Is SA losing the cybercrime war?
• SA is the sixth most targeted country for cyber attacks, and quick detection of incidents is a priority, writes Lynette Dicey
Cybercrime is estimated to cost the global economy about $400bn a year and this figure looks set to grow in the future.
The World Economic Forum listed cybercrime as one of the three biggest threats facing Africa in 2019. As incidents of cyber attacks increase both locally and globally, the question is whether South African organisations are adequately armed against these breaches.
Many specialists don’t consider SA organisations to be particularly well equipped to guard against cyber attacks. According to the Cyber Exposure Index, which ranks countries based on the number of organisations which suffered cyber breaches, SA is the sixth most targeted country for cyber attacks, with a high concentration of organisations which are regarded as extremely exposed. Small and medium-sized enterprises (SMEs) are particularly vulnerable to cyber attacks because most don’t have the budget required to put the necessary safeguards in place.
In recent years a number of local businesses and institutions have suffered cyber attacks causing financial and reputational damage as well as business interruption. In 2019 the City of Johannesburg suffered a computer network breach impacting its customer billing system. Alarmingly, city authorities are one of the fastest growing targets for ransomware demands, according to global cybersecurity company Kaspersky.
Other companies too have been victims of cyber criminals, including Tracker SA when it suffered a ransomware attack. Banks and other financial institutions are also at increased risk of cyber attacks. Nedbank was the recent victim of what it called a “data security incident” at an outsourced service provider which handles SMS and e-mail marketing on its behalf, potentially impacting 1.7-million clients.
The South African Reserve Bank says cyber risk is one of the main threats to the financial services sector.
However, many organisations don’t report cyber attacks because of the damage this does to their reputation, which means there are no accurate statistics about the number of attacks facing companies in the country.
Like many other African countries which have developed legislation to better protect their economies from cyber threats, SA also has a number of pending legislative amendments which aim to better protect businesses and individuals. These include the pending Cybercrime Bill, which proposes the codification of cybercrimes and the imposition of penalties for them, and which demands that organisations be more careful about how they protect data.
The Protection of Personal Information Act (Popi), due to come into effect this year, aims to better safeguard personal information held by organisations and puts responsibility for protecting personal data on businesses.
Michiel Jonker, director of IT Advisory Services at BDO in SA, says these regulations, once implemented, will aid the fight against cybercriminals but still won’t be sufficient to address the problem.
“We’re losing the fight against cyber criminals,” he says. “They are consistently a step ahead of any efforts organisations make to protect themselves against cyber breaches.”
If organisations are losing the war against cyber criminals, what is the solution? Many experts suggest organisations improve the levels of consciousness and awareness around cybersecurity among their employees. Research indicates that human error is one of the most significant cyber risks for most businesses.
Jonker, however, argues that while this approach has merits, it’s an approach that also has limitations.
“Simply making employees more conscious and aware of these issues is not going to entirely solve the problem. Increased staff training and greater awareness may help to mitigate against the possibility of a security breach to some extent, but no matter how aware staff are, in many instances they are not going to outsmart cyber criminals.”
The only way to completely protect against a cyber attack is to totally switch off all computers — something that Jonker, of course, concedes is neither practical nor realistic.
“Most cybersecurity programmes are built on the assumption of success — in other words, by investing more money on preventative tools we can ultimately control to protect our networks. That’s a fundamentally flawed assumption because no amount of money spent on preventative measures can provide comprehensive and guaranteed protection.”
REBUILD CONTROLS
What’s required, he says, is a paradigm shift. Organisations need to accept that they are not going to succeed all the time at adequately protecting their networks and instead “rearchitect” to redesign and rebuild their controls.
“This ‘re-architecture’ needs to be implemented on the assumption of failure (and not success). If organisations accept that cyber breaches will occur and instead of putting all their efforts into prevention, focus on detecting breaches more quickly, they are more likely to mitigate against some of this risk. Essentially, it’s about how quickly we can detect an incident and then correct it.”
One of the biggest challenges, he explains, is the amount of time it typically takes an organisation to detect a network breach. “On average, hackers are able to spend about 200 days on a network without being detected. If we can detect their presence on networks more quickly we can in part mitigate against the risks of a hack rather than being overly reliant on preventative controls.”
However, achieving this will require organisations to allocate more funding to detection, rather than investing only in preventative measures, he says.