In the face of the growing cyber risks to Kenya businesses and the role of human error, the concept of a Human Firewall and how organisations can achieve this is gaining currency. And with technology investment being key to sustained business growth, how then can businesses minimise the corporate risk of human error and what actions are needed to ensure this achieved?
To get a better understanding of current and emerging cyber threats for businesses as well as the concept of Human Firewall, we recently conducted an email interview with Bethwel Opil, the Enterprise Sales Manager at Kaspersky Africa (top). Below are excerpts:
Q: Recent research from the Communications Authority of Kenya (CA) show an increase in the number of cyber threats targeted at Kenya’s cyber space with over 10.2 million cyber events detected during the quarter October-December 2018/19 as compared to 3.8 million in the previous quarter. Is this trend unique to Kenya or the same for other countries globally?
Bethwel Opil (BO): Unfortunately, cybersecurity is a global issue that many countries are faced with and cybercriminals are not showing any signs of slowing down. This is certainly worrying for consumers and businesses in all growing economies like Kenya.
Despite the increasing number of cyberattacks globally, many Kenyan businesses still view cyber-security as an administration of more software and not as an essential. The challenge that we face is that companies often believe that cybercrime forms part of IT’s mandate and if IT can manage it – all the better. However, that is certainly not the case, as it has to be a business-wide priority. According to our research, only 44% of companies, globally, with 50–250 employees have a dedicated security department (or at least a dedicated role) – and within 2% of these businesses, cybercrime is not managed at all. Furthermore, in 54% of these companies, security functions are merely managed as part of overall IT work. Unfortunately, this indicates that IT specialists do not necessarily manage security; as 1 in 5 companies delegate IT tasks to non-specialist staff such as accountants, office administrators, and managers.
Q: How vulnerable are organisations – both private and public sector – to these threats?
BO: Cyberthreats can leave any organisation very vulnerable and compromised when there are no security measures in place from data leaks to ransom demands on highly sensitive data. The aim of targeted attacks is to get a foothold in a target company, steal corporate data or damage a company’s reputation. We are also now in an era when a malicious code can be used as a cyberweapon. And while an organisation may not be in the direct firing line, it could suffer “collateral damage” if it isn’t adequately protected – making organisations more vulnerable than ever before.
As such, it is crucial for businesses to address their security needs and choose a reliable and comprehensive security solution that will make it easier to protect the business’s IT infrastructure. The right security solution will offer tools that include device security for different operating systems, traffic filtration and software updates. Secondly, once the solution is in place, the business must work with specialists or IT departments managing the solutions, to ensure that the solutions are consistently operational. Lastly, it is critically important to develop a cyber security policy for the business – one that clearly outlines all aspects linked to cyber security and the steps that should be followed and adhered to by all staff. This of course should be shared with all employees and enforced.
Q: Does human error have a major role to play with businesses increasingly becoming victims of such attacks? What can be done to address this?
BO: Absolutely, human error can play a role in companies falling victim to such attacks given multiple devices that each employee may use from laptops, mobile phones and of course tablets. What’s more, if they are not sure of correct processes when it comes to keeping such devices safe, they can accidentally infect these devices or compromise information that leaves the business vulnerable. As such, minimising the potential human error aspect of cybersecurity requires the business to look at building a type of Human Firewall. Staff training should be seen as an important way to achieve this – though it must be holistic training that touches on the following key aspects:
- Building strong cyber-hygiene skills through micro learning and reinforcement – to engage employees in the education process and to increase their personal cyber-awareness, targeted training that is easy to digest, memorable and practical to the employee is key.
- Agile fit – enterprise-level scalability – every employee will be at a different cyber awareness level and will be required to understand cyber security differently. The business must take this into account and provide training that is agile to meet the training needs of all employees and at any level, to ensure everyone can learn within their own parameters, so that the full business is armed and prepared accordingly – to avoid gaps or weak links in the broader cyber security chain.
To support companies in getting this process of training right and to build viable ‘Human Firewalls’ Kaspersky has developed an Automated Security Awareness Platform – making it easier for companies to ensure staff are armed with the very latest skills and knowledge. The online service aims to help companies boost the cyber-awareness of their employees enhancing training efficiency with micro learning, different lessons formats and continuous reinforcement. It is a web-based learning system which automates cyber-awareness training for companies of any size. The platform helps businesses to address gaps in employees’ cybersecurity skills and knowledge, with each lesson taking less than 10 minutes to complete. It is aimed to bolster the cyber-hygiene of employees with different risk levels – from basic to advanced – through an automated learning path which allows them to progress at their own pace.
Q: What kind of practices can businesses employ to ensure that staff are able to work flexibly and conveniently in this era of BYOD while at the same time ensuring that sensitive corporate data is not compromised?
