
The year of the hack

It’s been a hell of a year, and just like the security experts warned us, there’s been a sharp uptick in breaches and ransomware. How can the channel respond?

This year saw an unprecedented number of breaches, precipitated in part by the distributed workforce and the increased cyber security risks that this has brought. And those are just the breaches we know about. Next year will also see the introduction of the Protection of Personal Information Act, finally empowering the information regulator to fine companies proved to be playing fast and loose with personal data.

Paul Williams, Fortinet
Still, why aren’t we getting better at security, and what measures can we take to better protect ourselves and our customers?

Paul Williams, country manager at Fortinet, believes that the PoPI Act coming into full force next year will spur companies to be more compliant.

“You speak to people right now, and they’re busy planning, designing, developing and resetting their architecture. Only when government takes out the big stick next year, and says, ‘Now we’re enforcing it, and now you’ll pay the fines’, is when you’ll see a change in the industry.”

He also predicts that all companies will have implemented zero-trust environments – for contractors as well as trusted employees – by the time five years have elapsed.

Conner Smith, Sub-Saharan Africa at Trend Micro
Conner Smith, head of partnerships and alliances for Sub-Saharan Africa at Trend Micro, says she believes we’ll never be able to completely secure an environment, in part because hackers have a singular focus, and ‘treat hacking like a 9-to-5 job’.

She suggests a measure of industry-wide cooperation in an effort to protect companies, and their customers, as well as a consistent approach to security protocols.

Elaine Wang, cloud and software solutions director, Rectron, says many local businesses seem more concerned about physical security than cyber security, and, in the latter’s case, there’s still a large measure of ignorance. There’s also the mistaken notion among some small business owners that because they live in ‘a tiny corner of the world,’ they’re somehow immune to attacks. Some owners of SMBs also think they’re exempt from attacks because they are small, ‘but what we see when we chat to our channel is that SMBs are being increasingly targeted because they’re really easy pickings’.

Elaine Wang, Rectron
SMBs need to have a strategy, and should work with a solutions provider to understand what their risks are, she says.

“I know we all like to provide amazing technology solutions, but ultimately, it’s that tannie in the back office who won R1 million – who clicked on that email – who brings a lot of risk into the organisation.

“Whatever tech solution you put in, never forget about the user.”

Stephen Osler, business development director at Nclose, says many of his corporate customers are getting ‘the easy stuff’ right, but their networks are now so vast that it’s difficult to ensure they are closing all the holes.

“We also see that the large corporates buy a lot of tech and tools to prevent the incident from happening, but they still happen. The reality is that they need to become a lot more clever in the way they detect the incident, and reduce the dwell time.”

Stephen Osler, Nclose
Echoing Wang, he says SMBs don’t think they’re targets, so they don’t practise the ‘quick and easy’ wins, such as patch management and understanding where their vulnerabilities are.

He believes most attacks aren’t sophisticated – phishing, for example – and could be repelled by doing things such as patch management, and educating staff members.

“Get the easy stuff fixed, and that should make your life a little bit easier.”

Every step you take

Sebastiaan Rothman, senior consultant, applications and infrastructure at Altron Karabina, says while he thinks we’re getting better at security, we’re not getting better quickly enough.

Sebastiaan Rothman, Altron Karabina
He says it’s like an episode from the Wile E. Coyote and the Road Runner cartoon; no matter how smart and proficient we are at putting controls in place, ‘we’re always just one step behind’.

Customers of all sizes have been compromised, and no company is immune. He adds that on-premises security controls often don’t translate very well into the cloud.

What happens when companies move to the cloud? Is it a question of misconfiguration, which opens a hole?

“Poor cloud architecture is definitely something that’s very prevalent,” Rothman says, adding that security in the cloud is often only an afterthought.

Niel van Rooyen, Vox Telecom
This is also mentioned by Niel van Rooyen, CISO at Vox Telecom, who says there’s the misconception that once information is in the cloud, ‘your security is basically done’. He adds that the company is struggling to appoint people with the requisite skills, and likens a career in security to that of a police officer: “It’s a calling, not a job.”

Dean Steenkamp, Check Point product manager at Westcon-Comstor Sub-Saharan Africa, says while security solutions may be getting better, many organisations are still lagging behind in how these solutions are deployed. The surge in remote work has also probably not helped, he says.

Dean Steenkamp, Westcon-Comstor Sub-Saharan Africa
He advises organisations to gain a consolidated view of their architecture, and, where possible, push a security policy from a single pane of glass to the entire network.


Colin Erasmus, OEM lead at Microsoft SA, agrees that a distributed workforce, and the deployment of remote work solutions, has not perhaps been carried out in the most secure fashion, and that there is some catching up underway. He says ransomware-as-a-service is now cheaply available on the dark web, but hastens to add that he hasn’t actually been on the dark web.
 
Mikey Molfessis, Mimecast
Mikey Molfessis, sales engineer for Middle East and Africa at Mimecast, says it found in its global survey that less than 5% of companies have a CISO who is part of the executive committee.
 
Boards may well speak to the CIO, but, ‘the CIO isn’t the security specialist’, and perhaps won’t be able to justify the security spending. A CISO will also be more likely to configure a security product correctly.

