Spoiler alert: the answer to this question is "not really". However, the subtle differences that do exist are important to acknowledge in order to successfully implement or provide Cyber Security in those locations.
I was interviewed recently for an upcoming article about Cyber Security in a regional African and Indian Ocean magazine called Eco Austral. As I answered the journalist's questions I wondered how different those answers would be if it was for a European magazine.
In this blog article, I will first provide the answers to the four questions I was asked in the wake of recent Ransomware attacks that generated a lot of public attention. I will then expand on those questions and will be looking at the different Cyber Security contexts for those regions in terms of advantages and disadvantages to, finally, identify common opportunities and challenges.
PART 1 - CYBER SECURITY QUESTIONS
- What are the consequences (of Cyber Attacks) for Mauritian and Indian Ocean companies?
- What type of companies are more vulnerable?
- The year 2017: why such relentless attacks from hackers?
- How to avoid Cyber Security risks and protect your company?
1.1 What are the consequences (of Cyber Attacks) for Mauritian and Indian Ocean companies?
With the technology advances of the last two decades, companies rely more than ever on their IT systems to operate. This is true at many levels: infrastructure, processes, raw data. As such, the consequences of global Cyber Security attacks have the ability to be very damaging to Mauritian and Indian Ocean companies.Very damaging indeed as once inside a company's network those attacks/hackers can badly affect key services and infrastructure. For example, the inability for employees to access their emails or their customers' data, the loss of documents, the denial of services (Web Site, electronic transactions, etc.) or even the use a company network as a proxy to attack other companies.
The negative consequences can therefore be financial, reputational and legal.
1.2 What type of companies are more vulnerable?
From the moment a company relies on an IT infrastructure to operate, is connected to the Internet and handles data electronically, it is vulnerable to remote Cyber Security attacks. The companies that are the most vulnerable are those without a clear Cyber Security strategy and contingency plans, often this means with no dedicated staff to Cyber Security and no adequate Cyber Security operational procedures.Most of the time, those companies consider IT as just a mean to do a task/job without really appreciating the related risks and needs for protecting their operation from a Cyber Attack.
They are typically small to medium size organisations but we can also find large organisations that did not invest enough, or have stopped to invest, in their IT department.
1.3 The year 2017: why such relentless attacks from hackers?
Hackers have not been more relentless in 2017 than in previous years. Cyber attacks with global impacts have been going on for a while, remember "Code Red" back in 2001.What is changing, however, is the growing attack surface as well as a better coordination, preparation and sophistication from those attackers ("threat actors") who are improving in competencies and are driven by an exponential growth of monetary and geopolitics gain related to Cyber Security attacks.
Furthermore, with companies increasingly integrating and relying on IT and the Internet to conduct business and operate, those Global Cyber Attacks will only gain in visibility and ability to disrupt which is probably why there is a feeling of "relentlessness" from hackers of late.
This situation is unfortunately the new reality that companies must face daily as part of their operational planning consideration.
1.4 How to avoid Cyber Security risks and protect your company?
The primary prevention measures are not necessarily directly linked to IT Security but instead are linked to a form of "IT Hygiene". As such, companies should start following "operational best practises" when it comes to day to day IT operational procedures: To have a patching policy, up to date asset inventory, infrastructure visibility, etc.Then, once an "IT Hygiene" baseline has been implemented, there must be a Cyber Security strategy defined: Being able to monitor that infrastructure, detect potential attacks, know how to respond to those attacks, protect the infrastructure and endpoints with adequate technologies, alert at different level of the organisation with an adapted message to the organisation risk profile, inform and train staff, do regular vulnerability assessments, etc.
PART 2 - REGIONAL CYBER SECURITY CONTEXT
The above answers would not be much different for companies in Europe, even though the technological, economical and political landscape is rather different in Africa and the Indian Ocean.
Does that mean we are all equals when it comes to Cyber Security? Not quite, and the second part of this article will look at the different Cyber Security contexts for those regions in terms of advantages and disadvantages to identify common opportunities and challenges.
I am focusing on Mauritius, Africa and Europe for three reasons:
- I have experience in delivering cyber security work in each region;
- Those regions suitably provide a template for developing economies (Africa), economies in transition (Mauritius) and developed economies (Europe);
- There is an increasing demand and understanding for Cyber Security expertise in those regions.
2.1 European Cyber Security regional context
Europe, the UK and the USA share a similar context when it comes to Cyber Security and have the following advantages:- Part of a mature economical market, yet with a need to constantly evolve and thus quite dynamic and innovative;
- Cyber Security is a recognised mandatory necessity for most companies, it helps drives resources, time and budget allocation for it;
- There is a large choice of technology and expertise locally available;
- General public, staff and key stakeholder's awareness on Cyber Security is increasingly improving and facilitating conversation on the subject;
- Regulatory requirements such as GDPR, CBEST, SOX, etc. help drive Cyber Security forward.
