On the eve of the recent French presidential election, 9GB of data from the soon-to-be-winning candidate’s campaign’s private files was posted to a filesharing site. The leak was reminiscent of the repeated cyber attacks on Democrat candidates in the US elections last year, and underlines the point that currently, whether it’s the commercial, political or personal world, hacking is a fact of life that's not going away anytime soon.
As chance would have it, while that huge data dump was being uploaded to Pastebin, The Margin was hosting a roundtable discussion with 12 of South Africa’s leading cyber security experts. They gathered to discuss some of the big issues around security, channel opportunities and what – if anything – can be done.
Some issues are perennial, some are new and rising fast, some are global, and some are very local indeed.
Spending increase
The first topic was the thorny issue of spending. We know that, thankfully, CIOs and CTOs are increasingly concerned about security. But are the budgets there to match?
“I was at a conference in KwaZulu-Natal recently,” Fryer says. “We did an off-the-cuff calculation and it came out to around a 3.1% increase, most significantly in the telecoms sector. This was primarily as a result of the threat landscape changing. The number of distributed denial of service (DDoS) attacks on telcos has increased tremendously.”
“That’s a big concern given that the threat landscape has definitely increased,” Rogers says. “There’s more data around, more businesses have digitised, and I would expect to see much bigger increases.”
“Ninety percent of spending is still going on perimeter solutions,” McCullough says.
“Whereas the attacks today are on user identity or the application space, because that’s the easiest way to get to the data.”
Is ‘good enough’ enough?
Large enterprises are maturing in their approach, he says.
“Moving into the commercial markets, though, ‘good enough’ is still the thing,” O’Reilly states. “And, for small companies they just need things done cheaper.”
Mitchell says that despite efforts to educate businesses about the risks, security is still very much a grudge purchase in many firms.
“They’ve got to begin moving from anti-virus (AV) to end-point detection and response-based security,” Matthews adds.
“But that’s going to cost them a whole lot more money, which is where you get resentment. They’ve been used to an AV bill of a couple of hundred rand.”
Attacks coming via mobile devices and malware which evades traditional AV signature detection are on the increase, but SMEs aren’t prepared to spend, states Matthews, until after they’ve already been hit.
The people problem
To a certain extent, a similar attitude can be found in big businesses, even if it’s not at the decision-making level. One of the big challenges for security practitioners is that people are still the weakest link. Even though they know they shouldn’t click on that e-mail attachment, they do. Company security policies are easily ignored in the 'bring your own device' age.
“Once you explain that it’s about them and their friends and their families, and protecting themselves, they get it,” Rosewarne says.
“They stop pushing back and understand why they need security.”
“It starts at school level,” Blaeser says. “If you provide the education department with tools they can secure their infrastructures with, and let the children learn about the necessity around security, it'll grow up automatically around them.”
Incoming legislation
On the whole, the panel broadly supports incoming legislation such as PoPI and the Cyber Crimes and Cyber Security Bill.
Tarsus’ Rogers says that the Cyber Crimes Bill provides a necessary framework for prosecution, which will not only bring criminals to justice but also – along with new obligations to disclose security breaches to customers – helps raise awareness of issues.
“I still have concerns about our ability to enforce,” Rogers says. “There’s issues like our ability to protect an environment such that you can build a case around it. You have a conflicting pressure if there's been a breach, you want to get back to business as quickly as possible. You want to minimise the damage and get back up and running. That’s a conflicting requirement to protecting forensic evidence for a prosecution.”
Concerns about enforcement go even deeper through the industry. The Cyber Crimes Bill, for example, calls for a coordinated hub and task force, but the skills required are currently in desperately short supply within the police agencies (outside of forensics).
“It’s going to take a while before we can build up those capabilities,” states Rogers.
“It took 11 years just to get that document [the second draft of Cyber Crimes] together,” agrees Fryer.
Outside of criminalisation of cyber security offences, legislation is having some effect.
“Last year, we had talks to the boards of 12 big companies, and we thought that was brilliant,” says Rosewarne. “Normally when you get to the CIO you’ve got to the top. But we realised it wasn’t that the board members wanted to be there, it was because they were forced to be there. Especially in the financial sector. Although we spent a lot of time with them, they were doing it purely for compliance. They’re concerned, but it’s very reactionary to PoPI and the auditing requirements of King IV.”
One area of disappointment with government approaches so far is the lacklustre attempt at industry coordination.
O’Reilly points out the huge amount of collaboration and data sharing that goes on between big vendors and their security hubs overseas, and laments how little happens locally. An industry-wide security alert service is mostly unused, for example, and there’s little real research that comes out of South Africa on the subject.
The proposed cyber security hub in the Cyber Crimes Bill could be a catalyst, says Beyleveld.
“The thing we need to be mindful of is that security is a hot topic at the moment, there's not been as much buzz in the marketplace since the Y2K bug,” Beyleveld says. “We have channels to take advantage of that, through social media, but on our personal levels, are we uploading videos, are we participating in science, maths and technology education? We're all busy, we're all running from dawn ‘til dusk fighting fires. We struggle to sit down and formulate a plan and take an approach. There could be an approach via the cyber crimes hub to get academics involved and formalise processes.”
Skills gap
It’s not just police and educators struggling with skills, however; there’s a critical shortage of security specialists industry-wide. The good news, says Rosewarne, is that there’s now more interest in security training than before, because it’s being seen as an exciting career rather than the dull sibling of app development. He dubs it the ‘Mr Robot effect’.
There are still not enough skills to go round, though, and the concern for government is that private industry can afford to spend more on recruitment.
“I was at an RSA conference recently,” says Maherry. “There were about 40 000 developers there, and it seemed as though one half were just there to try and recruit the other half.”
The beneficiary of the skills shortage is the growth of 'Security as a Service'. From a channel perspective, it’s often the only choice available.
“Security as a Service is the only way to go,” Broeke continues. “Security needs skills, and you need the right attitude to develop the skill. Not everyone can be a policeman, it needs a special kind of personality, a special kind of mindset. You need the same kind of mindset to be in the cyber security world. Whereas pretty much anyone can learn how to install Windows or fix Outlook.”
“But it's completely different and the majority can't migrate to security, because the mindset is different. Which is why in our managed business, we're doubling business year on year.”
In summation, then: few skills, not enough collaboration and a lack of faith in the public sector’s ability to deliver on the most promising parts of new legislation leave South Africa – and we’re by no means unique – unprepared for the next generation of threats. But behind that, exceptional talent and understanding do exist within our security sector, along with the right tools in Security as a Service to help and a willingness to come together to meet the challenges we face.
Let’s hope that willingness can be capitalised on in the future.