While sitting at a coffee shop across the street from a large bank, a person pulls out their laptop, hacks the (secure) Wi-Fi network of the bank, and by their 3rd cup of coffee has access to a desktop computer in the bank with full local access. Sounds far-fetched? Think again. That person is now writing this article. Thankfully the entity in question had requested this test to occur, but it does highlight a very important topic for discussion: African countries are growing in ICT, fast. Are they ready for the attention they will attract from hacking syndicates and cyber criminals?
The recent hacking of the Zimbabwe Stock Exchange is a case in point. By now we all are well aware that a Joomla vulnerability was exploited and their site was compromised. The result? Apart from any financial loss, it has resulted in reputational losses – Google “Zimbabwe stock exchange” and you will see what I mean. The first results you get are any company’s worst nightmare. In this case the hacking attempt was not for financial gain, it was to deface, to cause reputational impact and to make a point – “Africa we know you’re out there.”
It is no surprise, then, that many companies in Africa, as well as governments, are beginning to take their security very seriously, and that’s a good move. As Africa puts itself on the map to become a major world player from a business perspective, we are going to light up like a neon light for people looking to exploit and hack. Is your company ready? Had anyone asked Sony Corporation that same question 1 year ago, how do you think they would have answered? How do you think they will answer now?
Having a security policy is the first step towards a secure business network, but it is by no means the final step. Do you have management buy-in? Does management know the potential threats and the impact they could have? As a CIO, the onus falls on you to ensure your company is safe. You need to know your threat landscape: what the attack vectors are and how you will protect against them.
I have seen many companies in Africa (and beyond) pull out a template security policy, risk matrix and a security product datasheet and say that will suffice. Penetration tests, vulnerability assessments, staff awareness, proper fit of security products – these are not even mentioned. For these people, the question remains to be answered: when that neon light called Africa shines brightly, will you be ready?
This guest article was authored by Dimitri Fousekis, a Security Architect and Penetration Tester. Fousekis has worked for many large corporates, assisting in securing their systems and providing input to global vulnerability management companies. He is affiliated with Bitcrack Cyber Security and may be contacted at firstname.lastname@example.org