The world is currently a very scary place. There are growing political tensions between the US and Iran and one stupid statement or action can escalate the situation into a full-blown war. There is also the issue with Brexit and the uncertainties about what will be the fall out when it eventually happens. What trade deals is the UK going to make and what will the future of the UK look like with Scotland and Northern Ireland voicing their concerns over Brexit and their desirability to remain the EU.
These are all important global issues. However, it could be taking the focus away from an issue that needs urgent attention; particularly in Africa.
Over the past two years, the issue of cyber security has become the most talked about issue in any business. Cyber crime has become a clear and present danger and companies are scrambling to update their cyber security because they know the implications that a simple breach can have on their business.
There are genuine concerns that we are always on the precipice of a cyber apocalypse. If we are, is Africa ready for its fallout?
According to an article on ITWeb, most African countries are unprepared for a cyber apocalypse of any kind.
The article points out that most people living on the African continent are not prepared for cyber-attacks. This was one of the biggest takeaways from the 2019 KnowBe4 African Cyber Security Report which surveyed over 800 respondents across South Africa, Kenya, Nigeria, Ghana, Egypt, Morocco, Mauritius and Botswana.
According to the report, 65% of respondents across all eight countries are concerned about cybercrime. However, the report points out that they are vulnerable as they are not aware of what they don’t know.
The report points out that, from ransomware to phishing to malware and credential theft, users are not adequately protecting themselves because they mistakenly think they’re informed, ready and prepared. Around 55% believe that they would recognize a security incident if they saw one.
“The results proved that respondents’ confidence was based on the little they knew about cyber-attacks and it is where the problem lies. Africans are not prepared for these threats, making them increasingly easy preys to cyber-criminals,” Anna Collard, MD of KnowBe4 Africa told ITweb.
She added that many criminals consider Africa a safe haven for their illegal operations, as many African governments need to attend to other pressing issues such as fighting poverty, unstable politics, violent crime and large youth unemployment and still regard cyber security as a luxury, not a necessity.”
The report says in many organizations, cyber security budgets are reported to be less than 1% of overall spend or are non-existent.
The ITWeb article points out that Africa also faces the problem of a serious skill shortage of security professionals as well as a lack of awareness and skills among the general user population to protect them online.
Collard told ITWeb that many African Internet users are connecting to the Internet for the first time and with the sharp increase in the next few years, you are looking at millions of people connecting without understanding the risks.
The article adds that another reason why Africa is attractive to cyber criminals is the lack of legislation and law enforcement.
According to a report by the African Union, only about 20% of African states have basic legal frameworks to deal with cybercrime.
Kenya, South Africa and Mauritius are probably the most advanced in this regard and Nigeria is coming up fast.
The KnowBe4 Africa survey found that even though nearly half of respondents across all eight countries felt that their organizations had trained them adequately, a quarter of them didn’t know what ransomware was.
The ITWeb article adds that, for South Africans, a worrying 31% thought that a cyber threat that encrypts files and demands payments was a Trojan virus and 27% of Kenyans agreed. More than 50% of respondents are not aware of what multi-factor authentication is or the benefit thereof.
The article points out that E-mail security is one of the biggest threats facing the average user, both at work and at home, and it is one of the most common communication methods – more than 70% of those surveyed use e-mail to collaborate with friends and colleagues.
The KnowBe4 Africa report pointed out that most people don’t realize what a risky e-mail looks like or how their actions can result in their systems becoming infected.
It added that while more than half of respondents in Botswana, Egypt, Kenya, Ghana, Morocco and Mauritius have enough security smarts to avoid clicking on links or opening attachments they don’t expect, 46% still trusted e-mails from people they knew.
The ITWeb article noted that, in South Africa, more than half of respondents (52%) trust e-mails from people they know while 50% don’t open attachments they have not expected.
The KnowBe4 Africa report points out that email remains one of the most successful forms of cyber-attack today for this very reason.
The report adds that people are quick to click on links or attachments sent to them from people who they know, not realizing that cyber criminals have potentially hacked or spoofed (impersonated) their friend’s, colleague’s or suppliers’ systems to spread malware, or launch other forms of attacks.
It explains that cyber criminals can easily mimic contact lists or use e-mail addresses that look as if they’ve come from trusted institutions, and a simple click can unleash a ransomware attack that can hold an entire company, government or home hostage.
The truth behind awareness programmes.
The truth of the matter is that the only way that the cyber security issue will be resolved is when every party pulls their weight and there is increased awareness around the issue.
However, according to an article on business2businesscommunity.com, there are a lot of clichés when it comes to these awareness programmes.
Cliché 1: Cyber Security is Everybody’s Responsibility.
The article points out that, at face value, this is truly a very dangerous argument to manipulate. To answer it using another cliché, there is a fine line between something being everybody’s responsibility, and the same thing becoming nobody’s responsibility. The key is to acknowledge that while each employee may have a role to play in securing the firm’s assets, those roles do vary from function to function.
