Securing your estate’s technology

Residential Security Handbook 2022: SMART Estate Living Editor's Choice, Information Security, Residential Estate (Industry)

Cybersecurity is one of those topics that has been in the media and in almost every print and online publication, even in verticals that have nothing to do with cybersecurity, for years. Today it’s one of those topics that we gloss over or perhaps don’t even see unless the headline is catchy or mentions a company we know.

Another reason for this ‘boredom’ with cybersecurity is that the so-called solutions always seem to be the same, but the breaches and problems never go away. There is always another major company losing large sums of money and millions of personal details and these are mainly in the US or EU because the law compels these companies to spill the beans. In Africa there is no telling how much of our personal information has been lost as it is only recently that companies have been required to admit a breach. At the same time, we know how important following the law is in this country and we know how law enforcement struggles to keep up.

One individual in the cybersecurity industry told this writer that unless you have lost over R10 million, preferably more, there are simply no resources and no motivation for the SAPS to do an investigation. I leave it to the reader to judge the merits of this statement.

Residential estates would be very careless to think they are not a target for cyber-attacks. The large estates are believed to be flush with money, plus they hold the personal details of some wealthy people criminals would love to find out more about – like their address, habits, bank account numbers and so on.

Estates also at risk

And while cybersecurity is complex and beyond the scope of most people, even those in IT, it is not impossible to secure your estate or organisation to the level where it’s more trouble than it’s worth to break in. And these defences, although extremely complex at the core, are not all that complex to implement. The Verizon 2021 Data Breach Security Report states that 85% of successful cyber breaches now involve a human element, a critical factor to consider.


Roy Alves.

Roy Alves, national sales manager at J2 Software, explains that irrespective of the size of the business, email is the primary business communications platform today and it is therefore also the primary attack vector for cybercriminals wanting to get into your systems.

If you think about it, if someone has access to your email, they have access to your whole organisation and can send internal emails with malware or phishing attachments – which most of us would not think twice about trusting since they come from inside the company. This email danger is even more risky when the people using corporate email systems are not educated as to the potential threats.

To and from your supply chain

An attack vector that is becoming riskier by the day is the supply chain, adds Alves. Estates have many suppliers and if one of them is compromised, they can then spoof emails to estate personnel to tell the accounts department to change the bank details of a supplier or send fake invoices with all the required purchase order numbers etc. The opposite can also happen. If the estate is compromised its suppliers and residents are open to attack from a supposedly legitimate address.

And the criminals have advanced beyond simple email too. These days they call their victims and persuade them to provide sensitive information, such as bank OTPs etc. This is not a call from someone with a foreign accent, but from someone with a local accent who already knows things about the estate, like the name of the HOA chair etc. Combining a call from your ‘supplier’ with an email from the same company is a common trick; the caller will tell the victim they just sent an email, which looks legitimate, and ask them to open the PDF file – and they’re in.

Playing by the rules

Another email trick is to change the rules your email software executes whenever an email arrives. Nobody bothers to check if their rules are in order and only contain those rules set by the user – most don’t know where to check since many applications make it easy to set up rules.

An intruder may set up a rule that forwards any emails with the word ‘invoice’ in the subject or body to another email address which allows them to get copies of all your suppliers and their invoices, or even invoices sent to residents. This information may not provide an immediate profit, but it provides useful information that can be used in further attacks or phishing attempts.
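A check for the forwarding rules described above, as an added example that is not part of the original article: it reviews an exported list of mailbox rules and flags any that the user never confirmed, that send mail outside the organisation, or that forward mail matching finance keywords. The rule format, field names, keyword list and the domain estate.example are assumptions made for illustration; real mail platforms export rules in their own formats.

```python
# Assumptions for this example: the estate's own mail domain, the keywords
# worth watching, and a baseline of rules each user confirmed as their own.
INTERNAL_DOMAINS = {"estate.example"}
FINANCE_KEYWORDS = {"invoice", "payment", "bank"}
APPROVED = {("accounts@estate.example", "Newsletters"),
            ("manager@estate.example", "To assistant")}

# Constructed sample export, one dict per rule. The field names are
# hypothetical, not any mail platform's real schema.
SAMPLE_RULES = [
    {"mailbox": "accounts@estate.example", "name": "Newsletters",
     "keywords": ["newsletter"], "forward_to": []},
    {"mailbox": "accounts@estate.example", "name": "Archive",
     "keywords": ["Invoice"], "forward_to": ["copy@mail-archive.example"]},
    {"mailbox": "manager@estate.example", "name": "To assistant",
     "keywords": [], "forward_to": ["pa@estate.example"]},
]


def is_external(address):
    """True when the address is outside the organisation's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rule(rule):
    """Return the reasons a rule deserves a human look (empty if none)."""
    reasons = []
    if (rule["mailbox"], rule["name"]) not in APPROVED:
        reasons.append("not in the list of rules the user confirmed")
    external = [a for a in rule.get("forward_to", []) if is_external(a)]
    if external:
        reasons.append("forwards outside the organisation: " + ", ".join(external))
    hits = {k.lower() for k in rule.get("keywords", [])} & FINANCE_KEYWORDS
    if hits and rule.get("forward_to"):
        reasons.append("forwards finance mail matching: " + ", ".join(sorted(hits)))
    return reasons


def audit(rules):
    """Map 'mailbox / rule name' to its findings, skipping clean rules."""
    found = {f"{r['mailbox']} / {r['name']}": audit_rule(r) for r in rules}
    return {rule_id: why for rule_id, why in found.items() if why}


if __name__ == "__main__":
    for rule_id, reasons in audit(SAMPLE_RULES).items():
        print(rule_id, *reasons, sep="\n  - ")
```

Run on a schedule, a report like this turns the rule check nobody does by hand into a short list for a person to confirm with each mailbox owner.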

Targeted attacks

While you may consider yourself and your estate well protected, social media is a great tool for criminals. LinkedIn, for example, allows us to boast of our position as estate manager at Estate A, or HOA chair at Estate B. It also allows us to provide a full history of employment and education. Other platforms have pictures and information of you and your family. And the list goes on.

Alves explains that cybercriminals today are less inclined to work on a ‘spray-and-pray’ basis where they send spam to every email address they can steal, but spend time collecting information targeting people and organisations where they know there are rich pickings. An estate may simply be a step in getting into wealthy residents’ bank accounts.

The more the criminals collect about you, the better they can target you. They are also clever and would probably send a phishing email late in the afternoon when people are tired, or send one late in the afternoon at the end of the month when the accounts department is at its busiest.

Standard protection

Alves says it is critical that estates (any organisation for that matter) protect their ‘post office’ to ensure that malicious emails don’t even get to the user. Even then, some can still get through, which means that users need to be educated and aware. He also recommends moving away from POP (Post Office Protocol) and IMAP (Internet Message Access Protocol) as these are old and vulnerable (although reliable) email protocols.

He also suggests using multi-factor authentication (MFA), like the one-time PINs (OTPs) banks often use. This requires a second input before you can log into an email or accounting package. An MFA doesn’t have to be via SMS, but can be easily installed and used via an app like Google Authenticator (and many other options, like biometrics), which requires authentication every time you log in.

And while it is less convenient to spend a few seconds using MFA, it makes your systems more secure. Even if only some people use MFA, access to important accounts, servers and accounting packages, for example, should be protected. And of course, using complex passwords should also be compulsory.

For those who have a clever password which they use on all their accounts, Alves warns that criminals can scan the dark web and find lists of users’ information from breaches in the past, check their password and try to see if it works again in their current environment. Many of us use different passwords, but create them in a similar format, changing certain dates or letters depending on which account we are using. Scanning breached passwords also allows criminals to detect your pattern and guess what a new pattern may be.
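The pattern problem described above, as an added example that is not part of the original article: a check that could run when a user chooses a new password and rejects it if it is only a variation of one already known to be breached. The normalisation rules, the similarity threshold and the sample passwords are assumptions constructed for illustration.

```python
import difflib
import re

# Character swaps people commonly use to "change" a password (assumed list).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample: passwords of this user that appeared in past breaches.
BREACHED = ["Sunshine2019!", "Tr0ub4dor&3"]


def skeleton(password):
    """Reduce a password to the base word its owner keeps reusing."""
    # Drop leading/trailing runs of digits and symbols (years, counters, "!").
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password)
    # Undo letter swaps inside the word, then keep letters only.
    core = core.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def is_variant(candidate, breached, threshold=0.8):
    """True when both passwords share (nearly) the same base word."""
    a, b = skeleton(candidate), skeleton(breached)
    if len(a) < 4 or len(b) < 4:
        # Too little left to compare patterns; fall back to exact reuse.
        return candidate == breached
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold


def check_new_password(candidate, breached_list):
    """Return the breached passwords the candidate is a variation of."""
    return [old for old in breached_list if is_variant(candidate, old)]


if __name__ == "__main__":
    for new in ["Sunsh1ne2022#", "$unsh1ne!2025", "correct-horse-battery"]:
        matches = check_new_password(new, BREACHED)
        verdict = "reject, variation of a breached password" if matches else "ok"
        print(f"{new}: {verdict}")
```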

To check if your email has been featured in a breach (past and present, personal and work emails), simply go to www.haveibeenpwned.com. This website has over 11 billion compromised accounts at the time of writing; entering your email will show if it has been in one of the many breaches published by cybercriminals. If you reused one of those passwords, it’s a sure bet someone will try to log into an account of yours with that email and password, or perhaps using a new email address with the same password.

Naturally, the ‘normal’ protections should not be neglected as well, such as securing servers and computers with sensitive information via a firewall, malware prevention and encryption. And these should be kept up to date continually. Often smaller organisations can outsource this to third-party service providers who automatically monitor and check their systems, but the human element can’t be outsourced as an errant email can still get through.

Talk the talk

Many people talk about cybersecurity, but Alves says they only get serious when something happens: they lose money, suffer a ransomware attack, lose sensitive data etc. Of course, then it’s too late and an estate will lose money and the estate manager or security manager will probably have to take the blame – or if they are lucky, a service provider can be blamed. However, the blame will not reduce the money or reputation lost or the amount that must be spent in recovery.

Alves says he has seen businesses close because they could not recover from a cyber-attack. It can take weeks to rebuild your company if you don’t have up-to-date paper records to fall back on (if your backups can’t be restored or are also damaged, which happens more often as criminals delay their attack in order to encrypt or destroy your backups as well). And South Africa is one of the most unprotected countries in the world in terms of cybersecurity, meaning it is a juicy target. There are about 37 ransomware attacks per day hitting the country.

While those in control of budgets will complain about the cost of prevention, it really is minimal when compared to the cost of recovery and that excludes reputational damage and possible future legal action for negligent handling of personal information – and we may even see fines from the Information Regulator in this regard in the near future as well.






© Technews Publishing (Pty) Ltd. | All Rights Reserved.