“Users are the weakest link in security”

H.L.-B |

29 May 2017


You can have the best firewall, and it takes only one employee to click on something he should not, and your company is hacked. For Rudi Dicks, Graham Croock and David Cohen, three experts from BDO South Africa, it all comes down to training and creating awareness because companies will never be cyber secure, but cyber ready. 


Even the most sophisticated computer in the world cannot protect you against a possible cyber-attack or any malware. Why? Confidential data, even secured, can be accidentally undone, in a matter of seconds, by one employee. Hackers are being creative, and they find means and ways to attack the weakest link in cybersecurity, that is users. It is called social engineering.

“Users are the weakest link in security. You can have the best firewall, and it takes only one employee to click on something he should not and you are done. Take the Stuxnet virus example a few years back. There was no internet or wireless. It must have been spread largely by human hands”, says Rudi Dicks, Cyber Security Expert at BDO South Africa, during the BDO Cyber Security Seminar held on Wednesday at Voilà Bagatelle.

 Creating awareness

Social engineering can take many forms. It relies on the user’s carelessness, lack of awareness or sometimes their human kindness to get the information that helps hackers sneak in a company’s system or physical location.

For example, a person who comes to the receptionist and secretary saying coffee fell on his Curriculum Vitae (CV). He really needs it for an interview, and asks the employee to help by making a new printout. Once the employee inserts the USB in the company’s system, the hacker gets full access to the data. Another example might be where the attacker may make emails appear to come from someone the target knows, a source they would trust or which contain information relevant to the target’s professional role. One click on the link and the damage is done.

“It all comes down to creating awareness. It’s about education. Nearly half of all ransomware attacks begin by criminals persuading an employee to click on an email,” explains Graham Croock, director of IT Audit, Risk & Cyber Lab at BDO South Africa.

Some of the other key lessons learnt during the seminar are:

  • In the WannaCry attack, companies received messages saying that their “files are encrypted” and the hackers asked for payment in bitcoin. One bitcoin would be around MUR 70 000. “The problem with paying the hackers is that they are going to take the money, invest in further research and develop another virus to attack you again because they know you are going to pay,” warns Rudi Dicks.
  • Five or ten years ago, no one focused on cyber risk. Nowadays, cyberspace cannot be dissociated from what we call risk management. The best security against ransomware is to continuously update the system.
  • The board of directors has the overall responsibility for the organization’s cyber and information security. “You should have the right people talking to the board about cyber security management. You can also have an IT Steering Committee,” suggests Graham Croock.
  • The best places for open source are universities, and cyber criminals exploit these.
  • Vulnerabilities are created via connected devices. Everything is connected, from the watches to the houses. “We used to talk about the Internet of Things. It is now the Internet of You. All it takes for a hacker is to the information, and he can do his job. Connectivity is the problem, but we cannot do without it,” says Graham Croock.

Because attacks are becoming easier to create, prevention is better than cure. The experts suggest to do the best risk assessments, get explicit approval to process privacy information, make sure that processing agreements with third parties are secure and involve the Board of directors to get things done. One should also understand the role of cyber drivers, that is being aware of all sensitive data and ensuring a constant monitoring, to know what is happening on the company’s system.

Next, we should identify determining factors. “Is it a lack of management? Are policies and procedures lacking? Are your staff educated and motivated regarding cyber exposure?”

“Make sure to have an up to date cyber security strategy and allocate sufficient funds to the IT. You cannot keep up to date with the rate malware is being developed,” explain the experts.


Cloud does not fix everything

It backs up and centralizes the content in one safe place no one can see, but you. “People think Cloud fixes everything. It does not. You still have responsibility and liability. If I get access to your computer, I get access to your data,” says Rudi Dicks.

For Graham Croock, people should not be “fooled in thinking” that Cloud is secure. “It’s the next big area where attack will come. Don’t rely on a single Cloud with all your data. Distribute the data among different Cloud, else if the only one you use is brought down, all your data goes away,” he added.