BO: Within this digital world we operate in, it is increasingly rare to come across business professionals who don’t use their own mobile device for work purposes. Be it a laptop, tablet or smartphone, these devices enable us to do a large part of our business tasks while on the go and remotely – and from any location.
However, these devices also open business up to risk including the loss of important corporate data via personal devices, as well as a negligent attitude towards the security of mobile devices. The challenge is that mobile devices tend to not stay inside a company’s security perimeter and can be exposed to unsecured public Wi-Fi or just be lost or stolen. Furthermore, BYOD, if not managed effectively by the business, could expose a business to cyberthreats in the case of an employee accidentally downloading a compromised application preloaded with a spying module or ransomware, for example. They might try to root or jailbreak their device and expose it to even more threats.
Taking such risks into account, it is imperative for a business wanting to invest in a BYOD strategy (as such a strategy does offer ample benefits), to do so with security top of mind. Security here includes device protection along with employee training and education around the cybersecurity threats they could be exposed to and the appropriate action to take and precautionary measures to follow.
Q: As a follow-up to the above question, which solutions (and products) does Kaspersky currently offer its customers to ensure that staff who use of their devices at work (i.e BYOD), do so in a secure and safe environment?
BO: Kaspersky has a product that can address this issue called Kaspersky Security for Mobile which covers all major platforms, protecting and controlling corporate data on mobile devices and securing the device itself. It has a multi-layered real-time protection that is delivered by advanced, proactive and cloud-assisted technologies which prevents unauthorised access to corporate data and has remote administration capabilities in the event of loss or theft.
Q: Moving to awareness creation and continuous education about emerging cyber threats, which programmes (or initiatives) does Kaspersky have to ensure that its clients are protected round-the-clock and not susceptible to these attacks?
BO: With digital innovation happening in the world around us, cyber security must always be part of the journey. Ensuring continuous education on how you can protect your company is the only way to stay on top of potential threats as this is a never-ending struggle with cybercriminals always working on new ways of hacking and stealing. It’s also advisable to install security solutions that will undertake environmental scanning and alert you of anything suspicious and unsafe. Additionally, having a security partner on board that ensures that you know the necessary steps of what to do should you find yourself compromised might just be what saves you and your company some money. Don’t assume your data is safe.
Below are some basic tips that organisations can follow to raise awareness and training for staff to ensure that cyber protection and data security are maximised:
- Always assess your employees’ understanding about cybersecurity attacks.
- Educate employees to understand why their security discretion is vital to corporate safety.
- Host a training program for employees to address what vulnerable targets look like online.
- Teach employees to recognise potential threats and how to make correct security decisions.
- Always check the link address and the sender’s email if they are genuine before clicking anything. Even better, do not click the link, but type it into the browser’s address line instead to be sure that the name of link in the message doesn’t cover another hyperlink. If you are not sure that the website/sender is real and safe, never enter your credentials. If you think that you have probably entered your login and password on a fake page, immediately change your password!
- Only use a secure connection, especially when you visit sensitive websites. Do not use unknown or public Wi-Fi without password for maximum protection, use VPN solutions that encrypt your traffic. If you are using an unsecure connection, cybercriminals can unnoticeably redirect you to phishing pages.
- Use a proper security solution with behaviour-based anti-phishing technologies, such as Kaspersky Security Cloud and Kaspersky Total Security, which will warn you if you are trying to visit the phishing web page.
Q: Explain the concept of a Human Firewall and what it means in non-technical terms.
BO: The concept of building a Human Firewall is the process of minimising or possibly eliminating the risk of human error in the approach to cybersecurity. To ensure staff are no longer a cyber security risk, thorough and adequate training, across all levels, is a necessity to ensure that staff are informed and equipped to be Human Firewalls for the business and don’t bring the business cyberthreat harm through unwilling or careless actions. Achieving this can support a business in building a strong cyber security defence – one that exceeds relying purely on solutions-based protection. It’s about ensuring that staff are a business’s biggest security asset and not their biggest security risk.
Q: How can corporates build and utilise the concept of Human Firewall and what does it entail in terms of costs?
BO: For the concept to be realised the first step is protection against cyberthreats must start with education — users must be trained to never click on suspicious links and always guard their log-in credentials, even at the office or at home. Remember that all the technological gadgets and defence mechanisms mean next to nothing if you don’t know how to use them.
Cyber security today is as much a defensive strategy as it is an offensive one. A strategy that incorporates a threat prevention, detection, response and prediction scope is a successful one.
And Of course every business is different and different strategies, security concerns and risks need to be identified to create a cost effective solution (usually a combination of product and education programmes) that will work for the business.