CIARAN RYAN: Cyber attacks are on the increase, as we’ve seen in recent high-profile security breaches at a number of companies. During lockdown, with so many millions of people worldwide working from home, the potential for cyber attacks has multiplied and South African companies have been found to be especially at risk. I’m Ciaran Ryan for Moneyweb and, to discuss this, I’m joined by Colin Erasmus, Modern Work Business Group Lead at Microsoft South Africa. Welcome, Colin. First of all, how prolific are cyber attacks in South Africa, and why aren’t we getting better at preventing them?
COLIN ERASMUS: Ciaran, thank you so much. Yes, I think if we go and read and see some of these stats, in two or three of the stats that we’ll mention, last year South Africa experienced the third-highest number of cyber crime victims in the world. Those are some of the stats that we’re seeing and it’s very difficult to sometimes put numbers to these things. But we believe that it cost the economy just over R2 billion, and that really talks about how you recover from a lot of these things. That’s outside of things like reputational damage as well.
One or two of the other stats that are quite interesting to read, and these are a little bit more worldwide, is that we believe that hackers are attacking around about every 39 seconds, which is equivalent to over 2 000 times a day. And there again, this stat refers to close on $4 billion [R67.5 billion] to actually remediate some of these attacks. So I think you can see that they are fairly prolific.
To answer the second bit of the question on why they are so prolific, I think a lot of this has led to the way we used to look at architecture, especially with all this remote work that is going on. So let us just look at the architecture piece for one second, before we get into the rest of it.
If we go back 10 years, maybe even five years ago, we were very specific about what made up a network for an organisation. And even for ourselves and our assets, we were inside that network – and by assets, I would typically mean PCs, our employees, [those] were well defined. You had a network around that, you knew exactly where everything was.
With the internet and the explosion of devices and explosion of data, those lines are very, very blurred nowadays. You now have vendors inside your network, you have contractors, you have employees who are bringing their own devices, and you have a strategy like that. So I think what really has happened, and what we’re struggling with, is that networks are no longer really well defined.
And the other thing that we struggle with in a big way is the fact that these attacks are now a dime a dozen. They are a lot more sophisticated, and you can no longer have somebody sitting behind a screen or a pane of glass looking at these, and actually patching. You now need to look at security from an intelligence point of view and an automated point of view. I think that what has made these things so prolific is that our networks have changed, and the attacks have got a lot more sophisticated and are at a speedier pace than ever before.
CIARAN RYAN: Some of those stats you gave there are quite staggering – a R2 billion cost to the economy, R4 billion to remediate the problem. What are some of the pillars that an organisation should consider then as part of its security strategy? You mentioned you can’t have a guy sitting there doing patch-up work all the time. You’ve really got to start from the bottom up. Is that right?
COLIN ERASMUS: One hundred percent, Ciaran. We talk about them. I talk about four things specifically, and you’ll see that intelligence security is going to come through this quite a bit.
I’ll start at the first one, which is identity and access management. I think that is really where we start. You know, we’ve been talking about this for years and years and years, but we still find that the vast majority of breaches are because of compromised passwords. You can sometimes have the best security in the world, but to compromise a password becomes a lot easier. So really the first thing to think about is identity and access management. And, Ciaran, we’ve got to think about identity based on this “new normal” that we have around not really having a defined network any more.
In other words, we are saying to other people: “Consider things like having your identity in the cloud, no longer an on-premise solution, so you can authenticate against all these applications that sit either in the cloud or on-premise, or owned by you or not owned by you.” So I think that the first one is looking at identity and access management from that perspective.
The second one becomes absolutely key and critical, which is threat protection. This is really where AI [artificial intelligence] and machine-learning kick in in a big way. A lot of our CISOs (chief information security officers) are doing a great job at the moment. The problem that you have there is that these attacks are coming from all angles, and you now need an intelligent way of looking at this. This is where something like Microsoft Graph comes in. This is a system that Microsoft has that actually monitors up to six billion bits of information a day – and that’s everything from emails to our Xbox servers, to our Bing servers. We are seeing what sort of attacks may be coming before they come, and actually put this out to our customers and say: “Hey, look out for this.” And the systems that they have are actually automatically taking defence against what may potentially come. So that’s threat protection.
The third thing is information protection. Now, at the end of the day, the information is what criminals are after. So we need to make sure that we are protecting our information as well; so we are classifying, we are tagging, our data. We are making sure that data is being taken care of from an encryption point of view, as an example as well.
