No surprise that hackers found chink in Armscor’s armour
THE only thing more surprising than South Africa’s main arms procurement organisation being hacked this week was its official response: “Armscor can confirm at this stage that information accessed does not contain sensitive and classified content.”
The statement was made despite Armscor not knowing the full extent of the breach — it was awaiting analysis from “a team of cyber experts [that] has been convened to conduct a forensic analysis to determine the full extent of this incident”.
The hacker umbrella organisation responsible, which calls itself Anonymous, has revealed it was able to access the identities, with names and passwords, of 19 938 suppliers. That’s the cybercrime equivalent of a nuclear explosion.
One aspect of the hack that is not surprising is that it happened at all. A recent survey by World Wide Worx and global cloud computing leader VMware showed that almost a fifth of information technology decision-makers at South African corporations do not believe their boards or executive suites provide enough attention to cybersecurity issues.
Far worse, however, was the finding that 52% of respondents said there either was no plan in their business strategy for addressing a security breach, or that only a small part of their organisation was aware of there being one. A fifth of corporations expected an attack within “the next few days”.
Lack of budget and employees who are careless or untrained in cybersecurity ranked as the highest forms of threat, behind only outdated software and systems security. Despite this, no less than 24% of respondents said funding would be reduced for encryption, 23% said their mobile security budget would be cut, and 18% said it would be cut for threat monitoring.
In other words, information systems have long been a disaster waiting to happen. Cybersecurity companies were not surprised by the breach.
“The malware industry has evolved so much and become so much more intelligent and complicated that hackers now have numerous routes into company systems,” says Steve Flynn, South African director of sales and marketing for ESET, a global security solutions company. “They rely on lack of awareness, lack of education and lack of IT ownership.”
The last refers to companies and their IT departments refusing to acknowledge that they have vulnerabilities. This simply exacerbates their vulnerability.
“The biggest weakness in a business is its employees. You can have great antivirus software and security firewalls, but the moment an employee accepts a dubious e-mail attachment, that counts for little.”
Flynn cites CryptoLocker Legion, a virus that recently shut down a South African law firm. “That comes from lack of awareness. Someone clicked on a file they shouldn’t have and that let the virus into the environment. But the issue is much more complex than only getting a virus in the mail. The more we use social media inside a business, the more malware will get through. And you can’t block social media.”
Echoing the VMware study, Flynn says it is sad to discover, when speaking to organisations, that they see security as an easy place to reduce their IT budgets. “I find it unbelievable that they see that as the first place to cut costs. That generally means reducing staff. And that makes them even more vulnerable.”
Goldstuck is founder of World Wide Worx and editor-in-chief of Gadget.co.za. Follow him on Twitter and Instagram @art2gee