Failure to communicate with each staff member in meaningful ways in the context of their own job will simply not work. Telling HR staff who receive CVs by email everyday not to open attachments is a waste of time. Also, it is essential to acknowledge that the level of engagement of each employee around cyber security will depend entirely on the level of engagement the employee has with the firm, its culture and its values. It is a basic instinct to protect what you care about.
The article adds that, conversely, it can be a hard job to convince disengaged staff, or staff who see senior management constantly allowed to skip the rules, while they must adhere to stricter measures. So, it may well be that in some form cyber security is everyone’s responsibility, but the message cannot be generic and must be structured appropriately.
In addition, the example must come from the top and must be relayed without exception by all middle-management layers for the message of good practice to work through the fabric of the firm.
Cliché 2: People are the Weakest Link.
The article points out that people may well be the weakest link, but the key is to understand why and how this is true within the context of each firm, before jumping to ready-made solutions is important. This is particularly applicable when it comes to tech vendors. It must start from a sound examination of the threats each business is facing.
The insider threat may well be a widespread high-ranking business threat in financial services, not so much maybe in logistics or retail. Of course, in all firms, there will be people who have access to sensitive business information and may be tempted or coerced in certain circumstances to leak it out. But the key here is to understand and address their potential motivations in doing so.
The article adds that those motivations will often be rooted in corporate culture, management styles and governance problems. These are areas that you are not likely to address through a “traditional” tech-focused cyber security awareness programme.
It is worth repeating this one more time: Staff will protect the firm with a basic instinct, if they care about it and share its values and its purpose – economically, and increasingly socially as well.
Cliché #3: This is all about Awareness.
The article asked how can it be that some firms (and their CISOs) still believe that their staff apparently do not know what to do to protect their organization from cyber threats?
At an individual level, many people have experienced fraud attempts or virus attacks. Data breaches and cyber-attacks are constantly in the news, and many online platforms and service providers have considerably strengthened several security measures.
The article points out that an example is around multi-factor authentication. People are increasingly getting used to those additional layers of security in their everyday life. More importantly, security good practices have been well established for two decades and have not evolved that much; don’t write down your password meant the same thing 10 or 20 years ago. Large firms have collectively spent significant capital across the last two decades on so called security awareness programmes, not to mention governments and their agencies.
Where did it go wrong?
The article asked what went wrong with those programmes?
The problem is that most of those programmes have focused extensively on making sure people simply know what to do around security. There was not a lot of focus on giving people incentives to act on cyber security or to deal with the roadblocks preventing staff from enacting good practice.
The article points out that just knowing what to do to protect your organization is simply not enough. Only the right actions and behaviors can protect the business. Awareness by itself is never going to be enough without incentives to act and change culture where it is necessary.
In addition, as detailed above, many of those programmes have often fallen short of expectations by being too generic and not rooted in the right cultural context.
The article points out that fake phishing campaigns are a good example of where it goes wrong, they have been all the rage for the past few years but often they contribute to the build-up of a nasty culture around cyber security. Employees feel tricked and embarrassed, and those are not emotions which are likely to build a favorable ground in which to root good security practices.
Sending random emails, forcing people to follow online training programmes, putting up posters or distributing mouse-mats may well put ticks in compliance boxes but what does that achieve in real life?
The article points out that success criteria remains vague and is qualitative or anecdotal in many campaigns (those that are not designed as a pure box-checking exercise to address some cheap audit point).
That shouldn’t be the case, and as a matter of fact, the issue of metrics should be central to any cyber security awareness programme and built in from the start.
But it is a difficult topic, which is why it is frequently side-stepped.
The article points out that the only way to address this in a meaningful manner – for firms large enough to do this – is to fall back on traditional marketing and polling methods:
• Build representative panels of employees across the firm;
• Measure their level of “security awareness” through questionnaires and interviews, in a structured way prior to launching the campaign;
• Design the campaign to be centered on key findings highlighted by panels and interviews, and deploy it; and
• Measure levels of security awareness again and compare.
Of course, as well as difficult, this may be expensive, and priced-in from the start, it may well push any programme out of an acceptable budgetary bracket.
However, cutting out the metrics aspects – on grounds of costs – from a cyber security awareness programme should bring out a real management question. Is it worth spending large amounts on an initiative of that nature, knowing and accepting from the start that you won’t be able to measure its success quantitatively?
According to GTconsult Co-Founder and CEO, Bradley Geldenhuys, the issue of culture is the most important challenge to address when it comes to cyber security.
“Culture plays a major role when it comes to addressing cybercrime. Every employee needs to be invested in the process of being vigilant and identifying threats when they occur. In addition, they need to feel invested in the company. It is true that an employee who feels like they need to protect the company as if it was their own will go above and beyond when it comes to addressing cybercrime. And that is what you want. Lastly, there is a massive responsibility on management to take the lead and show that they are more invested…and ultimately more at risk…when a cyber-attack occurs. You cannot drive culture unless it comes from the top,” said Geldenhuys.