in their attacks – this ‘it will not happen to me’ attitude among businesses must therefore change.
So, what needs to be done?
Kenyan companies, no matter the size of the business, need to become more proactive, as opposed to merely relying on ‘installing’ software to ‘prevent’ an attack. Companies can better understand this by following the below suggested strategy, that can be implemented by the IT security department:
Look at threat prevention
Here, the company needs to observe and inspect how able it is to block all the generic threats, which are emerging. Can the IT security team block the latest Trojan or ransomware as our research shows that generic threats emerge at a rate of 310,000 a day.
For this phase, the company may require advanced tools and expertise, as well as the time to identify the indicators of attack, spot an incident, investigate it and mitigate the threat. Check with the IT security team if they are well trained in this regard.
Responding (and timely) to a cyberattack is very crucial – which companies should not ignore. In this phase, a company will require unique skills of forensic experts to ensure that the response is effective and that the threat is dealt with, entirely. Some organisations have IT experts with the knowledge, however, outsourcing is also a good option.
Predicting future attacks
Ensure an understanding of the current threat landscape of today, to determine the long-term strategic defense required. This is typically done through running penetration testing as well as a host of other security assessments within a business. Businesses need intelligence to predict future attacks – this is what we refer to as True Cybersecurity.
It must be noted that technology alone cannot protect a company, however, efforts from all departments, in unity and following the company’s IT security policy – can minimise the chances of a cyberattack at all costs. If a business proactively takes control of their IT security by following the above guidelines, they will be far more ready to protect themselves from tomorrow’s potential threats.