16.5 C
Nairobi
Thursday, September 19, 2024

The Human Firewall – Changing Cybersecurity Approach

The people are the most critical part of any organization. They form the first line of defense.

The rate at which cyber crimes are being reported has been rising from 2019 to date. By the end of the second quarter of 2022, it was noted that cyber attacks in Kenya had increased by 142% despite the increased advisories. It was also noted that cyber criminals had focused more on small traders and the financial space, with microfinance institutions and Saccos among the targets.

According to the Kenya National Bureau of Statistics (KNBS), cyber security advisories issued to companies increased by 3,693%, from 81,727 in 2020 to 3.1 million advisories in 2021. These advisories are attributed to organizations adopting new technologies to secure themselves against attacks. Saccos have put in Next Generation Firewalls, monitoring solutions and access management solutions, among others, aimed at increasing the institutions’ cyber resilience.

Since the early 1960s, there has been a framework that focuses on three arms of any organization. It was popularized in the infosec world in 1990 by Bruce Schneier as PEOPLE, PROCESS and TECHNOLOGY. This framework guides Saccos in balancing their security investments across Processes, People and Technology.

Focus on the People

The people are the most critical part of any organization. They form the first line of defense, and as the saying goes, “The people are the weakest link” if they are not sensitized enough on matters of Cyber Security. Cybercriminals have changed tack because of the heavy investments Saccos have made in the technology aspect of security. The focus has therefore shifted to the people, as they are less aware.

As a cyber security firm, 70% of our success in cyber attack simulations in Saccos’ networks and systems during a Vulnerability Assessment and Penetration Testing (VAPT) or Information System Security Audit (ISSA) is attributed to the human factor. 20% is process-oriented, and 10% is due to technology. Understanding the change in adversaries’ tactics has helped us build our clients’ cyber resilience.

In the wake of the Covid-19 pandemic, organizations were forced to enable their staff to work from home. New security challenges emerged from this, and as of 2022, the technology allowed most of the staff to work from home, away from the firewall set up at the office. Although this helped and is still helping the staff, the organizations have missed out on sensitizing their staff on matters of Cyber Security.

The human aspect is an easy target since adversaries exploit the ‘Trust’ placed in the staff to secure the organization. Whenever a legitimate user account is used to access the Sacco’s network, no red flags are raised, allowing the cyber criminals to inflict maximum damage. Some of the common methods and tactics used in infiltrating Saccos through the users include:

Social Engineering, also known as “The Art of Human Hacking”, is the most effective means of soliciting information from the people an entity has entrusted with it. There are, however, different techniques in social engineering; the best known and most common one is Phishing, where cyber criminals target staff through emails that solicit information or lure them to malicious sites. With technological advancement, anti-spam solutions have greatly protected people from these cyber attack techniques. However, the number has not significantly dropped.

The adversaries are now compromising legitimate users and using their emails to conduct criminal activities. This has been made easy by poor cyber habits such as saving passwords in browsers. There is a false perception that a password saved in the browser is secure, whereas it is not. The attackers devise means to steal these credentials regardless. Staff should never save passwords in browsers and should instead use password managers to store passwords securely.

Another avenue adversaries are using is the introduction of new devices on the network. Did you know that a simple-looking flash drive could actually not be a flash disk but a supercomputer? The adversaries have resorted to devices that do not arouse users’ suspicion. Rubber duckies (flash-drive lookalikes that computers identify as input devices), a keylogger disguised as a fan, and a remote-controlled access cable disguised as a USB charger are just some of the tools that adversaries are using to steal information and penetrate Saccos’ systems.

Another common and very effective method is physical contact between criminals and the staff. This may seem like staff collusion, but in most cases it ends up as a social engineering case. Criminals have learned that humans’ trusting nature can give them access to whatever they need. Therefore, disguised as a new staff member, vendor support or a third party well known to carry out duties in the Sacco, they interact with the staff and solicit information or access to systems. This form of attack is usually successful as most staff members don’t verify with the relevant party. This type of attack targets not only staff but also the subordinate staff.

Saccos should also develop a culture where everyone is responsible for anything. This has been seen as a weak area for most Saccos as people tend to distance themselves from matters of technology. Example: When a person walks into the organization and mentions ICT and maintenance, most staff tend to trust them and leave them unattended on machines within the Sacco. Other instances are where staff are not concerned about what an unknown person would be doing on the premises unsupervised. A culture where everyone is responsible increases the cyber alertness level, ensuring that criminal efforts are unsuccessful.

It should be known to the staff and any support system of any organization that cyber criminals could be anyone. The era of robbery with violence is slowly fading away, and the result is intelligent criminals who steal by beating the system.

The management of any organization should be keen on strengthening their human firewalls through scheduled training, awareness and assessment of the staff on cyber security matters. Under the cyber security framework, the organization would not consider itself secure and resilient to cyber-attacks without the PEOPLE.

In conclusion, it wouldn’t go without saying that “In this cyber age, we are no longer working towards securing Saccos, but we are protecting humanity” and that the best line of defense starts with the people who work with you.

The author, Michael Felix Ngugi, is a Professional Penetration Tester, Certified Digital Forensics Investigator and Certified Network Security Specialist (CNSS), among other industry certifications, with six years of experience as an ICT Security practitioner. He has consulted and led investigations in Kenya and the East African Region, majorly in the financial sector, on incident response and security strategy. He is currently serving as the Chief Operations Officer at Yelbridges.


https://yelbridges.co.ke/