There has been rapid technological developments in the recent pasts such as Internet of Things (IoT), Artificial Intelligence (AI), and Machine Learning (ML), and the advancements of cyber. This has counteractively also led in the increase in the sophistication of cyberattacks and cybercrimes. Companies and governments are left worried on how to navigate these murky waters as technology outpaces the policy making.
Three key themes have emerged:
- How do we build a resilient framework for cybersecurity challenges both locally and globally.
- How do we integrate cybersecurity policies into the strategic mission of public and private institutions.
- The need for a robust identity and access and management (IAM) for enterprises.
- Cloud computing trends – Security Mesh, Hybrid and Multi-Cloud Environments, and Cloud-Native Tools and Platforms.
Why Cybersecurity A Compelling Issue
Research reveal that the total cost of cybersecurity attacks across East African community in 2020 was $US 597,028, 294. In addition, small businesses are the most attacked accounting for 43% of all cyber-attacks (Agora). It gets worse as Kenyan companies are expected to incur annual losses of up to US$307 million which is equivalent to 0.3% of the GDP (Agora). East African countries have lost 0.26% of their GDP cumulatively since 2017 to cyber-attacks (Agora).
The Communications Authority of Kenya (CA) reported a 47.3% increase in cybercrimes in 2021 amounting to 37.1 million attacks in Kenya, making EA have the fastest growth rate in cybercrimes globally (Agora). Despite the case nearly 90% of cybercrimes occurring within the country are not being reported.
The government has a huge role to play with regards to these worrying cybersecurity trends. The digital transformation has seen the high IT adoption rate even within government as evidenced by the Kenyan digital services and infrastructure such as the KRA, e-Citizen, iTax, TIMS, IFMIS, and NIMS to name a few.
The government in its National Cybersecurity Strategy has committed to improve the state of cybersecurity through four major themes.
- Enhancing cybersecurity capability and posture.
- Building cybersecurity awareness
- Fostering cybersecurity collaboration, information sharing and innovation.
- Improving national leadership, cybersecurity vision and goals through capacity building.
The country has also established key policies such as the Computer Misuse and Cybercrimes Act (2018) to provide a coordinated approach to cybersecurity matters; Data Protection Act 2019 to spearhead data privacy and protection of critical personal information; and the CBK Guidance note on Cybersecurity to provide banks on best practices to mitigate cybersecurity risks. In addition, the cybersecurity blueprint is set to guide the country towards bridging the current cybersecurity gaps. Establishment of bodies such as the NC4, which is the current point of contact and a coordinator of all cybersecurity initiatives is yet another effort towards securing the country’s cyberspace. With these efforts and many more, it is anticipated that Kenya’s digital economy will grow exponentially especially since the massive losses to cybercrime will be reduced a great deal.
Privilege Access Management
Privilege, with regards to cybersecurity, refers to the ability of a user to change or alter the working of an IT system, hardware or services. A privilege account on the other hand is one that provides administrative specialized levels of access to system and data. Therefore, privilege access management (PAM) involves using policy-based software and strategies to control who can access sensitive software and systems. It has been found out that most attacks are perpetrated through access to or abuse of privilege accounts. More precisely, 80% of breaches involve privilege accounts according to Forester as reported by McGee of Delinea. Also, 85% of cyber-attacks are done through compromised endpoint and a whopping 96% of critical vulnerabilities can be mitigated by removing local admin right.
Most Important Risks for Businesses
The Agora Group report that cyber incidents are the most important risks for business to consider averaging at 41% for the past five years. It is closely followed by businesses interruptions at 40%. Interestingly though, cyber incidents still play a key role in business interactions, making the former a way more compelling risk to focus on by organizations.
Ransomware has been identified as the largest cause for concern for businesses across the globe. Over 123 million dollars was lost to ransomware in 2020 alone. This has been exacerbated by the increase in the Ransomware-as-a-service business model, where threat actors develop ransomware tools and sell for profit to other cybercriminals who eventually use them on clients. This double-pronged attack contributes to about 59% of ransomware-related cases in the cyberspace.
Away from ransomware, it has also been discovered that 20 million devices use default admin passwords, especially on Industrial Control Systems. This has led to burgeoning cases of supply chain cyber-attacks. In addition, it was discovered that the Linux and Unix operating systems that had initially been regarded to as safe have received a year-on-year 40% increase in the rate of attacks.
Integrating Cybersecurity Policies into Strategic Missions of Organizations
Majority of the organizations represented in the meeting had been attacked by cybercriminals at some point, a good number had policies and in most, employees had some cybersecurity awareness.
Awareness of staff on cybersecurity is among the most critical issues worth paying attention to. Secondly, attribution of cyberattacks has proven elusive to organizations making it hard to effectively solve cyber-attack cases. The best chance at cybercrime is to push for organizational preparedness through robust policies, infrastructure and awareness spearheaded by the C-level management.
Ad hoc measures taken by most organizations does not allow them to define responsibility to everyone within the organization, while a good cybersecurity strategy policy needs collective effort from everyone. Policies provide a coordinated approach to cyber risks.
What Should be Included in the Policies?
- Awareness creation
- Compliance requirements
- Business continuity plan
How CISOs Can Get Top Management to adopt Cybersecurity
CISOs often fail to convince top management of the need for serious cybersecurity strategies including budgeting for the same. This is often due to their failure to put these measures in a less-technical manner to the business-oriented management. This needs to be changed. They also need to consider pitching value addition brought about by cybersecurity strategies rather than the cost to implement the same. They also must stop operating in silos, rather, involve the whole management and staff in drafting the policies to increase the sense of ownership or reduce cost of ownership. Finally, they need to peg such policies on well acknowledged standards and frameworks.
To make the most out of training, CISOs are advised to make the sessions interactive, fun, and automated. More importantly, gamification is increasingly being prescribed by experts as an extremely effective training strategy. They also need to set clear cybersecurity KPIs that are aligned to the KPIs of all the other departments.
The Need for a Robust Identity Access Management (IAM)
Identity Access Management can help improve the productivity of staff as well as improve their cybersecurity posture. The rapid development of technology has made the management of user identity and access to systems and infrastructure the more difficult. For effective management, IAM should go beyond just the policies. There is need to secure it across the infrastructure including APIs, loopholes often used by hackers and the points of integration with other parts of the business. It should also include other aspects such as ability to educate users on best access practices, ability to help with research management and features to alert the CISO or admins of any attempted logins via mail or their phones.
Challenges to Managing Privileges
- Users with local admin rights
- Application control
- Privilege elevation
- Application-to-application (A2A)
- Staff turnover
- Service Account Governance
- Hybrid environments
- Lack of visibility
- Securing remote access
- Linux/UNIX account management.
Modern PAM Security Best Practices
- Establish trust
- Always verify
- Enforce least privilege
- Redefine privileged access management.
Privilege Management Journey
- Paper-based password and credential
- Personal vaults
- No or minimal password
- Complexity requirements
- Clear text password hardcoded in apps
- Basic account inventory
- Automated privileged account discovery
- Application control
- Multi-factor authentication
- AD bridging
- Full audit trail
- Session Monitoring
- Service account onboarding
- Password hiding
- Zero trust policy
- Application in application management
- Immutable privilege activity auditing
- Privilege elevation control
- Local Admin right removal
- Full asset onboarding compromise and software-as-a-service.
- Service account provisioning and decommissioning workflow
- Proactive Decision
- Behavioral analysis and automated remediation
- Complete service account governance
- DevOps workflow privileged account management
Agora (2022). African Congress on Cybersecurity. https://www.agoragroup.ae/events/African_Congress_on_Cybersecurity