Cybersecurity – More Behavioural Than Technical

Data are now the most valuable asset to people and businesses in all rich countries. Since digitalization is taking place at an ever faster pace in the rest of the world, including Africa, the value of data is growing rapidly everywhere. That has prompted massive cyber attacks, on the one hand, and, on the other, an advanced cybersecurity build-up – both to counter the attacks and to further ensure secure operation of the digital infrastructure as a whole.

And yet, pernicious and successful attacks are reported in the news frequently.

Why is the cybersecurity industry unable to provide fail-proof protection?

Limiting the discussion to the civilian sphere, it can be said that the problem lies, to a large extent, in the two-dimensional nature of cybersecurity.

Generally, cybersecurity may appear to be a technical matter only. But, in fact, it has both technical and behavioural dimensions.

It is tempting to attribute attacks to the failure of cybersecurity technologies. Nevertheless, investigations into several high-profile cyber attacks have revealed that the vast majority were staged by exploiting behavioural weaknesses of users, partners or customers. For instance, the 2012 Data Breach Investigation Report (DBIR) of Verizon, one of the world’s top telecoms companies, shows that 96pc of the attacks could have been easily prevented through good practices.

So far, the focus of the public, as well as of businesses, remains pinned on the technical dimension of the issue. That may not be difficult to understand.

For one, it is a matter of misperception or simply a lack of awareness. Businesses think hiring a best-in-class cybersecurity solution suffices to take care of the cybersecurity problem. As a result, they do not see cultivating good cybersecurity behaviour or culture either as a necessity or as their responsibility. Similarly, the mindsets of people about the security of their digital assets and of their analog assets are far apart.

The behaviour of people in relation to cyberspace, as is the case in relation to any other human issue, demands change that is naturally resisted. But little attention and effort have been invested in addressing the desired behavioural adjustment.

The simple point is that any initiative – be it national, organisational or personal – to improve cybersecurity has to address both the technological and the behavioural dimensions. In a recent article in the US Cyber Security Magazine, Adam C. Firestone, president and general manager of Kaspersky Government Security Solutions, Inc, was straightforward: “… unless the defended are fully enfranchised and engaged in their own defense, the defenders, cyber or otherwise, cannot be successful. This principle is as true in physical space as it is in cyberspace.”

Claims and counterclaims of capability between attackers and defenders are intriguing. While defenders claim it would take hundreds of years or even more to crack a certain cryptographic scheme, attackers easily dismiss this by saying whatever is done by man can be undone by man. When defenders talk of artificial intelligence (AI) assisted security, attackers present a malicious AI.

What was touted as an ingeniously secure communication protocol or computation application is reported to have been bugged by attackers at some point – remember Heartbleed, a security bug disclosed in April 2014 in the OpenSSL cryptography library. This will go on, but, to rephrase Firestone’s words, while the fight between the attackers and the defenders continues to rage, the defended should not undercut their defense by creating vulnerabilities.

Gradually, the case for the behavioural dimension of cybersecurity is gaining ground, thanks to the lessons from shocking experiences and the exhortation of persuasive expert views. Furthermore, some concrete measures aimed at cultivating better cybersecurity behaviour or culture have crystallized.

One bit of good news is that cybersecurity firms have begun integrating behavioural components into their solution packages. In addition, two areas of action meant to create a society-wide effect are taking shape: cybersecurity education and cyberhygiene.

Some bespoke (built to a particular specification) or industry-wide standards have also been developed. In relation to these, businesses that can afford to do so would benefit from applying standard cybersecurity management practices. Standards such as ISO-27000 would effectively help streamline their efforts in cultivating good cybersecurity behaviour or culture.

Surely, data are now enormously valuable, but that is nothing compared to what is coming in the years ahead as the Internet of Things (IoT), mobile broadband, and digital platforms such as the smart city roll out at full steam. Cybersecurity is critical right now, but it will be existential in the coming years. That is why African countries, including Ethiopia, should put in place programmes and plans that help their people and businesses cultivate the best cybersecurity behaviour.

Doing so is crucial for cybersecurity firms, be they local or global, to protect their digital assets successfully, to the extent that they would find working for Africans not only profitable but also gratifying. Only then can one say Africa has set a sound foundation on which cybersecurity technologies work effectively.

