
In the world of cyber security, knowing your vulnerabilities and patching them is key. A zero day attack is when a vulnerability is exploited by a threat before you have patched it, or before you are even aware of it. In countries such as Zimbabwe, and across the rest of Africa, exposure to zero day attacks is prevalent for a number of reasons, the main one of which we shall discuss in this article.

The way ICT is viewed in an organisation determines the level of investment it will receive. Though a risk assessment may be done, with the appropriate identification of vulnerabilities and threats, the cure for the identified areas of weakness is investment in security. The dilemma in IT/ICT governance is the level of appreciation that exists at management, executive and board level.

If the discussion on IT needs is left to the technical staff, the result is always an unwillingness to invest more in IT. Where company management does not understand that IT is not only part of the business but also its value enabler, they tend to focus on costs and profit. The bottom line tends to dominate the hidden line, which is your technology foundation.

A great governance structure allows the IT resources to be optimized in order to extract value from the company. Value must not just be viewed as the bottom line but as what makes the company tick.

What is value to a company?

| # | Threat | Threatened Value |
| --- | --- | --- |
| 1 | DoS | Revenue for the day |
| 2 | Virus attack | Reputation / work productivity loss / revenue loss |
| 3 | Worm | Reputation / work productivity loss / revenue loss |
| 4 | Back door attacks | Reputation / work productivity loss / revenue loss |

Value to a company can be defined as “what makes a company viable”. When a company is not able to trade, or employees are not able to complete a task, viability is being lost, and with it value is lost somewhere in those occurrences.

Seeing threats not just as technical words means being able to translate them into threats to business value. If the governance framework in use does not allow for this translation, the end result is that investment in IT will not match the value being threatened.

Misunderstanding of the budget items presented by an IT head can lead to those items being rejected or reduced. A failure to patch a vulnerability found in a website can lead to a mix of cyber incidents which threaten the value of the company. Some vulnerabilities are free to patch, such as by updating your website software; others require new development.

Costs that go beyond the budget

Some zero day attacks may be anticipated when vulnerabilities are identified in time, before budgeting day comes; however, cyber space is an ever growing universe and new threats are identified regularly, which is where the question of investment becomes a sticking point. Does the organisation recognise the seriousness of a newly discovered threat by willingly investing before the attack occurs?

Think of the ransomware attacks that have grown since 2017: when we are aware of such attacks, do we as an organisation invest in advance to prevent them? Take the statistics, where there is collective agreement that the damage costs to business are estimated at USD 8 billion in 2018. Sitting and waiting to be attacked, then dealing with it, is not the solution; a good governance structure brings preparation and response together.

The NIST Cyber Security Framework is a good reference for developing your internal cyber security framework.

There must be at least two sides to the coin: on one side you are protecting, and on the other you are detecting and responding. All things considered, the company must be proactive. Zero day attacks will continue to be on the radar of any cyber related infrastructure; however, the ability to deal with them must be set in the boardroom and cascaded to every other level of the organisation.

By Winston Zvirikuzhe

So you are an ICT Auditor and are enjoying the job very much. What are the things that you should never do? As much as it is an awesome job, there are some things that you should not get yourself into.

1. Becoming the Policy Writer

There is always this temptation for management to mistake the ICT Auditor for the ICT Security Specialist. You might get the odd request to develop one of the ICT policies. WORD OF WARNING! Once you start, you have compromised your independence. You cannot audit what you have drafted. As much as you know what needs to be in a policy, it is not the ICT Auditor’s job to draft the policy; ours is to audit.

2. Failing to Communicate Business Value

There is always that temptation to write ICT jargon in the report, for example to state that “The interface between the ERP and the Payment Application has no secondary authentication, resulting in mistimed posts into the system Ledger”. As much as it makes sense to you as the Auditor, it will not make sense to those reading your report or finding. Make it simpler and understandable, and even better, give the issue a business value. In a separate article we will cover what business value is in auditing.

3. Sending Issues that have no Concrete Evidence

These are computers; evidence can be changed. Make sure you have a print screen, data extract, or …to be continued.
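As an added example that is not part of the article: one way to make the point that evidence can be changed work in your favour is to record a SHA-256 manifest (who collected what, when, and its hash) at the moment the print screen and data extract are captured, and to re-check the files before the finding is issued. The script below does that with constructed placeholder files, a placeholder finding id and a placeholder auditor name; none of these come from the article.

```python
"""Evidence integrity manifest for ICT audit findings (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, auditor, finding_id):
    """Record who collected which evidence file, when, its size and its hash."""
    return {
        "finding_id": finding_id,
        "collected_by": auditor,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": {
            os.path.basename(p): {"sha256": sha256_file(p), "bytes": os.path.getsize(p)}
            for p in paths
        },
    }


def verify_manifest(manifest, directory):
    """Re-hash each listed file; return name -> 'ok', 'modified' or 'missing'."""
    results = {}
    for name, meta in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "missing"
        elif sha256_file(path) != meta["sha256"]:
            results[name] = "modified"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed evidence set: a data extract and a print screen placeholder.

    Returns the verification results before and after the extract is altered.
    """
    workdir = tempfile.mkdtemp()
    extract = os.path.join(workdir, "ledger_extract.csv")        # constructed
    shot = os.path.join(workdir, "erp_interface_screen.png")     # constructed
    with open(extract, "w") as f:
        f.write("posting_id,amount,posted_at\n1001,2500.00,2019-03-01T09:15:00\n")
    with open(shot, "wb") as f:
        f.write(b"\x89PNG constructed placeholder bytes, not a real image")

    manifest = build_manifest(
        [extract, shot],
        auditor="ICT Auditor (placeholder)",
        finding_id="FINDING-ID-PLACEHOLDER",
    )
    # Keep the manifest with the working papers, separate from the evidence itself.
    with open(os.path.join(workdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)

    before = verify_manifest(manifest, workdir)

    # Simulate the extract being edited after collection: one line appended.
    with open(extract, "a") as f:
        f.write("1002,0.01,2019-03-01T09:16:00\n")

    after = verify_manifest(manifest, workdir)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at collection:", before)
    print("at reporting: ", after)
```

The manifest should live with the working papers rather than beside the evidence, so that whoever can alter the extract cannot also quietly re-hash it; the point of the check is that a "modified" result turns a disputed screenshot into a documented discrepancy.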

By Winston Zvirikuzhe (CISA,CGEIT)