Organizational cyber code of ethics
Updated on October 23,2022
Africa, generally, is to be counted among the lucky lot when it comes to cyber-attacks.
Africa isn’t that educated when it comes to hacking. Hence most attacks are often secondary, with the primary ones being the acts of script kiddies like defacing websites.
However lucky we are, having escaped an attack by a hungry tiger doesn’t mean that you will never die someday. You will, eventually.
How I wish most African organizations knew this. The reason for my painful plea is that cyber, to most African organizations, is an alien world with its own occupant species.
You dare mention the term ‘cyber-attack’ to a well-groomed high profile employee in some organizations; trust me, their imagination is beyond that of Einstein’s E=MC². Some may imagine a cybercafé raining down upon them (attacking).
A day ago, I took my time and skimmed through the organizational employee code of conduct of one of Kenya’s high-profile banks.
No single rule targeted cyberspace. It is like, I, the customer, am allowed to give the receptionist or the secretary a flash drive so that my documents can be modified or viewed from her computer. If you are my other eye, then you know how dangerous this is.
Caught unaware
Cyberspace is like the heavenly space, so infinite it is, yet it continues to expand.
Africa, you should worry more. Performing a successful hack into Los Angeles’ Metro subway is, as of now, kind of difficult. What of an African metro subway? It is extremely cheap, easy, and not risky at all.
Where are the established laws that will be used against you? Better still, where will the white hat hackers or cyber security experts detect your malicious activities?Very few, indeed. Imagine this kind of world. The point is Africa is the gold mine of hackers, you only got the identity (not even the lives) of the miners risked, but the product is far much invaluable.
Currently, the tank projectiles (loaded with cyber-attack mechanisms) are facing other continents. When they face defenceless Africa, I pray for your survival.
Never forget the coming, even larger, IoT cyberspace. Africa is voted best for loving ‘cool products'. IoT products will ensnare you like a staged trapped rat is to a foolish snake.
The need for a cyber code of ethics
Security starts with you and not your machine. Your organization might have deployed cutting-edge intrusion detection systems, unbreakable public key cryptosystems, and hashing algorithms for information integrity.
Still, I could bring down all these by just being me. I would social engineer you into speaking out your account credentials, or I just need to hack your personally-owned machine.
The latter would work since your organization allows you to Bring Your Own Device (BYOD).
The best weapon to beat an enemy is to possess foreknowledge. This is knowledge about a future likely event. Consider ‘dumpster diving’; if an organization knew that there is a likelihood of an enemy searching through the organizational trash, collecting some info, and using the obtained info to hurt the organization in a particular way. Only then will the organization have rules governing the nature of documents to be trashed out.
Documented and enforced security policies and awareness programs are the most critical components of any information security program.
Good policies and procedures aren’t effective if they aren’t taught and reinforced to employees.
The policies must be communicated to employees to emphasize their importance and then enforced by management.
After receiving security awareness training, employees will be committed to supporting the organisation's security policies.
The concerns
The following issues need to be addressed in the cyber security policies.
Help desks
An organization (or just a department) without a help desk is worth being renamed a ‘disorganization.’
Without a help desk, a hacker could just act confused and then walk to a high-profile employee loaded with his attack weapons, ready to deliver a virus. The wise ones would walk straight to their targets, even a manager (‘since he was never directed’, he will use this to his advantage).
Help desks also help the organization to have at least a few records about the current ‘activities’ going on.
Even if the receptionist at the help desk doesn’t record (they ought to) anything, at least they are aware that the manager has a visitor by the name of Hack Me.
It is also a visitor screening stage; the receptionist should be able to smell the danger and at least sound an alarm.
Employee check-ins
Reports have it that hackers have pretended to be employees and, in the event, reported earlier than the real employees to perform their malicious activities.
A pretender garbage collector or janitor may report earlier and collect/clean your useless (often useful in some way or the other) trash.
