Arguably the biggest cybersecurity threat facing organisations is their people, often falling victim to attacks through ignorance. But there are also some new and frightening threats on the horizon.

By Kathy Gibson

According to IDC, ransomware is still a major threat in the cybersecurity space, along with phishing and whaling. Other threats include data leaks and theft, vulnerability or patch management.

Detection and mitigation remains a problem, adding to the threat landscape.

The new technologies now becoming popular in the market are ripe for cyber-attacks, says Jon Tullet, research manager: IT services Africa at IDC, speaking at the research organisation’s recent CIO Summit.

Internet of Things (IoT) is becoming mainstream now, but the crooks are ahead of us, he says. Botnets targeting IoT networks have already been seen, and they will become more pervasive, and we will start to see more instances of automation subversion.

Machine learning can offer major benefits, but they results are only as good as the data that is put in. “We are seeing cases of false data being put in,” Tullet says. “And this stuff is happening right now.”

Shadow IT is prevalent in most organisations, and this opens up new threat opportunities. “But shadow IT is usually a result of IT’s failings,” Tullet says.

“We don’t need to stamp out shadow IT, we need to get it under control. Don’t punish the guys who are doing it, we need to know what they are doing and bring it under the umbrella of IT.”

Digital transformation is happening in most organisations, but it has to be secured. “Security has to be baked into all the new projects,” Tullet says.

In the traditional way of securing and controlling the environment, focus is placed primarily on the physical technology, says Luyanda Ntuane, independent consultant for Imperial Car Rental.

But as digital transformation takes off, there are areas of the environment that can’t be controlled directly, while the traditional definitions of things like perimeter, host, applications and even data are changed.

Digital transformation therefore requires a paradigm shift from the traditional approaches to security, with disruption greatly increasing the vectors and threats.

“There is a gap between the things we have in terms of security and what we need to have,” Ntuane says.

What we need today is to go beyond cyber-security and into the realm of digital security, he adds.

Organisations therefore need to have a multi-faceted approach to security, although the basic principles remains the same: detect, prevent, protect and remediate.

Digital security however, needs to add governance, intelligence, control and access.

“IT and security strategies are directly impacted by digital transformation,” Ntuane says. “You will see a lot of digital transformation projects taking off, but the IT security strategy must address the very key new touch points”

To build an effective security strategy, the CIO needs to start with focusing on risk.

Identifying the critical outcomes and transforming those into security tactics would be underpinned by an agile risk management framework that can keep pace with the evolution of collaboration networks.

CIOs are urged to focus their interactions with the digital world and how they impact on the organisation’s past, present and future.

“You cannot protect everything – unless you have enough tie and all the money in the world,” Ntuane says.

The final is to remember the biggest threats, monitor and manage them.

Perhaps the biggest threat is that there is still a huge gap between what the treats are, and the professionals dedicated to addressing them.

“If you want to approach the digital transformation journey and still apply best practice, there must be governance with management and board approval. A strategy can then be developed that ensure s alignment with all shareholders.