Hacking South African companies takes less than one minute

Originally published at: http://www.camargueum.co.za/article/21062017/hacking-south-african-companies-takes-less-one-minute


When it comes to securing a business against cyber threats, the talk, money and focus seem to be on internal networks, systems and virtually everything inside the organization. Antivirus software, firewalls and intrusion and fraud detection are often discussed with executives who are responsible for looking after their businesses. But when I asked, ‘How many passwords have already been leaked?’ and, ‘Is someone targeting your organization? Is your information for sale?’ I was met with blank stares from the company executives. Indeed, the external world isn’t considered in many business agendas.

The basic principle of cyberspace is that if you don’t know what you have, you can’t secure it. When it comes to ICT assets and systems, most companies seem to understand what they have on their premises. But nobody knows what’s outside. During discussions, no single company was using only their internal systems; everyone was relying heavily on external vendors, supply chains and cloud providers. And the future brings even more interdependencies – almost everyone has a plan to cut their own assets.

While reducing the number of systems on one’s own premises makes defending them easier and cheaper, the role of the known unknown – the external world – grows exponentially. The probability of a breach at an external party, exposed credentials, sensitive-information disclosure or an actual data breach of your own grows, and for inward-looking organizations there are no direct ways to reduce these risks. When we can’t control everything, the question is: ‘What can we do?’

Exploring cyberspace is like walking the streets – and South Africans are very streetwise. You need to know who to trust and which route to take in order to stay safe. The next thing is to get cyber-wise: choose smart passwords, avoid online scams and pick reliable service providers. The good news is that cyber awareness training is cheap and effective compared to technology investments. The bad news is that anyone who isn’t trained will act against you unintentionally! That means time is money.

Another thing is to understand your organization’s current and past exposure. What has been leaked already? Are hacker groups targeting you? Where is leaked information coming from, and whose passwords have been compromised? This is only a starting point, but it is the most valuable security measure you can have when going asset light. Get your exposure assessed (and preferably monitored) at a pace you can handle.

Just to give a ballpark figure: The top 100 Johannesburg Stock Exchange companies have over 1,000 active usernames and passwords available – EACH. Those credentials provide instant hassle-free access to the organization without anybody asking or noticing. So my recommendation is to find what’s out there already; mitigate any findings; and train your staff so that you have your entire team working with you – not against you.
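The two practical steps above (find what is already out there, then mitigate) can be made concrete. The following is an added example, not code from the original article or from its author: it parses a small breach dump constructed inline, lists which accounts of the organisation's mail domain appear in it, flags passwords reused across several of those accounts, and lets a user check whether a password is in the dump with a k-anonymity style lookup in which only the first five hex characters of the SHA-1 leave the client. The domain `example.co.za`, the records and the passwords are all constructed; the dump format (`email:sha1_hex`, unsalted) is an assumption for illustration.

```python
"""
Added example (not from the original article): a defender-side check of
leaked-credential exposure against a constructed breach dump.
"""
import hashlib
from collections import Counter

ORG_DOMAIN = "example.co.za"  # assumption: the organisation's mail domain

def _sha1_hex(s):
    return hashlib.sha1(s.encode()).hexdigest()

# Constructed sample dump in "email:sha1_hex" form (not real data).
# Unsalted SHA-1 is assumed only so that reuse across accounts is visible.
BREACH_DUMP = "\n".join([
    "alice@example.co.za:" + _sha1_hex("Summer2017!"),
    "bob@example.co.za:"   + _sha1_hex("password123"),
    "carol@other.example:" + _sha1_hex("hunter2"),
    "malformed line without a colon",
    "dave@example.co.za:"  + _sha1_hex("Summer2017!"),
])

def parse_dump(text):
    """Return (email, sha1_hex) pairs, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, digest = line.split(":", 1)
        digest = digest.strip().lower()
        if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
            continue
        records.append((email.strip().lower(), digest))
    return records

def exposed_accounts(records, domain):
    """Sorted list of addresses at `domain` that appear in the dump."""
    suffix = "@" + domain.lower()
    return sorted({email for email, _ in records if email.endswith(suffix)})

def reused_hashes(records, domain):
    """Hashes shared by more than one account at `domain` (password reuse)."""
    suffix = "@" + domain.lower()
    counts = Counter(d for e, d in records if e.endswith(suffix))
    return {d for d, n in counts.items() if n > 1}

def range_index(records):
    """Server side of a k-anonymity lookup: 5-char prefix -> set of suffixes."""
    index = {}
    for _, digest in records:
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

def password_is_leaked(password, index):
    """Client side: only the 5-char prefix would be sent; the suffix is
    compared locally, so the full hash never leaves the client."""
    digest = _sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())

if __name__ == "__main__":
    recs = parse_dump(BREACH_DUMP)
    idx = range_index(recs)
    print("exposed accounts:", exposed_accounts(recs, ORG_DOMAIN))
    print("reused hashes:", len(reused_hashes(recs, ORG_DOMAIN)))
    print("'Summer2017!' leaked:", password_is_leaked("Summer2017!", idx))
    print("'CorrectHorseBatteryStaple' leaked:",
          password_is_leaked("CorrectHorseBatteryStaple", idx))
```

The exposure list is what you would act on first (forced resets, MFA, monitoring of those accounts); the reuse check shows which findings cut across several users and so deserve a policy fix rather than individual resets; the prefix lookup is the pattern to use when checking passwords against a third-party breach corpus without handing it the full hashes.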