Head office (South Africa)

​The Campus, 57 Sloane Street
Cnr Sloane Street and Main Road
Bryanston, Johannesburg, 2021
+27 11 575 0000

Technical support

+27 11 575 2571 / 0860 221 221
+61 3 9626 0497 / 1800 638 457
+55 11 3878 6500
+31 342 402 859
North America
800 974 6584
United Kingdom
+44 1252 779 779
Cybercrime - Don’t let your end user become your weakest link

Cybercrime - Don’t let your end user become your weakest link


​​​Cybercrime - Don’t let your end user become your weakest link

​As modern workers become increasingly accustomed to having real-time access to corporate data, they’re also becoming targets of criminals who have their eye on the same data sources. Worse yet, the user all too often becomes the attacker’s point of entry into the organisation. What can you do to raise your business’s defences?

Today, users are becoming the ‘new perimeter’ of the organisation, particularly those who are accessing key systems and data via devices that aren't comprehensively managed by the business. Jason Harris, Managing Principal Consultant: Security and End-user Computing, explains: ‘Cybercriminals know that if they can reach users, they have a chance to convince them to do something that will grant them access to the users’ data or profiles. 

‘End users are becoming more popular targets because there are multiple attack vectors available through which to reach them. ​Today, it's not just end points you need to worry about. The reach of cyberthreats has extended to mobile devices and social platforms.’  

​Concerning trends
Harris reveals that the security architecture assessments that Dimension Data carries out within its clients’ environments attest to the rise of this concerning trend. ‘We're noticing some significant people, process, and policy gaps, particularly with respect to bring your own device and end user computing initiatives. Most businesses have put in place some form of governance and control, but it’s not enough to provide adequate protection from the latest breed of threats. A cohesive policy across all the relevant technology layers ̶ users, applications, and devices  ̶  is generally lacking.’

Jaco Hattingh, Global General Manager: Enterprise Mobility, explains that, in an attempt to protect their businesses from cyberattacks on end users, many businesses are relooking their bring your own device strategies. ‘That’s not to say we’re seeing the demise of these strategies altogether. Rather, there’s a move towards standardisation of devices. Once you do this, it’s much easier to support your devices and ensure that they’re appropriately patched which, in turn, allows you to mitigate threats,’ he explains.

Regional nuances
The question arises as to whether businesses are tackling the challenge in a consistent way across the world, or if the approach and level of maturity varies by region. According to Neville Burdan, General Manger: End-user Computing, Asia Pacific, there are some interesting cultural nuances at play. ‘In Australia, New Zealand, the US, and the UK, organisations generally take a fleet-managed approach, which includes the management of PCs as well as tablets and mobile devices. 

‘In Asia, however, the consumerisation of IT is accelerating. Businesses are moving to a mobility-first strategy and are introducing mobile devices more quickly than fleet-managed devices. This means the attack surface for soft targets – the users – is greater.’

Burdan adds that in Asia, bring your own device strategies are morphing into what’s been termed a COPE strategy, where COPE denotes ‘corporate-owned, personally-enabled’. Another approach, which is gaining popularity in the US, is a choose your own device policy. Users are provided with a list of devices from which they can select their personal favourite. The organisation manages the device, but affords users a certain level of flexibility, for example, by allowing them to upload personal applications. 

Make policy a priority
‘Organisations need to focus on developing policies that are simple to implement yet effective enough to address the security threats they face and which allow violations to be flagged,’ says Hattingh.

"The aim of these policies is to govern or enforce certain behaviour in an organisation. In this case, enforce certain employee behaviour that is aligned with the overall business objectives; while at the same time instil behaviour that is sensitive to the most valuable corporate asset - information. Organisations differ vastly and policies should be created taking into consideration the nature of the organization, their business models and the cultural nuances associated with their mobile workforce. 

If, for example, you decide to allow users to make use of their personal devices in the workplace, you can specify certain restrictions within your policy to disallow "jailbroken" devices, in order to mitigate the security risks associated with these devices.’ 

User awareness and education 
User awareness and education will also go a long way to minimising risk. If you encourage people to behave in a consistent manner, according to clearly communicated, and centrally developed and monitored processes and procedures that cover all the devices in use, you're not going to avoid attempted attacks taking place, but you’ll certainly make your organisation safer.

‘You need to do more than simply educate people about the technology; they also need to understand the importance of policies, systems, and processes,’ cautions Burdan. ‘You also need to decide how you’ll deal with policy violations. It’s inevitable that, at some point, the rules will either be ignored or unintentionally broken.​​

‘Also bear in mind that employees will oftentimes be reluctant to alert their IT support team if they believe their device has been compromised in some way. In fact, in certain cultures, admitting that you’ve made such a mistake implies a loss of face. So you need a reporting and insight engine that enables you to approach users and say: “We think that there may be something wrong with your device. Can we help you with that?” You need response mechanisms that are designed to help users and avoid putting them in an embarrassing position.’

Incident response – mind the gap
Unfortunately, incident response remains one of the most yawning gaps in organisations’ defences. In fact, today many businesses don't have an instant response plan at all. Harris believes this is concerning: ‘How do you manage if a user’s device is compromised and there’s no incident response process that w​ill detect the breach and put into effect immediate measures to secure your key data?’ 

He explains that Dimension Data has spent a significant amount of time with clients in recent years to develop a ‘data-centric’ security approach, which includes more advanced controls and monitoring. ‘With this approach, even if users are authorised to access certain data and systems on certain devices, you’re able to make sure they're not doing anything completely out of the ordinary, for example, suddenly transferring two Gigabytes of content from a database onto a connected mobile device. In this way, you can be proactive about flagging, and responding to, anomalies.’