In the present technological age, where almost every organization relies to some extent on technology and telecommunications, it is not a case of 'if' a cyber security breach will occur but rather a matter of 'when'. As businesses and organizations such as banks, small and medium scale enterprises (SMEs), and educational institutions migrate their activities and services online, they take on with them the threat of cyber security breaches.
Many businesses and individuals in Ghana now rely on ICT as a critical tool for deploying innovative business operations, products and services, and customer-directed strategies that help them achieve their business objectives. Security breaches, when they occur, may result in a myriad of issues: loss of customer data, compromise of systems leading to their unavailability, loss of data integrity, and reputational and revenue loss, among others. Improving defensive measures is therefore more of a must than ever before, so that direct cyber-attacks on traditional targets like banks and other online entities become difficult and costly for the attacker.
Because of present and emerging threats such as malware, Distributed Denial of Service (DDoS) attacks, phishing, social engineering, zero-day attacks and a host of others, businesses and organizations especially need to adopt a preventive rather than a purely reactive approach. Prevention goes a long way, but it is not the whole answer: a zero-day attack, by definition, exploits a flaw for which no patch yet exists, so preventive controls must be paired with the ability to detect and respond to an attack that gets through.
Businesses and organizations should consider these and other information security strategies to help protect the Confidentiality, Integrity, and Availability (CIA) of their technologies and data:
- Putting in place an information security governance process that is aligned with the business goals and objectives. This must have buy-in and acceptance from the board of directors, senior management, and other critical decision makers, since the controls below need budget, authority and ownership to be effective.
- Putting in place security awareness and education programs that educate everyone from senior management through to system administrators and all other users in the organization. This should not be a one-off exercise but should be carried out periodically, as phishing and social engineering target people rather than technology.
- Staying current with preventive and defensive controls, in terms of the security tools that protect the business's infrastructure. This includes firewalls, IDS/IPS (Intrusion Detection Systems/Intrusion Prevention Systems), WAFs (Web Application Firewalls), anti-malware software, and logging and monitoring. These tools only deliver value when they are configured for the environment, kept up to date, and their alerts and logs are actually reviewed by someone.
- Putting in place a hardening and patch management process to ensure that all business systems are kept up to date with vendor security patches, and that unnecessary services, default accounts and default credentials are removed or changed. This reduces the likelihood of attackers exploiting known vulnerabilities in unpatched or poorly configured systems, which remains one of the most common routes into an organization.
- Performing proper security assurance on all products and services before they are launched. This includes regular vulnerability and penetration assessments to validate that critical security controls are in place both before and after launch, since new code and configuration changes can reintroduce weaknesses.
- Making regular backups of key business data and systems, and making sure they are stored in secure environments. At least one copy should be kept offline or otherwise isolated from the production network, so that malware which compromises the live systems cannot also destroy the backups, and restoration should be tested periodically. This aids the fast recovery of business operations in the event of a disaster or a successful attack.
Cyber criminals can be likened to antibiotic-resistant bacteria: the more you treat the illness, the quicker they evolve and find new ways of infecting your systems and doing damage. Seen in this light, information security is a never-ending process. The important thing is to stay ahead of the game, and this is achieved by conducting business securely in an environment of increasing threats, with a balanced strategy and implementation that protects the business without obstructing its objectives and goals.
Author: Hector Dotse, Security Assurance Consultant (Member: Institute of ICT Professionals, Ghana)