Protecting networks is no longer an option, it’s a necessity. This is especially when one considers the escalation of cyber-attacks, more stringent privacy requirements and data management regulations. This was the crux of a seminar hosted by travel technology innovator Amadeus in Gauteng in October.
“It has become increasingly important for the travel industry and other industries to understand the challenges that come with an increasingly connected, online world,” said Andy Hedley, Amadeus Southern Africa GTD General Manager.
South Africa’s workforce has increasingly come under threat of cyber-attacks recently, added Security Specialist Chris Buchanan. “Any person today spends on average 74 hours a week in front of a screen, but most of us are not office-bound anymore. Work is no longer a location, it’s an activity to which we are connecting from mobile devices. That means data is always on the move and under constant threat.
“There are over 390 000 new malware variants created every single day with over US$1bn ransomware payments made in 2017 alone,” said Buchanan, adding that attackers were getting smarter every day.
He also warned that internal security breaches have become rife, with 72% of employees willing to share confidential data externally. The focus for companies, he said, should be to protect data wherever it goes, control who can access their data and monitor data activity and location.
E-mail is one of the most common ways for attackers to infiltrate a computer, according to Mimecast’s Nick Saunders. The reason is simple: most of us spend over 28% of our week on e-mail with 225 billion e-mails sent every day. “Forty percent of e-mails have an attachment and 77% of those are potentially vulnerable PDFs or office documents,” he explained, adding that the average cost of a breach is $4m or $158 per record.
The onslaught is not about to stop either. Redstor’s Jason Kotze told delegates that a huge growth in infections has been predicted. “In 2016, there were 638 million devices infected. That number is expected to increase by 35% during 2017. Attackers are also demanding increasingly higher prices to ‘restore’ your data. In 2016, the average ransom was $1000. In 2015, the average was only $300.”
Kotze explained that ransomware is evolving and targeted attacks on businesses are increasing, with phishing e-mail attachments being the number one infection vector. Infected USB drives are also increasingly a risk for unsuspecting companies. So how should companies protect themselves? “Prevention is good, protection is better, back-up is a must,” said Kotze, adding that in no instance should companies consider paying the attackers.
The focus should not only be on computers when talking about cyber-security, as your printer can also fall under attack, said HP’s Rodger James-Green. There will be over 25 billion connected ‘things’ by 2020 and all of these ‘things’ are at risk. A grad student in 2011, for example, exposed a flaw in printing devices that could let hackers hijack the devices to spy on users, spread malware and even force the devices to overheat and catch fire.
DSI Secure’s Denan Erasmus explained that cyber criminals are finding new ways to gain unlawful access into corporate infrastructures across all industries. New vulnerabilities are found daily, web application attacks leave websites vulnerable and viruses become increasingly silent and stealthy. Often, the simplest things can be the cause of an entire company’s infrastructure being compromised.
McAfee’s Trevor Coetzee explained that the hospitality industry is the most targeted point for payment card information. “Small to mid-size businesses in the hospitality sector unfortunately don’t have the necessary protection to protect against a breach,” he said. “The biggest obstacle for these businesses is the recovery time it takes to get up and running after a breach. In 2011, 32% of companies were up within one day that has decreased to 20% today.”
The solution, according to Coetzee, is to have an integrated and unified platform. This allows businesses to be better protected, have faster response times and discover threats quicker.
Overconfidence of companies who think they are fully protected is still a challenge, according to Gordon Bailey-McEwan of F5 Networks. He warned that SSL doesn’t secure a website despite what your browser might tell you. SSL simply refers to the fact that the transfer of data between the client and the server is encrypted, but data at rest is not encrypted. It is therefore crucial for companies to look for solutions that will encrypt the data at rest. “Passwords must be encrypted in real time and not only on transmission to prevent credentials from being stolen,” he said.
The first step to creating a cyber secure company is education, according to experts at the seminar’s panel discussion.
“If you can educate your staff, you can annihilate 90% of the problems,” said Ricky Reynolds, SA Reynolds Travel Centre. Employees need to know they have to flag any suspicious looking mails or transactions to management immediately to minimise the risk of cyber-attacks.
Scholtz Fourie, CFO and COO Tourvest Travel Services, agreed that the education of staff around risks is crucial. “We’ve been trying to raise awareness about the value of data. It’s important for employees to see data is an asset.”
Although education is important, BCX’s Eric McGee explained that companies can’t only rely on employees to identify all the red flags. Companies also need to invest in systems that make it easier for employees to recognise and detect the threats.
Finally, the event highlighted that although the threat of cyber-attacks can’t be underestimated, if companies invest in technology and apply sensible controls, the risk can be managed. Forearmed certainly is forewarned.