- Large, profitable and "more modern" companies tend to be a bigger target for the most advanced Cyber Criminals and Nation State actors;
- Shorter hardware and software technology refresh cycle means constant infrastructure change along all the security pitfalls coming with it;
- Money is being wasted on Cyber Security technologies that may be too new (unproven, buggy, short lived) or not required (redundant functionality, wrong priority, over promised sales pitch) and often leads to "bloated" security layers in large organisations.
- Legacy dependencies are frequent and increase the complexity of implementing security right;
- Retaining skilled staff is often a problem.
2.2 African Cyber Security regional context
This region has the following advantages:- Cyber Security Awakening - there is an increase demand and realisation that Cyber Security is important;
- Chance to do it right from the start and learn from developed economies' mistakes in that field;
- A lot of manual processes for key tasks are still present and provide a crude but effective defence mechanism in limiting some attacks' impact, i.e.: manual approval for international money transfer in some banks, etc.;
- Companies infrastructure are usually smaller and therefore less complex to protect;
- There is a lot of enthusiasm for Cyber Security and most companies are starting to pay attention to this area.
- Very limited local expertise in Cyber Security is driving the need for international and expensive services in that field;
- Use of old IT equipment that often are at their end of life and out of support increases the risk exposure;
- Cyber Security is often considered as optional and comes more as a reaction to an incident than as a preventive set of measures;
- Internal IT infrastructure is often not documented and not fully understood due to high staff turnover, thus increasing the time it takes to properly secure it;
- Budget is very limited and no full-time resources are allocated for Cyber Security in most companies.
2.3 Mauritian Context
This region has the following advantages:- The Cyber Security awakening has already occurred in Mauritius some years ago, what we see now is an acceleration towards Cyber Security programs in most companies;
- International regulation drives the need of Cyber Security work for compliance to certain standards;
- Budget for IT and Cyber Security are starting to be linked and recognised as significant for the companies' own operational success;
- Local expertise in general IT is high and allows for smoother Cyber Security technology implementation;
- IT Infrastructure is generally modern, allowing for the latest Cyber Security technologies to be easily integrated to the existing environment;
- Limited local expertise in Cyber Security with mostly a few years of experience and many overnight experts;
- Cyber Security is still seen as a luxury additional item in many companies leading to partial solution implementations;
- Most companies do not have a Cyber Security Strategy defined, approved and supported by their leadership;
- With a thriving offshore business, large Mauritian and International companies are also considered as prime targets by attackers;
- Limited and mostly part-time resources are allocated for Cyber Security.
PART 3 - CHALLENGES AND OPPORTUNITIES
3.1 Challenges
From an end user point of view, one of the main challenge is to sustain the pressure for business delivery whilst attempting to secure its operation in an ever-changing technology market and ever increasing toxic environment. Acquiring and retaining the right staff for the job is also an increasing challenge as Cyber Security staff is in short supply. Another challenge is defining the right security strategy and priorities; for some companies it means knowing where to start whilst for others it means knowing what to do next. Furthermore, as companies continue to modernise their infrastructure, the "manual process defences" mentioned previously, will eventually go away thus increasing the risk posture for those companies who haven't anticipated and implemented additional security controls.From a vendor/service provider point of view, one of the main challenge is the ability to identify the client's core needs and adapt the communication and security portfolio to those needs. There is also a need to be flexible with the expectation and implementation timeline. Pricing can often be a problem if not adapted to the targeted market. Another challenge is one of business visibility, in a crowded market place it is difficult to ensure potential clients know your services as well as for vendors to be informed of clients' opportunities.
The more technology advanced Africa and Mauritius become and the more vulnerable they will also become to modern and global Cyber Attacks. The irony is what allows those regions to grow their economy is also what contributes to grow their risk exposure and face the same challenges as more developed economies. Therefore, there is a need for responsible technology growth.
3.2 Opportunities
Through the world, the use of technology and reliance on connectivity is growing, not only at a corporate level but also at an individual level. This growth will only continue because of the very nature of technology evolution. Along with this technology growth comes conception and implementation challenges, and with those comes Cyber Security risks and vulnerabilities.This situation translates into business opportunities related to a demand growth in Cyber Security expertise and solutions. Because technology is becoming increasingly omnipotent in our lives around the world, those opportunities are true for Africa, Mauritius and Europe.
Although there is a maturity difference between those three locations, the needs are similar: being able to prevent, detect and respond to Cyber Security attacks as well as protect the Confidentiality, Integrity and Availability of data/services.
European opportunities tend to be part of a longer term Cyber Security Strategy as well as for recurrent technical security expertise as a service such as penetration testing and security audit.
African and Mauritian opportunities are driven with a high demand in education/awareness programs as well as more pragmatics solutions which are part of a shorter term Cyber Security project/program.
For more information on this topic and details on how we can help your organisation in their Cyber Security journey, do not hesitate to contact us at: consulting@elysiumsecurity.com