Why information security is HR’s problem

By , ITWeb
17 Apr 2013

Information security has become a global battlefield, with attackers becoming increasingly sophisticated. Cyber crime is one of the fastest-growing areas of crime today, and the most common target is enterprise information.

Staying ahead of potential attacks and mitigating the risks is now as much the responsibility of business management as it is of the IT department. And business management must ensure that all staff are trained and aware of the potential information security risks, making information security partly the responsibility of HR and training executives.

Local information security experts note that people are still the weakest link in information security strategies.

Henry Peens, MD of Yelloworx Information Security, says: “The ignorance factor is immense. Management cannot just assume that all staff are IT- and security-savvy.” Peens has been involved in implementing new Symantec Staff Security Awareness training modules at local enterprises in recent months, and says the pre-training assessment ratings being seen are exceptionally low. “On average, we are seeing staff have an information security knowledge rating of between 18% and 22%. This came as a surprise to their IT departments.”

The assessment questionnaire covered issues as basic as whom staff should report security breaches to, says Peens, and many did not know.

“HR needs a better understanding of the information security issues and the training that is available to help the company avert these threats,” says Peens.

Another area where HR needs to focus on information security is cyber forensics. In cases where employees have committed crimes using company networks and data, the ability to prosecute depends on the availability of evidence within the systems. Cyber forensic specialist Danny Myburgh, head of Cyanre, says South African enterprises are hampering their ability to prosecute cyber-based crimes against them, due to a lack of forensic readiness.

“In the past eight months, we’ve seen a sudden increase in the number of local individuals and organisations targeting local companies for industrial espionage. The spyware in use is very sophisticated and appears to focus on company communications, including email communications, internet usage and online chat,” he says.

The main targets for this spyware, Myburgh says, are senior management, finance departments, R&D and sales. Cyanre’s investigations reveal that spyware is most often introduced into the target system by “thumb drive thugs” – employees who knowingly install it using a memory stick or mobile device.

Myburgh says: “In around 75% of cases we investigate, we find there was inside involvement - usually deliberate.”

Forensic readiness is crucial to successful investigations and prosecutions, says Myburgh. “Enterprises need to conduct audits of their systems and processes to ensure that if there is a breach, their systems are configured to allow a successful investigation. Often, you will find too many people have the system administrator password, for example, or their system recording is not switched on. Organisations need to look at forensic readiness as part of their overall risk management and corporate governance. They must focus on ‘can we determine after the event who did what on the system, and how do we prove it?’.”
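The two readiness gaps Myburgh names, an oversized administrator population and system recording that is switched off, are the kind of thing a readiness audit can check mechanically. The following is an added example, not code from the article or from Cyanre: it parses constructed `/etc/group`-format text and constructed status lines in the style of `auditctl -s` output, and reports whether each control passes. The administrator threshold (`MAX_PRIVILEGED_USERS`), the sample account names and the audit status values are all assumptions made up for the example; nothing is read from a live host.

```python
"""Forensic-readiness spot check over constructed inputs.

Added example (not from the article): evaluates two controls from the text,
  1. how many accounts hold administrator rights (least privilege), and
  2. whether audit logging ("system recording") is enabled.
"""
from dataclasses import dataclass

# Constructed sample: /etc/group lines for a hypothetical server.
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice,bob,carol,dave,erin,frank
wheel:x:10:
developers:x:1001:alice,bob
"""

# Constructed sample: key/value lines in the style of `auditctl -s` output,
# with the audit subsystem switched off.
SAMPLE_AUDIT_STATUS = """\
enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
"""

MAX_PRIVILEGED_USERS = 3  # assumed policy threshold, not from the article


@dataclass
class Finding:
    control: str
    passed: bool
    detail: str


def parse_group_file(text):
    """Return {group_name: [members]} from /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def privileged_users(groups, admin_groups=("sudo", "wheel", "root")):
    """Distinct accounts that appear in any administrator group."""
    users = set()
    for group in admin_groups:
        users.update(groups.get(group, []))
    return sorted(users)


def parse_audit_status(text):
    """Return {key: value} from 'key value' status lines."""
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            status[parts[0]] = parts[1]
    return status


def assess_readiness(group_text, audit_text, max_admins=MAX_PRIVILEGED_USERS):
    """Evaluate both controls and return a list of Finding objects."""
    findings = []

    admins = privileged_users(parse_group_file(group_text))
    findings.append(Finding(
        "least privilege: administrator population",
        len(admins) <= max_admins,
        f"{len(admins)} accounts hold administrator rights "
        f"({', '.join(admins)}); policy limit is {max_admins}",
    ))

    status = parse_audit_status(audit_text)
    audit_on = status.get("enabled") == "1"
    findings.append(Finding(
        "system recording: audit logging enabled",
        audit_on,
        "audit subsystem enabled" if audit_on
        else "audit subsystem disabled: 'who did what' cannot be answered after the event",
    ))
    return findings


def is_forensically_ready(findings):
    """True only when every control passes."""
    return all(f.passed for f in findings)


if __name__ == "__main__":
    for finding in assess_readiness(SAMPLE_GROUP_FILE, SAMPLE_AUDIT_STATUS):
        print("PASS" if finding.passed else "FAIL", finding.control, "-", finding.detail)
```

Run against the constructed samples, both controls fail: six accounts sit in the `sudo` group against a limit of three, and `enabled 0` means nothing is being recorded. A real audit would feed the same functions the host's actual `/etc/group` and `auditctl -s` output, and extend the checks to log retention and central log forwarding, since evidence that only lives on the compromised host is easy to lose.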

Combating cyber crime and reducing risks to the company’s data and reputation depends on awareness and effort by every employee in the company. Andrew Potgieter, Business Unit Manager at Westcon Security, says more focus is needed on security awareness at an individual level. “This is particularly true in the bring your own device era, where enterprise information and personal information reside on the same mobile devices.”

The information at risk is not only customer contact details and financial results, he points out. Serious reputational risk could occur if an email containing a random comment found itself in the wrong hands, or if communications relating to a pending merger or acquisition went public, for example.

Potgieter says: “Enterprises have a responsibility to their shareholders and customers to secure information, and it is the responsibility of business management and HR to create awareness and deliver the necessary training.”

HR and training managers will have the opportunity to discover the latest information security threats facing enterprises, and what solutions and staff training tools are available, at the annual ITWeb Security Summit at the Sandton Convention Centre from 7 – 9 May 2013. The conference, to be addressed by the world’s top cyber security experts, will also include a solutions expo and workshops aimed at both business management and information security specialists.

For more information about the ITWeb Security Summit, visit www.securitysummit.co.za

Editorial contacts
Jacqueline de Gouveia 
jacky@tradeprojects.co.za
(+27) 11 869 9153