
Homeland security


On the eve of the recent French presidential election, 9GB of data from the soon-to-be-winning candidate’s campaign’s private files was posted to a filesharing site. The leak was reminiscent of the repeated cyber attacks on Democrat candidates in the US elections last year, and underlines the point that currently, whether it’s the commercial, political or personal world, hacking is a fact of life that's not going away anytime soon.

As chance would have it, while that huge data dump was being uploaded to Pastebin, The Margin was hosting a roundtable discussion with 12 of South Africa’s leading cyber security experts. They gathered to discuss some of the big issues around security, channel opportunities and what – if anything – can be done.

Some issues remain that are perennial, some are new and rising fast, some global, and some are very local indeed.

Spending increase

The first topic was the thorny issue of spending. We know that, thankfully, CIOs and CTOs are increasingly concerned about security. But are the budgets there to match?

Vernon Fryer, chief information security officer at technology group XON/NEC Africa, believes budgets are rising.

“I was at a conference in KwaZulu-Natal recently,” Fryer says. “We did an off-the-cuff calculation and it came out to around a 3.1% increase, most significantly in the telecoms sector. This was primarily as a result of the threat landscape changing. The number of distributed denial of service (DDoS) attacks on telcos has increased tremendously.”

While spending increases are to be welcomed, the CEO of Tarsus SecureData, Mike Rogers, raises fears they aren’t rising fast enough against inflation and, taking into account rand/dollar depreciation, might even be falling in real terms.

“That’s a big concern given that the threat landscape has definitely increased,” Rogers says. “There’s more data around, more businesses have digitised, and I would expect to see much bigger increases.”

It’s not just about the money. Simon McCullough, major channel account manager, F5 Networks, reckons that spending patterns aren’t keeping pace with new threats either.

“Ninety percent of spending is still going on perimeter solutions,” McCullough says.

“Whereas the attacks today are on user identity or the application space, because that’s the easiest way to get to the data.”

Is ‘good enough’ enough?

Jayson O’Reilly, director for sales and innovation at DRS, says there are still big gaps between verticals and market segments.

Large enterprises are maturing in their approach, he says.

“Moving into the commercial markets, though, ‘good enough’ is still the thing,” O’Reilly states. “And, for small companies they just need things done cheaper.”

“The problem for the SME and commercial market,” observes Fred Mitchell, division manager: software solutions at Drive Control Corporation, “is that they’re very small. There’s not even a board. There’s a leadership team of two people and they suffer from the ‘it won’t happen to me’ syndrome. They don’t realise the impact it can have on their business if someone accesses all their information and takes it away, their business can close down.”

Mitchell says that despite efforts to educate businesses about the risks, security is still very much a grudge purchase in many firms.

Panda Security MD Jeremy Matthews says part of the challenge is that as risks evolve – and notably with the increase in ransomware – there’s a financial shift that small businesses aren’t used to and haven’t been prepared for.

“They’ve got to begin moving from anti-virus (AV) to end-point detection and response-based security,” Matthews adds.

“But that’s going to cost them a whole lot more money, which is where you get resentment. They’ve been used to an AV bill of a couple of hundred rand.”

Attacks coming via mobile devices and malware which evades traditional AV signature detection are on the increase, but SMEs aren’t prepared to spend, states Matthews, until after they’ve already been hit.

The people problem

To a certain extent, a similar attitude can be found in big businesses, even if it’s not at the decision-making level. One of the big challenges for security practitioners is that people are still the weakest link. Even though they know they shouldn’t click on that e-mail attachment, they do. Company security policies are easily ignored in the 'bring your own device' age.

Craig Rosewarne, MD of Wolfpack Information Risk, says the best approach he’s come across when it comes to raising awareness and educating around risk is to talk about people, not policies.

“Once you explain that it’s about them and their friends and their families, and protecting themselves, they get it,” Rosewarne says.

“They stop pushing back and understand why they need security.”

Cisco’s Paul Beyleveld, a consulting systems engineer with the EMEAR security engineering team, concurs. “Once you explain that it’s their grandmother’s pension fund, or the photos on their laptop that might be at risk, it suddenly becomes real. If it’s a big company and the company tells you to do x,y and z to comply with policies, it’s just another thing that you do grudgingly.”

The panel agrees that education should be a priority. Lutz Blaeser, MD at Intact Software Distribution, says it should start as early as possible.

“It starts at school level,” Blaeser says. “If you provide the education department with tools they can secure their infrastructures with, and let the children learn about the necessity around security, it'll grow up automatically around them.”

