Has anyone else noticed that when you log into Facebook from a different device or location, it asks for an additional method of authentication, just to make really sure that it's you and not an imposter? Yet you can log into your bank account from anywhere in the world using pretty much any device and it still asks for the exact same login that it does when you're on safe South African soil? Worrying, right?
Businesses are starting to realise that there's a new generation of customers that want to interact with them anywhere, anytime and on any device. Equally, there's a new generation of employee who also wants to be able to work anywhere, anytime and on a device of their choosing. However, there are potential pitfalls in both scenarios, most of them around security. Gary de Menezes, Country General Manager, Sub-Saharan Africa at Micro Focus, says this is the primary driver behind the rise of the chief information security officer (CISO) as the latest addition to the c-suite. "Security used to be a function of the chief information officer (CIO) but instead of reporting into the CIO, the CISO has a separate role within the organisation."
De Menezes puts it all down to Generation Y – or, as he refers to them, Generation Y not. He says, "Generation Y want to be able to do whatever they want, wherever they want, whenever they want, and they want to do it all on their smartphones. And if they can't, they want to know ‘why not?'."
Generation Y only use their smartphones 3% of the time to make and receive calls. In fact, they often won't answer calls but prefer to chat via text. They interact with the world in a different way, and face-to-face communication isn't a strength or a preference.
They also work differently to previous generations and if they can't work how they want to, they move on to somewhere that will accommodate them. A survey done by a large international company showed increased friction between the workforce and management over the past two years, specifically where a Generation Y workforce was deployed.
However, says De Menezes, Generation Y has the spending power of the future, and organisations will need to adapt the way that they interact with their customers to accommodate this major shift in society and behaviour and so that they can meet this need for instant gratification. He continues, "In order to be available online across all types of platforms and devices as required by Generation Y, organisations will have to amend their security standpoint significantly. The traditional approach of security through obscurity is no longer relevant."
Security has traditionally been fairly simple and entailed controlling the access points to the organisation. However this approach doesn't give business much in the way of flexibility when it comes to reaching various target markets through different channels. Any business that wants to be relevant going forward has to be able to cater for Generation Y's demands. Which is where the CISO role becomes vital, according to De Menezes.
"We're talking about the next evolution in security; perimeter security is no longer sufficient. South Africans understand security very well. The average house has an electric fence, beams, a security firm, a couple of dogs, sensors on doors and windows and possibly even a firearm or two; there are several layers of security that cater for all eventualities. Organisations have to take a similar approach.
"Today's users are more educated about technology and how it works than ever before, which opens up the business to malware attacks like the recent Wannacry event. However, close on 65% of company losses are internal, and these attacks rarely make headline news. The internal attack is the biggest financial risk that companies face."
A good local example is the recently uncovered collusion between employees of a telecommunications organisation and those of a financial institution to conduct a sim-swap scam that sought to defraud smartphone users. Over and above the financial impact, the reputational damage caused to both businesses is immeasurable.
"This is the crime of the future," says De Menezes, "the question is, how do companies protect themselves?"
The first port of call is generally a password, so the user signs on and instantly has access to everything that they need to access to do their job. However the downside to this is that if a cyber criminal gets just one person's login details, they can access everything across the business. Paul Cripsey, Presales Solutions Consulting Director at Micro Focus says: "Security within the organisation has to evolve to a far more intelligent level where it becomes dynamic security as opposed to static security."
Dynamic security takes into account when the employee joined the business, their level of seniority (or otherwise), what applications they can access, and how that person's access has evolved over the duration of their time with the company. It also considers things like which applications that person might need to access remotely, whether it's likely that the person would want to login at 3am, and what types of transactions should be permitted both remotely and at unusual hours or even using a different device or network.
Cripsey says: "We need to introduce analytics and create a dynamic risk profile for the user base with differing levels of authentication. It's no longer just about who you are, what your password is and what you can access, it's also about where you are, what time you are, the device you're using. However, this dynamic shaping of the security environment is proving challenging for businesses to implement, and where security has always traditionally been the domain of the CIO, it now requires input from HR, the business and IT in a collaborative approach to security. The bigger the workforce, the bigger the task."
He's quick to point out that not all applications within the business will require such stringent levels of dynamic authentication, but better to have, and not need it, than need it and be caught short by ransomware.
It's fairly clear that there's no single solution that will meet all of these requirements, which is where businesses need to turn to the CISO for help. The CISO has to come up with a security strategy that's adaptable enough to allow the business to reach Generation Y, but at the same time provides a level of security that isn't offered by a single solution.
De Menezes says: "As much as businesses are having to change the way that they do business to accommodate Generation Y, IT vendors are having to reinvent themselves and evolve from being purely product-based to become integrated solution providers. This is why we're seeing companies in our sector going through mergers and acquisitions, in order to better collaborate on solutions that meet the rapidly evolving demands of our customers, driven in turn by the evolution of their customers." De Menezes refers to the recent acquisition of HP Software by Micro Focus, saying, "Even we as a business had to change and evolve to provide the required enterprise-wide solution instead of an assortment of single solutions."