Rapidly evolving cyber threats and attack modes mean that every organisation should assume it has already been breached. The question now is – what to do next?

Not only have cyber criminals become more sophisticated, but enterprise exposure to risk is growing fast, thanks to the advent of the '3rd platform' in computing, delegates heard at the IDC - Fortinet Advanced Threat Protection Network Security Conference held recently in Johannesburg.

Security experts and analysts noted that the external threat landscape has changed, new legislation is set to force greater security awareness, and new technologies are changing the exposure business has to cyber risk. There has never been a greater need for organisations to ramp up their information security strategies, they said.

Lise Hagen, Research Manager, Software and IT Services, Africa at IDC, explained that the so-called '3rd Platform' – encompassing mobility, cloud, big data/analytics and social business – is challenging assumptions about technology use and presenting new opportunities to cyber criminals. "Security has to remain top of mind now," Hagen said. "Organisations must have an actionable security strategy. They need to assess their exposure and security requirements, and procure appropriate security solutions as part of an overall security strategy," she said.

Hagen said the rapidly-changing risk environment means that organisations have to be agile and flexible around network, data, endpoint and even physical security. Among other measures, she recommended that organisations consider a hybrid approach to security, develop a clear strategy on mobile security and not overlook the human factor in mitigating risk. "Critically, organisations cannot afford to be reactive any longer. They cannot sit back and wait for something to happen. Organisations today must be proactive about risk management and governance. An effective security strategy is not a piece of paper – it's a living, breathing approach," she said.

Paul Williams, Major Account Manager at Fortinet, outlined evolving attack mechanisms, from the advanced persistent threats (APTs) that began emerging three to four years ago, to advanced targeted attacks (ATAs) in which attackers seek out specific data that is potentially lucrative for them. Attack lifecycles today can be as long as several years, he pointed out, since attackers might breach a network and test it over a lengthy period before carrying out a large-scale attack.

"Now, companies need to look to proactive threat protection including networks, payloads and endpoints. Their strategy must include mitigation, detection and remediation, because trying to block external threats is not enough. You must assume attackers are already in your systems and ensure you are able to detect them and take action within your own networks," said Williams.

He noted that security had become a critically-important investment for business. "Many people see it as a grudge purchase until they have been hacked," he said.

Hagen added that security solutions spend was set to increase over the next few years as South Africans realised the significance of the risks they faced. "To date, South Africans have been very aware of physical security, but this awareness has not translated to cyber security," she said. This is expected to change in the face of ever-increasing cyber attacks and legislation such as POPI, which will make businesses accountable for the safeguarding of personal information they collect and store.