"There are two types of companies: those that have been hacked, and those who don't know they have been hacked." (John T. Chambers)
There was a case of a strange man who walked up to the receptionist at Company X and asked whether she could verify a document he had on his flash drive. The strange man, very smartly dressed, told her that he had been invited for an interview at Company Y, one floor up. According to him, the candidates had been asked to bring their CVs as soft copies for the interview. Unfortunately, when his turn came to present the CV, the attendant at Company Y said that the document, a PDF, could not be opened. He had therefore been asked to find another computer and check that the document did open there. This would show that the problem lay with the attendant's computer rather than with the document or the flash drive.
Seeing the urgency of the request, the receptionist at Company X took the flash drive from the strange man. She plugged it into her computer, navigated to the drive and opened it. She saw a document named "CV.pdf" and quickly double-clicked it. Her screen flashed for a few seconds, followed by a prompt saying that the document could not be opened. "I am sorry, the document cannot be opened on this computer either. I am really sorry!" she said, with compassion for the strange man. "That is fine, thank you very much for your help," the strange man responded. He took the flash drive and left the premises. Whatever happened next, your guess is as good as mine!
Humans as the Weakest Link
Social engineering is a form of hacking in which the weakest link in a cyber-security set-up, the human, is targeted and exploited. It works on the physical, mental, spiritual or psychological facets of a person to convince them to divulge information or take an action that they otherwise would not. In the case above, the receptionist at Company X was easily persuaded by a complete stranger to plug in a foreign flash drive and then open a file on it. Note that social engineering is not carried out by strangers alone: another employee could just as easily exploit your weaknesses and compromise you. When Company X was hacked, guess who was implicated: the receptionist.
Cyber-security Awareness In Organizations
Here comes the big question: how many organizations have employees who are cyber-security-aware? In Kenya, sadly, not many! Organizations have not carried out cyber-security training for their employees, and most do not have an incident response plan or even a cyber-security policy. The closest many have come to such a policy is a disclaimer in their employees' contracts stating that all assets (tangible and intangible) belong solely to the company. Employees do not even know how to respond to a threat. For example, when someone boots up the computer at their workstation and sees strange flashes on the screen, they simply ignore it or call their "IT guy". The IT guy, without a plan, will come, probably restart the computer, see nothing wrong, and chastise the employee for not being "tech savvy": "These things happen. Next time, call me when something serious happens, like the computer failing to start!" I know, many IT techies are somewhat arrogant.
Data Protection Laws In Kenya
As if this were not enough, Kenya is still an infant when it comes to cyber-security awareness. We do not even have a comprehensive data protection law. So, if your information is stolen or misused, you may not get the justice you need. Furthermore, many legal practitioners may not be of much help. I was privileged to attend a mini-conference held by the Kenya Cybersecurity and Forensics Association on 30th May, where we discussed (among many things) the shortage of competent cyber-savvy lawyers. One thing of note is that many of our judges are not up to date with the latest technological trends, so having a lawyer and a judge who know little about cyber-security adjudicate such a matter appears to be dead on arrival. Another conference, held at the Lawyers Hub on 18th June 2019 and dubbed "Cyber Crimes & Digital Forensics - Investigation & Prosecution Policy Issues", made a similar observation. So, you can imagine the pressure and legal hurdles you would go through if your carelessness (for lack of a better word) resulted in you losing critical assets to a cyber-attack.
The solution: have a cyber-security policy and an incident response plan. Train your employees to identify the critical assets in your organization and to protect them. I cannot emphasize enough the need for training. If you need help with this, we can help. Also, consider having an independent cyber-security department. Please note, I did not say an IT department. I have clearly written: a Cyber Security Department. We can help with that as well. At the end of the day, when all is said and done, security starts with you... Or what do you say, my friend :-)? Don't be the company that was hacked and did not even know it had been hacked!