Picture this; xyz bank (or any other organization) hires the crème de la crème of IT graduates and Information Security experts, takes them through a thorough systems security and incident management trainings, and to cap it all, the organization has employed state of the art cyber security solutions available in the market. Now, we can say that xyz bank is beyond any possible breach of their systems; Right? Wrong! I will tell you why an organization that only invests in its IT, OT and security infrastructure and personnel and stops there is far from being secure in this era when system attacks have become more sophisticated.
Xyz bank (read any organization) above will only be secure and its systems safe if the only people who work there are those in the IT department; the ones that have been well trained on matters of keeping the network and systems secure, and fully understand the concept of social engineering and therefore know how to deal with attackers who decide to use that mechanism. They understand phishing in and out and know what to click and what not to click when browsing the web through the company internet connection or when they receive that suspicious email. They are not tricked through vishing, smishing and impersonation, and if an attacker tries to tail-gate them, they can see through that too. Such is an ideal workplace where systems and network breaches are at a near zero level. But is that the nature of our workplaces? No. In fact, in many organizations, IT departments make the smallest number of employees.
From finance department to customer care, from the top management to the entry level staff, the big chunk of employees in a typical African organization knows nearly nothing about technology, not to talk about keeping systems secure. It is a sad state of affairs. Most of the cases I have followed of system breaches that have led to tremendous financial and reputational losses to these organizations, the attackers targeted the non-tech staff. It is, needless to say, way easier to siphon sensitive information about the company and its infrastructural management from this group of people. Worse still, Companies have lost humongous sums of money because of an employee unwittingly falling victim to a well crafted fraud scheme. You are wondering how? Picture this; an employee in the marketing department receives a mail labeled ‘urgent’ and is directed to respond to it the soonest possible by clicking the provided link. That action alone, which to this good employee is harmless, opens the organization’s network to a barrage of threats and attacks. However, the attacker’s goal today is not to bring our systems down. He is looking for information. He will then use social engineering to siphon information about the company, and the whereabouts of the CEO. Talk of the gift of the gab, something professional cyber criminals have perfected.
It doesn’t stop there. After a carefully done spear phishing research, the cybercriminal knows that the company CEO is traveling. An email is sent to another company employee (this time the finance manager) that looks like it came from the CEO. There is a slight discrepancy in the email address though – but the spelling of the CEO’s name is correct. In the email, the employee is asked to help the CEO out by transferring Kshs 500,000 to a new foreign investor. The email uses urgent yet friendly language, convincing the employee that he will be helping both the CEO and the company. The email stresses that the CEO would have done this transfer herself but since she is travelling, she can’t make the fund transfer in time to secure the foreign investment partnership. Without verifying the details, the employee decides to act. He truly believes that he is helping the CEO, the company, and his colleagues by complying with the email request. A few days later, the victimized employee, CEO, and company colleagues realize they have been a victim of a social engineering attack and have lost Kshs 500,000. Just like that.
“Only amateurs attack machines. Professionals target people.” – Ross Anderson – the world renowned security engineering expert and a professor at the University of Cambridge – in his book Security Engineering
You see, gone are the days when criminals used to spend their days analyzing your perimeter firewalls, network IDS/IPS, endpoint antimalware programs, application and data security measures and any other tool you have put in place to secure your systems. Nowadays they are more subtle. They attack from the loophole you least expect, and from my observation, that loophole is the other staff in your organization. ‘Other’ here meaning those that have no clue about what link to click and what not to click, what to disclose to a friendly stranger about the organization and what not to disclose, how to ascertain that that call from the ‘manager’ directing you to channel some amount of company money to a certain account is really coming from the manager, and so forth.
Having been in the industry for close to a decade and having worked in the IT departments of various organizations – both public and private – I can say that the biggest challenge in curbing cyber attacks in the African workplaces lies in the employees. Although nowadays recruitment managers are insisting on their potential employees to be equipped with digital and computer literacy skills, that rarely translates to the practice of digital awareness in the office environment especially when browsing the web using the workplace computer. I need not talk about the devastating effects of cybercrime in Africa; it has cost us more that we can bear. It has brought our economy to its knees, and if something is not done about it, Africa is likely to suffer unimaginably in the hands of cyber criminals and financial fraudsters. So how do we check this? Move beyond the IT department, and train employees – both the top management and the entry level staff and anyone in between – about keeping the organization network and systems safe. Let them know the tricks used by attackers, from baiting to voice impersonation, from pretexting to water-holing.