Business Day (Nigeria)

Weakest link in cybersecurity chain is people, here’s what SMEs can do

- ISAAC ANYAOGU

While the COVID-19 pandemic has forced small businesses online, many lack the necessary capabilities to protect their networks from cyberattacks. Experts continually emphasise how small businesses can protect themselves against cybersecurity threats within and outside the business. Because they are small, some businesses erroneously think they do not require ‘sophisticated’ security, even when it may not necessarily require more than standard knowledge and operating procedures.

With over 3 billion users connected globally, the internet has brought the world together, enabling instant communication, remote work and business facilitation.

“It has also come embedded with a multitude of vulnerabilities which pose a significant security threat to users and has led to the emergence of cybersecurity threats,” said Moses Umoru, the director general of the Franco Nigerian Chamber of Commerce and Industry (FNCCI), during a virtual conference on cyber security and process automation in today’s business environment, which was held on May 19.

In Nigeria, it is estimated that the annual financial loss due to cybersecurity breaches was N250 billion in 2017, N280 billion in 2018 and N288 billion in 2019, and in 2020 it increased to over N1 trillion in damages.

What is even more disconcerting is that experts say that 95 percent of security threats are not reported. So if the figures reported are this huge, it indicates how much of a threat cybersecurity presents to businesses, to profits and to operations, Umoru said.

It is getting even more dangerous: as the coronavirus pandemic has shifted many businesses online, with remote working becoming a common trend, the threat of malicious intrusion into business networks is coming closer to home.

This is why taking control of the human element, which constitutes the weakest link in the security chain, is vital, analysts at the virtual conference said.

Funmilola Odumuboni, senior manager, risk advisory at Deloitte and Touche, said in her presentation that cyber security encompasses three things: confidentiality, integrity and availability, all of which are vulnerable to human error.

Confidentiality implies that customers’ records, phone numbers, account balances and other sensitive information do not get into the wrong hands.

Integrity entails the ability to prevent someone from manipulating a customer’s information. It is the correctness of the information a business is processing and relying on to make decisions.

Availability means that systems and processes do not fail and remain available, so as to prevent an outage in which the business cannot render a service. These are the pain points for businesses when cyber security is compromised.

Threat landscape

With many businesses going online, the threat landscape in Nigeria is evolving. COVID-19 has forced many businesses online faster than they normally would have gone. Many, struggling to deal with the impact of the virus, are not making the right investments to protect themselves online, making them vulnerable to new threats.

“If your business needs to grow, you need technology, now we have remote working, remote customers, so you cannot afford to do business without leveraging technology but also the risks increase,” said Odumuboni.

This has led to the proliferation of bad actors in cyberspace. “Some people go into cyber crimes as a business and they are looking for low hanging fruits like small businesses to attack and there has been a phenomenal increase in attacks on them. Many shift to remote work without the facilities to harden their systems,” said Odumuboni.

The threat landscape includes hacktivists who, in the name of a social cause, hack into the systems of public and private institutions. During the #ENDSARS protests in Nigeria last year, some hacktivists hacked into the website of the Nigerian police.

Nation states are investing in cyber security both from a defensive and offensive standpoint.

Malicious insiders, according to some experts, constitute over 80 percent of attacks. These are people to whom a business has given some level of access to its network and who want to cause harm.

Threats can also come from rogue suppliers and even competitors.

These bad actors are after sensitive data including corporate information, board reports, financial information and investor confidential details.

Some cyber criminals also seek to commit financial fraud such as wire transfers and payments. Some seek to disrupt a business or threaten the health and safety of a community.

According to Odumuboni, business email compromise has become rife. This is where attackers take over an email communication between two organisations for financial gain.

Odumuboni explains that in this situation, one company is talking to another about a financial transaction; cyber criminals intercept that communication and change the account details.

The parties, oblivious to this intrusion, continue their interaction, and when one party pays, it pays into the attacker’s account instead of the correct organisation’s account.

This is becoming rampant now because a lot of organisations are using cloud-based systems for their emails and other processes, many on shared cloud services.

Tactics

Obukohwo Obukonise, a senior systems and cyber security engineer at Schneider Electric, said in his presentation that there are many hacking tools available online and most do not require a special skill set.

One common method used in cyber crimes is phishing, in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data.

Ransomware is another method, deploying malicious software that is designed to block access to a computer system until a ransom is paid.

There are also cloud data breaches, which describe incidents that have the potential to disclose sensitive information to an unauthorized party.

Another common attack is a denial-of-service attack (DoS attack), in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.

In zero-day attacks, a software vulnerability unknown to those who should be interested in its mitigation is exploited; until the vulnerability is mitigated, hackers can use it to adversely affect programs, data, additional computers or a network.

Malware, short for malicious software, consists of code developed by cyber attackers, designed to cause extensive damage to data and systems or to gain unauthorized access to a network.

There has been an exponential increase in the creation of malware. Experts estimate that in the last seven years malware has grown from 470 million created in 2015 to over 1.2 trillion on the internet today.

Other forms of attack include negative social media coverage and impersonation, supply chain attacks and stolen credentials.

Many companies, even if they have smart cyber security systems, are still susceptible to attacks due to third-party compromise.

Businesses have relationships with other organisations and share information with them; sometimes their network is even extended to those organisations because of the kind of business they do. If their partners are not implementing the same security procedures, they could become the weak link.

Develop a strategy

In many organisations, cybersecurity threats are considered at the board level, highlighting how important the issue has become to the well-being of a business.

Odumuboni said that organisations need to have a strategy. “It’s great to have firewalls, but you need a strategy, based on what my organisation does, this is how I will protect my business.”

She further recommended that business owners be aware of the cyber security threat landscape, routinely assess their networks for vulnerabilities, maintain visibility across the system to detect threats before they fester, and develop capabilities to respond quickly to attacks.

According to Babatunde Abagun, channel manager, West, East and Central Africa at Nutanix, research has shown that the defensive capabilities of businesses, such as antimalware, are being eroded by machine learning and artificial intelligence employed by cyber criminals.

One organisation in the UK that was recently scammed out of over $230,000 in phishing attacks approved payment based on voice approval from the CEO. It turned out that it was AI software that mimicked the voice of the CEO.

Abagun said businesses should protect their people from themselves. “If you have a child, you will child-proof the house, similarly you need to security-proof your infrastructure not just for threats available now but for those that will come in the future,” said Abagun.

One way to do this is to establish technologies that automate certain processes. Concepts like least privilege, which means giving every individual the minimum amount of capability they require to perform their job function, were highly recommended.

A few years ago, the Twitter account of former US president Donald Trump was briefly deactivated by a disgruntled Twitter staff member on his last day on the job. This could be prevented with least privilege.

The experts also recommend maintaining a zero-trust security process, limiting devices that could be intrusive, effectively training personnel, and writing adequate cybersecurity policies for the business.
