It is truly amazing how far we’ve come universally, in our digital transformation drive as individuals and businesses in this space. It is an indication of how we have come to truly appreciate the essence and criticality of digitalization or adoption of the Internet in our lives and businesses as a major drive for modernization, increasing productivity, achieving operational efficiency, cutting out waste and mobilizing resources.
Whether early or late adopters or for those who are now trying to catch up with the digital acceleration, it’s a significant depiction of what lies in store for us and the vast opportunities up for grasp.
Notwithstanding, it will be bias of us not to also point out the negatives or the seemingly exploitation of the same technology that is tripling the profits of businesses, being used to attack, destroy, defraud, spread misinformation and violent extremist conversations across platforms and online forums.
Cyber-attacks or incidents clearly have been a major negative to most businesses since the inception of the digital drive. Same way businesses have scaled and maximized revenues through digitization, other businesses have also lost a significant amount of money, suffered a significant decline in brand reputation and public confidence, and several legal battles through the ills of cyber-attacks or incidents. Some businesses have also, to some extent suffered collapse or termination of operations. Statistics prove that 60% of start-ups go out of business in 6-months after a cyber incident.
It is therefore paramount that businesses pay critical attention to cybersecurity, but a much closer look at information security, thus, if they still want to keep harnessing the benefits and opportunities in store for digitalization.
Information Security is the foundation of cybersecurity. Security, since the inception of the Internet, has always been about securing business information from the reach of bad actors. The questions that were asked when the Internet and WWW were invented had to do with how businesses migrating part or full operations onto the Internet and Internet-driven business start-ups as at that time, will be able to ensure confidentiality, integrity, and availability of their information. Since then, there’s been a conscious integration of security measures and controls into hardware and software to ensure safety and security.
Now, there are a lot of security products, standards, policies, laws, and regulations with the true purpose of tackling cyber-attacks which are now rampant, overly complex, and sophisticated. These initiatives seek to secure Internet users, business processes, and the technology or devices that are being used on the Internet.
Upon all these great initiatives and directives, cyber-attacks are still widespread across small, medium, and large organizations. Organizations that have nearly all or satisfying levels of security measures or controls in place still get hit or targeted even more.
Basically, what really is the cause of these cyber-attacks? How and why, after many years of using policies, laws, regulations, directives, Machine Learning and Artificial Intelligence integrations security products to secure businesses, combat threats and incidents and even stay ahead of hackers or threat actors, have proven less effective or simply insufficient?
Elders advise that if you are saving money to purchase land, you should also save money to fence it. Even some socialist extremists advise that you put up at least a temporal structure on it just to ultimately guarantee ownership. Buying land doesn’t even guarantee ownership, and therefore people still need to go to some extremes just to fully assure ownership. Same for securing digital assets; extreme ownership, extreme security.
Security is and has always been a part of our lives since inception. Humans have been conscious of the possible implications or dangers of not securing lives and properties. However, it seems not so for cybersecurity.
Since the inception and adoption of the Internet for business, communication and information sharing, there has been seemingly a complete disregard for security. It is surprising to know that most companies factor in cybersecurity considerations at the end of their set-up or as a less-needed option/focus area.
There are some fundamental considerations for businesses that want to fully utilize the digital space whilst ensuring safe or security of their information;B
- Businesses need to make sure that controls are in place to mitigate Critical to high/medium risk levels. There is no bargaining on this. Businesses that do not have the financial muscle to deploy controls to mitigate some risks should resort to other risk treatment mechanisms. Many businesses are aware of their risks but still act on the lines of likelihood and probability. Underbudgeting your cybersecurity needs basically means that you are aware of the risks or potential risks, but you are not ready to resolve them. This is all because most businesses tend to think they are not targets for hackers or susceptible to any attack. For small to medium businesses, treating risk by tackling it in levels of severity and impact is a good start and a step in the right direction as this will reduce operational impact in case of cyber-attack.
- Surprisingly, many if not all businesses, do not factor cybersecurity needs as part of the draft of their business plan. It is disturbing to know that 70% of tech start-ups do not budget for cybersecurity, nor perform a risk assessment and feasibility study in relation to cybersecurity before commencing operations. It is a bad practice. A cybersecurity feasibility study will enable businesses to discover areas of possible or potential risks and exposure in order to assess and mitigate them before beginning operations. Knowing your strength and weakness is the first step into winning the war.
It is astonishing to find businesses operating for over 10 years with no international or domestic cyber/information security certification or accreditation, putting their business life, customers, and the nation at risk.
- When it comes to industry and international standard certifications and regulations, the “Trotro” driver-seat-belt scenario is triggered. Most of these African commercial drivers give the impression that the government is more concerned with their lives than it actually is. They do not appear to be interested in wearing seat belts. When approaching police officers, they fasten their seat belts but remove them after driving pass the police officers. Similarly, for most firms, they seem to just certify and comply with the directives of the regulator, international standard certifications, and the governing statute. They completely have no interest to practice or extensively implement since it’s a ‘nuisance’ requirement or directive, so they put in every structure and process to pass industry certification and after that they kill the implementation, and somehow still get to pass auditing and re-certification- exactly like the “trotro“ scenario, they flash seat belts on the face of the policemen(auditors) making them believe they are conforming when rather they are not. These standards and laws are seen as a nuisance by businesses other than a framework to rather help them in many ways. This is so because most businesses do not have the monetary capacity to fully implement standards or directives, or they just don’t get the buzz about cybersecurity.
- The focus of security solutions lately seems to be derailing from information security, the core of cybersecurity. Companies need to approach cybersecurity from the information security perspective. Focus on products or services that protect your data or information first before expanding or extending to cover networks and infrastructure. Deploying Insider threat security applications; Privilege Identity Management (PIM) systems, Identity and Access Management (IAM) systems, securing data using passwords, encryption, security awareness training, file lockers, and back-up mechanisms should be the core strategy for businesses, especially small and medium businesses that cannot afford high end products and security teams. These mechanisms are fundamental, simple to implement and help reduce impact in the event of any cyber incident. Security must be built from the inside out, focusing on securing data or information artifacts first.
- Threat intelligence is of major benefits to organizations of all shapes and sizes by helping process and correlate comprehensive threat data to better understand their attackers, respond faster to incidents, and proactively get ahead of a threat actor’s next move. For SMBs, this data helps them achieve a level of protection that would otherwise be out of reach.
Cybersecurity is supposed to be woven through the operational fabric of a business. It must be a necessary consideration in the conceptual business plan. There is no business that does not interface with the Internet at any point in its supply or value chain and therefore completely absurd to think that you are special or free from cyber-attack or cyber fraud.
It has been a usual practice of some businesses to only increase their cybersecurity budget only after it has experienced an attack or cyber incident. This is a very poor practice as to some extent of attack; money might not be a solution to the impact of the attack.
Daniel Kwaku Ntiamoah Addai,
SOC/Digital Forensics Analyst,
Cyberteq Falcon Ltd.