What if it were clearly established that employees must report their arrival, presence, and departure at established stations?
Pretenders’ paradise would be doomed.
DoDs and physical accesses
The destruction of paper documents and physical access restrictions are additional areas the security policy should address.
In a nutshell, the organization should be keen on identifying the right types of document shredders. This would avoid the disposal of readable sections of documents.
What kind of shredded documents are to be disposed of should also be addressed. Documents relating to key infrastructures, such as server configurations, should be properly shredded.
Lastly, who has access to what rooms and sections and who doesn’t should be clearly outlined? If the company has deployed radio frequency ID tags (RFID) tags to be used to access rooms and facilities, then rules should also be outlined that govern their use.
Is an employee allowed to offer a fellow employee their tags if the latter misplaces theirs? Are they allowed to hold open doors for fellow employees without tags to pass? This is how reports have it that hackers obtained physical access to facilities.
Bring Your Own Device (BYOD)
If you bring your WannaCry vulnerable (with their Samba/SMB protocols unpatched) Windows 8 PC to your office, connect it to the corporate’s network, which happens to be connected to the internet, then the whole corporate’s devices would be vulnerable to the WannaCry ransomware attack.
Better still, your computer might have malware (like a virus or Trojan horse). Office files (digital only, please) might be infected if connected to other devices in the corporate network.
So what do we do? The extent to which an employee-owned device should get close to an organization’s devices should be clear.
The organization should also deploy more than one network, one for the organization alone, maybe an intranet, and another for the employees, maybe the Internet.
What devices and/or personnel can access the network should be clear.
If presented, reject, else, stay cautious.
Technology has gone so far that I can hide a video inside another video, an executable (.exe) inside another executable, an audio inside another audio or video or executable, an executable inside an image etc.
This is basically ok. The only problem, on opening or just clicking the visible file, the invisible file may have been programmed to run, sometimes without your knowledge. How unfortunate.
So, how can you be sure that the resume word document presented to you by a self-proclaimed interviewee, so that you can edit it on your desk machine, doesn’t contain a hidden executable?
The answer is you can never be sure. Flash drives, compact disks, other memory sticks like hard disk drives (HDDs) and mem cards should not be accepted in the office.
Just to be sure you keep your human nature, as God prescribes it, you cannot just refuse to help a genuine stranger in need on the pretext that he may be loaded with a virus.
Just like the Ebola virus, there should be a quarantine for handling the alleged virus-loaded gadgets and files.
I would recommend that the organization should have a quarantine centre for any other third-party servicing like printing, document editing, and the like.
This quarantine zone is, of course, isolated from the corporate network. It should be for validating the security of gadgets and files before they are plugged into a corporate system.
Better still, they should be able to handle everything and just forward the documents to appropriate recipients, if necessary. Security comes at a price, indeed.
Accounts’ security
The corporate security policy should address how and when accounts are set up and terminated, how often passwords are changed, who can access what information, and how policy violations are to be handled.
Also, the policy should spell out help desk procedures for the previous tasks and a process for identifying employees—for example, using an employee number or other information to validate a password change.
Employee education
Above all, employee education is paramount.
All employees should be trained on how to keep confidential data safe.
Management teams should be involved in creating and implementing the security policy to fully understand and support it throughout the organization.
The company security awareness policy should require all new employees to undergo a security orientation.
Annual classes should be required to provide refreshers and updated information for employees.
Another way to increase involvement is through a monthly newsletter with security awareness articles.
Conclusion
One of the advantages of a strong security policy is that it removes the responsibility of employees to make judgment calls regarding a hacker’s request.
These decisions are always a big burden to whoever is to make them.
If the policy prohibits the requested action, the employee has guidelines for denying it. This is a difficult task simplified, which is at the core of the strategy.
It would melt my heart to see African organizations implement these recommendations to further their claim as the motherland. The mother ought to be more strategic than the child.