Incoming legislation

On the whole, the panel broadly supports incoming legislation such as PoPI and the Cyber Crimes and Cyber Security Bill.

Tarsus’ Rogers says that the Cyber Crimes Bill provides a necessary framework for prosecution, which will not only bring criminals to justice but also – along with new obligations to disclose security breaches to customers – helps raise awareness of issues.

“I still have concerns about our ability to enforce,” Rogers says. “There’s issues like our ability to protect an environment such that you can build a case around it. You have a conflicting pressure if there's been a breach, you want to get back to business as quickly as possible. You want to minimise the damage and get back up and running. That’s a conflicting requirement to protecting forensic evidence for a prosecution.”

Concerns about enforcement go even deeper through the industry. The Cyber Crimes Bill, for example, calls for a coordinated hub and task force, but the skills required are currently in desperately short supply within the police agencies (outside of forensics).

“It’s going to take a while before we can build up those capabilities,” states Rogers.

“It took 11 years just to get that document [the second draft of Cyber Crimes] together,” agrees Fryer.

Outside of criminalisation of cyber security offences, legislation is having some effect.

“Last year, we had talks to the boards of 12 big companies, and we thought that was brilliant,” says Rosewarne. “Normally when you get to the CIO you’ve got to the top. But we realised it wasn’t that the board members wanted to be there, it was because they were forced to be there. Especially in the financial sector. Although we spent a lot of time with them, they were doing it purely for compliance. They’re concerned, but it’s very reactionary to PoPI and the auditing requirements of King IV.”

One area of disappointment with government approaches so far is the lacklustre attempt at industry coordination.

O’Reilly points out the huge amount of collaboration and data sharing that goes on between big vendors and their security hubs overseas, and laments how little happens locally. An industry-wide security alert service is mostly unused, for example, and there’s little real research that comes out of South Africa on the subject.

“Even for those around the table,” says LAWtrust founder Maeson Maherry, “how often does this kind of thing happen? It starts with a willingness to get involved with these things. Even though in some areas we might compete, when we're thrown together we work quite happily. We're a like-minded community.”

The proposed cyber security hub in the Cyber Crimes Bill could be a catalyst, says Beyleveld.

“The thing we need to be mindful of is that security is a hot topic at the moment, there's not been as much buzz in the marketplace since the Y2K bug,” Beyleveld says. “We have channels to take advantage of that, through social media, but on our personal levels, are we uploading videos, are we participating in science, maths and technology education? We're all busy, we're all running from dawn ‘til dusk fighting fires. We struggle to sit down and formulate a plan and take an approach. There could be an approach via the cyber crimes hub to get academics involved and formalise processes.”

Skills gap

It’s not just police and educators struggling with skills, however; there’s a critical shortage of security specialists industry-wide. The good news, says Rosewarne, is that there’s now more interest in security training than before, because it’s being seen as an exciting career rather than the dull sibling of app development. He dubs it the ‘Mr Robot effect’.

There are still not enough skills to go round, though, and the concern for government is that private industry can afford to spend more on recruitment.

“I was at an RSA conference recently,” says Maherry. “There were about 40 000 developers there, and it seemed as though one half were just there to try and recruit the other half.”

The beneficiary of the skills shortage is the growth of 'Security as a Service'. From a channel perspective, it’s often the only choice available.

“What we're noticing is the IT support jack-of-all-trades guys have seen the security opportunity, but they can't find the skills to exploit that themselves,” says Richard Broeke, GM of Securicom. “So they look for a managed provider, and they're hitting that SME, sub-2 000 seat market, that's really where the opportunity is.”

“Security as a Service is the only way to go,” Broeke continues. “Security needs skills, and you need the right attitude to develop the skill. Not everyone can be a policeman, it needs a special kind of personality, a special kind of mindset. You need the same kind of mindset to be in the cyber security world. Whereas pretty much anyone can learn how to install Windows or fix Outlook.”

Westcon-Comstor's director: security practice, Andrew Potgieter, agrees. “The old PC engineer job, which flooded the market, came to be seen as what a career in IT was,” he says.

“But it's completely different and the majority can't migrate to security, because the mindset is different. Which is why in our managed business, we're doubling business year on year.”

In summation, then: few skills, not enough collaboration and a lack of faith in the public sector’s ability to deliver on the most promising parts of new legislation leave South Africa – and we’re by no means unique – unprepared for the next generation of threats. But behind that, exceptional talent and understanding do exist within our security sector, along with the right tools in Security as a Service to help and a willingness to come together to meet the challenges we face.

Let’s hope that willingness can be capitalised on in the future.