He adds that many small and medium-sized businesses need to be persuaded of the value of security tools, and are being ‘penny shy, pound foolish’. “(They should be asked), ‘How important is your data to you? If you’re attacked and someone gets in – and you can’t operate for three days – can you carry the cost?’”

Anna Collard, KnowBe4 Africa
Anna Collard, SVP content strategy at KnowBe4 Africa, suggests a back-to-basics approach, and says most breaches rely more on social engineering than sophisticated technical attacks. Misconfiguration and unpatched systems are also to blame.

“It’s not sexy; it doesn’t have AI in it, but if companies focus more on the basics, it could alleviate a lot of the more opportunistic attacks.”

She says Interpol noted the severity of cyber attacks in Africa during the pandemic, and that the private sector is not cooperating with the public sector. By way of example, she points to the non-responsiveness of the South African government’s Cybersecurity Hub.

Security is for everyone

Jeremy Matthews, Panda Security
Jeremy Matthews, regional manager, Panda Security, wants to talk about ransomware, and suggests that organisations pursue a rigorous patching policy, which, at the moment, might present a challenge. He says there are very strong technologies that can be deployed on endpoints that will stop ransomware from executing, but there’s often an unwillingness to spend money on endpoint security.

Karl Fischer, automation lead at Obsidian Systems, says that only three things are certain: death, taxes and data loss. The conundrum of security is that it has to be understood at all levels in an organisation, and this can be helped by a culture of inclusion.

“Security is not taken seriously enough, and developers are not being taught how to code securely, or users are not being told enough about security. Later on (after a breach), people will scramble. People care about audit findings, and only then will say that security is important.”

He says while there are a lot of endpoints to be monitored, and a lot of security reports to be read, ‘people should start somewhere’.

Karl Fischer, Obsidian Systems
“The challenge for us is how to make this more accessible to everybody. How do you eat an elephant? Nobody cared about PoPI until July 1; now it’s a thing.”

Are you seeing smarter spend on security? And as people head back to the office, what does this mean for the security channel?

Nclose’s Stephen Osler says it’s certainly seen a shift in spending over the past eight months.

“With Covid, there’s been a lot more looking at what has been done in the past, and a review of failed projects, or those that are assumed to have failed, around the detection of security incidences. We’ve seen a lot of our customers applying a lot more governance rules, and thinking around where to spend their money more appropriately to get more value.”

He thinks that most companies are going to try to adopt work from home strategies, but this is more about operational than security issues.

“Before Covid, they thought they were only toe-deep in cloud, but they were waist-deep. Now, they’re applying those same (security) controls when they thought they were toe-deep, but they’re eyes-deep. This will introduce many challenges in the next few months.”

He also thinks that as common as breaches were in 2020, this is likely to continue next year. With the information regulator wielding her whip in 2021, we’re also going to be a lot more aware of breaches.

He says with regards to working from home, ‘we lose out on that collective IP, specifically in the security industry’.

“It’s one thing writing a technical message on Teams or Slack, and it’s another turning to your colleague next to you and saying, ‘This is what I’ve seen.’”

He predicts that companies will start asking some of their staff to start coming back to the office.

Henk Olivier, from Ozone IT Distribution, says with both SMEs and enterprises, he’s seen an increase in expenditure on security. Financial institutions, in particular, are spending on compliance products. Enterprises are also paying for internal auditing tools, as well as those for forensic investigations.

Henk Olivier, Ozone IT Distribution
Conner Smith, from Trend Micro, says she’s in her office today, it being quarter-end, and there’s ‘fear and panic’ as everyone rushes around attending to last-minute deals.

“What we’ve realised is that we’re using more tools outside of the norm of a business environment, and that’s a security red flag. We’ve got WhatsApp, and someone is using Google Hangouts because they don’t like Zoom, or Teams.

“Next year is going to be the year of the hack, but right now, we’re figuring out how to hack our lives and how to work from home or the office, but we’re not being consistent in how we do this. We’re so used to coming into our office with our physical security tag, and going onto our PC with our VPN network. Now we have a multitude of ways to get into an environment.”

Rectron's Elaine Wang says many small businesses are under the mistaken impression that they’ll be protected by consumer grade security software.

“It’s so easy to get the order. At the moment, especially with the economy so tight, you just want to pick the low hanging (sales) fruit, but I think it’s really important, as the channel, to say, ‘I’m not going to sell you that solution because it’s not right for your business and it’s not going to keep you protected’.”

She also warns that the sales manager, or admin person, choosing an unvetted app so they can get something done, is dangerous for a business. She adds that she’s back in the office, and says she can imagine Rectron’s IT team heaving a sigh of relief.

Colin Erasmus, Microsoft SA
Microsoft SA’s Colin Erasmus says it’s important to know what data you have, where it is, and when it’s at rest, or travelling.

“When you ask these basic questions, a lot of people can’t answer them, which is scary.

“What are you doing to protect your data? And that’s a technology or people/training scenario.

“And then there’s governance. In July next year, that’s when the rubber is going to hit the road.”