African states need resilience
The Fourth Industrial Revolution (4IR) has ushered in a new economy and a new form of globalisation, both of which demand new forms of governance to safeguard the public good, according to the World Economic Forum’s Klaus Schwab.
Most companies can ’ t afford to sit back on their laurels. “Many of the companies that have failed to innovate, including companies such as video rental company Blockbusters, have ceased to exist in recent years. The cost of failing to innovate can be substantially higher than the cost of innovating,” says Zamani Ngidi, client manager of Cyber Solutions at professional services firm Aon.
However, amid all the hype surrounding 4IR and its disruptive digital technologies there is potential risk. As companies around the world transform digitally, data breaches are becoming increasingly more prevalent.
“While the technology is being rolled out an exponential rate, infrastructural support and safeguards seem to be lagging behind, leaving Africa, in particular, exposed,” says Ngidi, adding that to mitigate against these breaches, African states need to become more cyber resilient.
He concedes that innovation comes with risk. As such, businesses need to understand the associated costs not only with a lack of innovation, but innovating without appropriately understanding the cost of the associated risks. Globally, cyber losses are predicted to reach $6-trillion annually by 2021.
“Cyber resilience is about protecting against these risks,” says Ngidi. “It’s a business enabler, key to sustainability and ultimately focal to any strategic objective that comes with digitalisation.”
There is no question that, potentially, 4IR has commercial benefits for the continent — particularly once these commercial efforts are taken to a global stage. But to achieve this requires that companies better protect data and keep it safe from unauthorised access. The challenge in Africa is more than half of its 54 countries have no data protection or privacy laws in place.
“Data protection laws need to be introduced if businesses in Africa plan to leverage the globalisation potential that comes with 4IR,” says Ngidi.
Businesses operating in Africa should not be looking to governments on the continent to communicate the importance and framework of protecting consumer data in this digital age, he says, adding that it should instead be inherent in every company’s operations.
He advises utilising General Data Protection Regulation (GDPR) — a global standard for protecting the rights of individuals whose personal information enters the digital world, pointing out that the data privacy principles of GDPR are fairly straightforward.
“It’s impossible to completely eradicate cyber risk or the potential consequential damage to reputation resulting from a cyber incident because the risk is pervasive,” says Ngidi. “However, resilience is possible for organisations that implement a circular approach, which Aon calls the Cyber Loop.”
The loop acknowledges that each organisation will start its cybersecurity journey from one of four entry points: assessment, quantification, insurance or incident response. Once in the loop, the organisation becomes an active participant in a greater cybersecurity ecosystem, engaged in continuous review, improvement and investment in cyber risk management. As data is collected, the loop brings everything together into one data ecosystem. And with each revolution around the loop, more data is extracted and then re-invested back into the loop.
The result, says Ngidi, is a fresh and large pool of data related to cyber risk that can be systematically accessed to inform and improve an organisation’s resilience.
“As a company circles the loop, it strengthens its ability to rapidly detect, respond to and recover from a cyber attack. At the same time, their ability to make informed decisions is improved, efficiencies are created and resilience is improved.”
Aon’s approach to cyber resilience aligns with a similar methodology developed by the US military to teach soldiers how to make decisions when there’s no time to gather all the data and when speed and agility are essential. For a company participating in the Cyber Loop, says Ngidi, thinking that is fast and informed by data and experience can be engaged when — or hopefully even before — a cyber event occurs.
Preparation, he adds, can be the difference between a company that is ravaged by an attack, and one that merely finds it a disruption.
“A company with an interdisciplinary leadership team that has practiced responses to common scenarios such as a trade secret theft, credit card data breach, healthcare data breach, personally identifiable information breach, wire fraud, business e-mail compromise, ransomware incident or hacktivist attack — or any other foreseen attacks — is likely to make better decisions under extreme pressure and, thus, reduce the risk to the balance sheet and stakeholders.
“Ultimately,” says Ngidi, “it’s about adopting a systematic process of dealing with the associated risks of 4IR; one that embraces a comprehensive and continuous framework that acknowledges the cyclical nature of the risk.”