Telling your boss that your company computer has been phished – victim of a campaign to obtain sensitive information through fraudulent emails – needs to be seen as a corporate win, not a danger to your job.
That’s the change in culture needed at African companies as cybersecurity threats flourish on the back of Covid-19, Lehan van den Heever, enterprise cyber security adviser for Kaspersky in Africa, says.
South Africa, Nigeria and Kenya are seeing the biggest increases in cybercrime, which correlates with the presence of business hubs, van den Heever says from Johannesburg.
Culture crisis
Corporate culture is part of the reason for the problem. There are many examples of employees who are in possession of important critical corporate information falling for phishing e-mails. Yet many are scared about losing their jobs if they report it, he says.
Advanced persistent attack viruses, which use clandestine techniques to try to break into corporate systems, have been shown to lurk for an average of 218 days before being detected, says van den Heever. Cutting down that time would reduce threats to companies.
- “Companies should make it easier for people to report,” and could even consider rewarding staff for identifying a threat, he adds. “If you can stop the problem at entry, then nothing further develops.”
- Companies that have been hit by malware attacks recently include shipping giant Maersk and oil major Saudi Aramco.
Virus spreaders and hackers for hire may be based anywhere in the world. Van den Heever sees a risk that Africa’s relative lack of sophistication in cybersecurity will attract threats that are being successfully defended against elsewhere. Companies need to start with awareness campaigns tailored to individual skill levels, he says. “The basics were never taught at school.”
Artificial intelligence
Van den Heever now receives phishing e-mails that are vastly more sophisticated than a few years ago and, in some cases, he finds it hard to tell the difference.
Perpetrators are now using artificial intelligence and machine learning to gather large amounts of information about individual targets. That’s allowing them to customise e-mails for individual recipients and maximise the chances of them being opened, he says.
Companies’ reliance on people working from home has multiplied the number of potential entry points for viruses into corporate systems. Those people are currently the weakest link in protecting against cyber threats, he says. “They need to be the first line of defence.”
- Routing systems used at home were set up with convenience and accessibility in mind, rather than security, says van den Heever.
- Employees at home need to download more free online tools to be able to function, further increasing the risks. “There’s never been a better stage for cybercriminals than Covid-19.”
- Basic employee training can go 80% of the way to ensuring safe systems, argues van den Heever.
- That includes teaching about simple steps to avoid phishing, the need for strong passwords and limiting computers to business-oriented use.
But companies grappling with the challenges of dealing with Covid-19 are mostly failing to do such training, he says. Doing nothing is like leaving each employee with a loaded gun and without weapons training, he explains. “The human factor is the weakest point.”
The final 20% of system security comes through spending on security infrastructure, says van den Heever. He recognises that it’s a hard sell in the current economic environment.
Cybersecurity, like insurance, is a “grudge purchase” where you may never see a physical pay-off. But a successful virus or ransom attack, he notes, has the potential to sink a business.
Practical steps
Kaspersky, a global cybersecurity company, gives the following basic tips to individuals:
- Apply for government support payments only on official websites. Do not follow links in e-mails about support payments and do not open attachments.
- Check the information in the e-mail: if you do a search and the organisation promising a payment doesn’t show up, it probably doesn’t exist.
- Pay attention to the sender’s address: if it looks like gibberish, it is hardly likely to be from a government body.
- A demand to pay an up-front fee to get any kind of payment process started is a sure sign of fraud. Government departments and banks do not do this.
Bottom line
African companies need to educate their workforces, especially those working from home due to the coronavirus pandemic.