Research conducted by KnowBe4[1] found that one out of three people is likely to click on a suspicious link or comply with a fraudulent request. For this reason, phishing remains a valid concern for organisations. The primary objective of phishing is to get someone to click on a link or open a malicious attachment, and a large share of successful cyber-attacks begin with exactly that: a victim clicking a malicious link or opening a malicious attachment. These malicious attachments and links can be delivered via email, SMS, instant messaging, or any social media platform.

Another concern is identity theft and impersonation, which means using someone else's identity online to act as them. This can be as simple as a fake social media profile where someone pretends to be someone else. It can also be as serious as someone taking out a loan or a cell phone contract in a victim's name.

System downtime refers to anything that prevents an organisation's platform from servicing its customers. It is important to note that third-party service providers such as authentication services and payment gateways can directly affect the ability of an organisation's system to service its clients. Anything in the supply chain that can prevent customers from completing an online transaction is a point of failure that could impact system and service availability.

Lastly, standard cyber concerns such as weaknesses in software (vulnerabilities) and malicious software (malware) remain an active threat and area of concern. Given the interconnectedness of systems and platforms, the attack surface is effectively unbounded. Anyone with a computing device, anywhere in the world, of any skill level can launch attacks against us. Most of these attacks are opportunistic rather than targeted, but the impact on the organisation that is hit is the same.

Security Non-negotiables

As providers of technology systems and platforms, it must be acknowledged that security is a shared responsibility between the service provider and the customer. Customers, however, might not understand this; specifically, it may be unclear to them what their responsibilities are as they pertain to cybersecurity. The guidelines below, in the order presented, are the non-negotiable areas for ensuring the protection of data.

  1. Educate customers: A study conducted by KnowBe4 in 2022 found that only 38% of respondents believed they fully understood their security roles and responsibilities, and only 21.25% strongly agreed that the cybersecurity training they received from their employers was adequate[1]. Given that security is a shared responsibility, the first step is to educate customers and users on their responsibilities and on general cyber hygiene. User education must be consistent yet not overwhelming, and should not adversely impact the overall user experience.

  2. Secure the supply chain: All businesses depend on service providers in some way, shape, or form. In the eCommerce space, for example, this may include hosting providers, payment gateway providers, external attorneys, marketing agencies, and so forth. Because suppliers can impact the availability of an organisation's service offering, its reputation, and the trust of its customers and other stakeholders, it is important to ensure that the level of service delivery and security from service providers meets your business requirements. In May 2023, one of Uber's suppliers suffered a data breach, and Uber made news headlines and took the reputational damage for a supplier's failure[2]. In practice this means that supplier contracts and onboarding should state security requirements (for example, breach notification timelines and evidence of security controls), and that critical suppliers should be reviewed periodically rather than only at onboarding.

  3. Secure the identity: Identity is the point of most friction for the customer, and therefore an area that warrants proper consideration and planning. In 2022, the world's most used password was the word "password", followed by "123456"[3]. This makes identity the area of most concern as well. For organisations with sufficient budget, a Customer Identity and Access Management (CIAM) solution is ideal. For smaller organisations, at minimum, support for Multi-Factor Authentication (MFA) together with a sound password policy should be implemented. User education is key: customers do not mind extra steps if they understand why, and the technology works. If a user needs to enter a one-time password (OTP) delivered via SMS, ensure that the SMS provider can deliver the message in 3 seconds or less. Note also that SMS is the weakest second factor (it is exposed to SIM-swap and interception attacks), so an authenticator app or passkeys should be offered where customers can use them.

  4. Understand regulatory obligations: Depending on where you are located, the nature of your business, the type of data you collect and process, and the payment options you offer, you may have certain regulatory obligations. Examples include PCI DSS, POPIA, GDPR, and similar. Like other statutory business requirements, you must understand your obligations as they pertain to data protection, privacy laws, information and cybersecurity laws, industry standards, and regulations.

  5. Maintain updated software: All non-trivial software contains weaknesses (vulnerabilities), some of which are exploitable. Software vendors regularly release software updates, also known as software patches, to address them. It is important to update applications and hosting platforms to protect eCommerce websites from cyber threats. In July 2022, Palo Alto released a report stating that attackers begin scanning for a vulnerability within 15 minutes of its public disclosure[4]. This highlights the importance of having a defined process for software updates: one that inventories what is deployed, prioritises internet-facing components, and has an emergency path for vulnerabilities that are being actively exploited.

[1] 2023-KnowBe4-African-Cybersecurity-Awareness-Report-Research_EN-GB.pdf

[2] Third Party Security Breach Is Uber's Third Breach in 6 Months – BreachLock

[3] Most common passwords of 2022—make sure yours isn't on the list (cnbc.com)

[4] Hackers scan for vulnerabilities within 15 minutes of disclosure (bleepingcomputer.com)
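As an added illustration of the "Secure the identity" guideline (this is example code written for this page, not code from the original article or from any of the vendors it cites), the following Python shows the two minimum controls side by side: a password screen and an RFC 6238 TOTP verifier of the kind an authenticator app uses. The password check follows NIST SP 800-63B in preferring length and a denylist of known-common passwords over character-class composition rules. The denylist is a constructed handful of entries standing in for a full breached-password corpus, and the shared secret is the RFC 6238 reference secret; both are placeholders and must not be used as-is.

```python
import base64
import hashlib
import hmac
import struct
from typing import List, Optional

# Constructed denylist for this example only. A real deployment screens
# against a full breached/common-password corpus, not a hand-picked set.
COMMON_PASSWORDS = {
    "password", "123456", "123456789", "qwerty", "12345678",
    "111111", "password1", "iloveyou", "guest", "123123",
}


def check_password(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means accept."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 4:
        problems.append("fewer than 4 distinct characters")
    return problems


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based OTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP with the 30-second time step as the counter."""
    return hotp(secret, timestamp // step, digits)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the shared secret, as authenticator apps expect it in QR codes."""
    return base64.b32encode(secret).decode("ascii")


def verify_totp(secret: bytes, submitted: str, timestamp: int,
                last_counter: int = -1, step: int = 30,
                window: int = 1, digits: int = 6) -> Optional[int]:
    """Check a submitted code against the current time step and `window`
    steps either side (tolerates clock drift and delivery delay).

    Returns the matched counter so the caller can persist it, or None.
    Counters at or below `last_counter` are refused, so a code that was
    captured (phished, intercepted) cannot be replayed within its window.
    """
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return None
    counter = timestamp // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue
        # constant-time comparison so the check does not leak which digits matched
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


if __name__ == "__main__":
    SECRET = b"12345678901234567890"  # RFC 6238 reference secret, placeholder only
    print(check_password("Password", "alice"))
    print(provisioning_secret(SECRET))
    now = 59  # RFC 6238 test-vector timestamp; use int(time.time()) in practice
    code = totp(SECRET, now)
    matched = verify_totp(SECRET, code, now)
    print(code, matched)
    # the same code is refused once its counter has been recorded
    print(verify_totp(SECRET, code, now, last_counter=matched))
```

The verifier returns the matched counter rather than a bare boolean so the login service can store it per user and refuse any later submission at or below it; without that, a one-time code is reusable for the whole drift window, which is exactly what a phishing relay needs. The same `verify_totp` logic applies to an SMS OTP if the server generates the code with `totp` and sends it, but the caveat in the guideline above still holds: SMS delivery adds latency and exposes the code to SIM-swap and interception.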