This second installment in the security series was written by Farirai Takavarasha (BSc, CISSP, CCSA, Security+, CCNA and ISCW). You can find the first installment here.
Due to the harsh operating environment in Zimbabwe, businesses tend to focus on their core business areas and neglect information security, which is viewed as a non-value-adding activity. To close the resulting security gap, companies then invest in cheap, ineffective solutions that are themselves highly vulnerable to security threats. In most organisations, information security roles, skills and capabilities are not clearly defined.
Information security has become a critical area in any business structure because of the highly computerised environment we operate in. It should be incorporated in the long-term strategy set by the Board and treated with the same value as other functions such as finance, human resources, marketing and sales. Most companies in Zimbabwe (ICT service providers included) do not have a designated ICT security department to advise and guide the business on information security issues. A skilled security department will develop security policies and procedures and ensure that they are adhered to during all business processes.
Organisations must have a security policy that is fully supported by senior management and is clear and understandable. Individual roles and responsibilities must be clear, and so must the consequences of breaching the security policy. It is very critical in Zimbabwe that we train our users to understand that security is everyone's responsibility. Security awareness is supposed to be a continuous process that makes sure users are aware of their security responsibilities and obligations under the organisational security policy.
Information security vulnerabilities are dynamic, not a once-off threat. Businesses are also not aware of the Internet security threats they are exposed to, nor of successful or attempted attacks against their IT infrastructure. A designated team must be appointed to actively monitor the security systems, follow security tech blogs for new threats and advise the business on ways to mitigate the new risks.
At the present moment it is difficult to (maliciously) access ICT systems in Zimbabwe from outside due to slow Internet connections. But Zimbabwe expects an increase in cheaper international broadband this year through fibre-optic installation projects being carried out by private internet access providers Africom and Econet. High speed access will also increase the chances of security attacks from the global community.
However, internal threats are also very real and relatively easy to carry out. These days hacking has been made easy by readily available tools, unlike before, when one had to be a computer expert to break into a computer system.
Regular vulnerability assessments must be carried out to determine the risks that organisations face and to rectify them accordingly. Information security companies must embark on serious ICT security awareness programs in Zimbabwe to cultivate an appreciation of these issues among business leaders, so that they start to invest seriously in security and protect their valuable information and corporate image.
Medium and large enterprises must have a designated change control board that controls all changes to the infrastructure. This board must understand both security and the business processes. Only a few companies in Zimbabwe have a change management process, so many changes made by ICT staff are neither logged nor controlled, effectively exposing organisations to otherwise avoidable external and internal threats.
What organisations must do to ensure that basic security controls exist:
- Have a written Security Policy document – all users must sign, accept and follow the security policy.
- Set configuration baselines – These are minimum requirements for any device before it is installed on the production network.
- Have a designated ICT security person (or department, depending on the size of the organisation) to advise on and supervise the security aspects of ICT projects.
- All network infrastructure must be hardened and kept current with the latest patches.
- Organisations must invest in robust enterprise-class firewalls with an extensive feature set that includes an Intrusion Prevention System (IPS), not just packet filters.
- Monitor their networks and know their benchmarks (normal traffic baselines), so that in case of an intrusion they can easily pick up abnormalities in traffic flow patterns, rather than only monitoring network interface status.
- Consider security at the beginning of a project (planning stage).
- Put in place change control processes to reduce the risks of a change.
- Document and update network architectures.
- Pressure to finish projects must not compromise security.
- Perform vulnerability assessments during and after every project.
- Invest in training of information security personnel.
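A concrete instance of the monitoring point above: the "benchmark" is a per-hour baseline of normal traffic volume, and an alert fires only when the observed volume deviates sharply from it, which an interface up/down check would never show. This is an added example, not code from the original article; the hourly volumes are constructed sample values.

```python
from statistics import mean, pstdev

# Constructed sample: outbound volume in MB for three hours of the day,
# one value per day over seven "normal" days, keyed by hour of day.
HISTORY_MB = {
    2:  [11, 9, 12, 10, 8, 11, 10],          # quiet overnight hour
    10: [410, 395, 430, 405, 420, 398, 412], # busy office hour
    22: [60, 55, 64, 58, 61, 57, 59],        # evening backups
}

# Constructed observations for "today" at the same hours. The 02:00 value is
# far above anything seen before, which is the pattern worth investigating.
TODAY_MB = {2: 180, 10: 425, 22: 61}


def build_baseline(history):
    """Benchmark per hour: (mean, population std dev) of the historical samples."""
    return {hour: (mean(vals), pstdev(vals)) for hour, vals in history.items()}


def flag_anomalies(baseline, observed, z_threshold=3.0, min_sigma=1.0):
    """Return (hour, value, reason) for observations that deviate from the
    baseline by more than z_threshold standard deviations. min_sigma stops a
    very flat baseline (sigma near 0) from turning tiny jitter into alerts.
    Hours with no baseline are reported too: an unknown hour is itself a gap
    in the benchmark, not something to silently ignore."""
    alerts = []
    for hour, value in observed.items():
        if hour not in baseline:
            alerts.append((hour, value, "no baseline for this hour"))
            continue
        mu, sigma = baseline[hour]
        z = (value - mu) / max(sigma, min_sigma)
        if abs(z) > z_threshold:
            alerts.append((hour, value, f"{z:+.1f} sigma from baseline {mu:.0f} MB"))
    return alerts


if __name__ == "__main__":
    for hour, value, reason in flag_anomalies(build_baseline(HISTORY_MB), TODAY_MB):
        print(f"{hour:02d}:00  {value} MB  {reason}")
```

With the constructed data only the 02:00 reading is flagged; the 10:00 value is higher than usual but well inside normal day-to-day variation, so it stays quiet.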
In conclusion I can expertly say that security is not considered a serious issue by Zimbabwean businesses and in Zimbabwe in general. This is largely because there have not been any major threats or reported security breaches.
Information security systems are viewed by Zimbabwean businesses as unnecessarily costly to implement, but they are a vital tool. In light of the increasing security vulnerabilities, businesses must now start to consider security seriously and must not view it as an expense that can be avoided, but as a tool critical to their survival.
I can safely say that a very big percentage of Zimbabwean users are not aware of the security risks they expose their organisations to when they are on the Internet downloading free software, music and video, interacting on social sites like Facebook, or simply visiting malicious sites. So user training is equally critical to ensure that ICT users understand their information security responsibilities. Most importantly, top management must provide the necessary budgetary support for information security programs.
Our next publication will focus on Information Security Governance.