And then the fourth point really is cloud security. I think this one is equally important because all organisations or most organisations are on the cloud today. They’re in many clouds. Their replications sit in those clouds, their data sits in the cloud, so we need to think about how are we securing our information when it’s on the cloud as well.
Those really are the four ways – or the four ways I like to think about a security strategy.
CIARAN RYAN: Okay. So Microsoft talks about “zero-trust” as a security strategy. Just explain what zero-trust is, and how companies can apply it.
COLIN ERASMUS: That’s brilliant. I think the way we put this all together at the end of the day is the zero-trust security strategy. And really, at the end of the day, you’re coming at security from the premise that you trust nothing as the starting point – that really is where it starts.
Now, let’s just break it out a little bit and maybe into a little bit more of a formal definition. We see this as an integrated approach. That’s the first thing. What we’re trying to do is we’re trying to integrate security into everything that we do, as opposed to a bolt-on on top of it. I think that’s critical from two aspects. One is being able to streamline your productivity so you’re not affecting your productivity, and secondly, getting those bits of information that I spoke about to connect and speak to each other.
Then the second bit of this is around adaptive controls. What do I mean by that? Let me give you a really good example. You’ve now got this great security in place, you’ve got some identity and access protection in place, and somebody logs on in Johannesburg. Two hours later you get a log on from the same IP address, for example from Hong Kong or the US or whatever it is. Now you go, hang on, that’s not possible. So what we do on the fly with those adaptive controls is we say: “Hang on, we don’t believe you are who you say you are. So we now want you to provide a second or third piece of authentication to understand who you may potentially be.” That may be something like: “Well, we’re going to phone you on your phone now, and you need to authenticate on your phone.” So it’s something that you have in your possession. That’s the adaptive controls piece.
And then the last piece is the continuous verification and monitoring across your entire digital estate. We’ve spoken a little bit about that as well, and that’s really where the AI comes in – to make sure that there’s nothing untoward going on in your network. That really is the zero-trust approach. Ciaran, we do find that a lot of organisations today have actually started to look at this, and started to implement portions of this architecture.
CIARAN RYAN: Okay. Let’s pivot now towards the Protection of Personal Information Act. The act came into force on July 1 of this year. I think a lot of companies kind of understand it, but are they prepared for it? That’s the real question. There are huge obligations on them if they fall foul of this act. So it’s going to become a part of everybody’s compliance and regulatory issues going forward, right?
COLIN ERASMUS: Correct. At a very high level, this has now been promulgated into law. So, to your point, it is going to become something that we need to comply with. I’ll say again, and there’s a little bit of a mantra that we talk about with organisations, which is “know your data”. So know what you have, protect your data. Apply the technologies against those that it’s protecting, and then govern your data at the end of the day. So make sure you’ve got good governance structures in place. That’s what we need going forth.
CIARAN RYAN: Okay. Let’s talk about remote working because millions of people around the world and in South Africa are now working from home. That also does have an impact on cybersecurity issues, because you’ve got people logging into the cloud from different locations. What are some of the issues that have to be confronted by companies when it comes to remote work?
COLIN ERASMUS: Ciaran, that’s a good point. I think everything that we may have spoken about needs to be considered under “remote working”. I think we talked about things being in three stages when we were looking at remote working specifically. And those three stages were really a response.
We’ve passed the response now when we got locked down as a country or as a globe, people [were] responding to this and they were deploying video conferencing facilities and so on. Then we go into a recovery mode, which is, I think, where we pretty much are today. Everyone’s now in that recovery mode. And then I think the third one is reimagine. I think that’s the exciting bit.
Now everyone talks about this “new normal” potentially. What does it look like? I believe we are potentially going to be there. I think that organisations, as they start going back to work, are going to adopt this hybrid approach to the workspace, where people can come in and work. They can then be off-site and work. And, in fact, we’ve seen some great productivity increases with remote work as well. But, having said that, to your point we need to make sure that we are doing this securely. So, as people are now working from home, as we’re extending our networks and we are changing our network parameters, we need to make sure that with everything we’ve spoken about – things like applying a zero-trust principle, looking at things like insider risk management – what are these guys doing? What data is being collected [and] where it’s been sent. These are all critical to look at under the “remote work” banner as well. So I think with everything we’ve spoken about – people need to think about the fact that things have changed, networks have changed, devices have changed, and they just need to apply those security principles to choose the remote work scenarios.
CIARAN RYAN: All right. There’s a lot to think about there, Colin. Thanks very much for that. That was Colin Erasmus, Modern Work Business Group Lead at Microsoft South Africa.
Brought to you by Microsoft South Africa.