Cyber-attacks can be costly and could result in business disruption, reputational damage, and potential legal liabilities. For example, the maximum penalties from the information regulator for serious offences are either up to a R10 million fine, imprisonment up to 10 years, or both. According to Interpol, South Africa, has the third-highest number of cybercrime victims worldwide. This costs about R2.2 billion annually.
The biggest threats are ransomware, supply chain compromise, business email compromise, and data breaches. South Africa is not immune to these threats. Here are a few examples of significant local incidents:
• Experian, SANSA, Solarwinds and TransUnion all suffered breaches of sensitive information caused by untrained employees and targeted third-party attacks.
• Last year, South Africa led the continent as the country most targeted by ransomware. A local gym company, Transnet, The Department of Justice and Constitutional Development, the National School of Government, and Life Healthcare were successfully targeted by cybercriminals. Key systems were encrypted, and core business operations interrupted.
Many organisations have the basics in place, but lack a formal strategy and framework to manage and reduce cyber risk. In some cases, key areas are neglected. There is no effective visibility of key cybersecurity metrics. This translates to leaving the ‘cyber gates’ wide open, making for an attractive target.
Business leadership needs to prioritise cybersecurity to ensure due care has been taken to protect their organisations. Key questions they should be asking are:
• What is the organisation’s threat and risk environment?
• How does the board stay informed about the threat and risk environment?
• Does the organisation know what data is held and where it is stored?
• Do they know what hardware and software is used in their organisation?
• Do they know if there are cyber risks in their supply chain?
Boards should obtain an understanding of the mitigation strategies deployed in their organisation. This can be tested by asking the following eight key questions:
1. What cybersecurity framework is used in the organisation?
2. Does the organisation routinely update and patch its systems?
3. How mature is the organisation’s cybersecurity?
4. How do employees or customers disclose vulnerabilities?
5. What is the organisation’s plan to prevent or detect cyber incidents?
6. Does the organisation have an incident response plan?
7. Does the board know its regulatory obligations?
8. Is the board prepared to respond to a cyber incident?
I recommend the following actions to reduce cybersecurity risk :
• Deliver a cybersecurity awareness programme to create a human firewall. This is important as people are one of the weakest links and the easiest to exploit. Many breaches can be traced to something that awareness training could have prevented. Phishing assessments go hand in hand with awareness training to assess the programme’s effectiveness. In general, up 15% of staff will be caught by the first assessment. Conducting another assessment after the training programme should show a significant reduction in the phishing rate and demonstrate a clear return on investment (ROI). The programme will create a culture of cybersecurity by encouraging employees to make informed decisions and fulfil their day-to-day duties according to the organisation’s cybersecurity policies.
• Conduct a third-party risk assessment. This involves inventorying all third-party relationships and conducting risk assessments of vendors that access or connect directly to your network, transmit, store or process personal information or sensitive data. Establish and enforcing security standards for third parties and the organisation’s supply chain.
• Conduct a cyber risk assessment using best-of-breed frameworks covering cybersecurity, privacy and resilience. This will assess the main adversarial threats to the crown jewels. These high-value assets would cause the most business disruption if compromised. The current cybersecurity posture will be established, versus what is required. A prioritised roadmap should be developed to address gaps to adopt cybersecurity fundamentals to preserve confidentiality, integrity and availability of data and information technology systems.
• Implement the roadmap to close all the identified gaps. This could include preparation for ISO/IEC 27001 certification via the British Standards Institute – the gold standard of cybersecurity assurance.
Resources
• https://www.comparitech.com/vpn/cybersecurity-cyber-crime-statistics-facts-trends/
• https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
• https://www.dailymaverick.co.za/article/2021-11-06-cyberattacks-south-africa-youve-been-hacked/
• https://newsroom.transunion.co.za/update-south-africa-cyber-incident/
About Bryan Baxter
Bryan Baxter has been in the IT Industry since 1992 in various roles, before recently joining Wolfpack Information Risk. He has helped customers successfully manage and deliver IT infrastructures to around 7000 users in several countries, where, of course, the recurring theme has been keeping customers secure from cybersecurity threats. For more information contact Bryan Baxter, Wolfpack Information Risk, +27 82 568 7291, [email protected], www.wolfpackrisk.com
Tel: | +27 11 794 7322 |
Email: | [email protected] |
www: | www.wolfpackrisk.com |
Articles: | More information and articles about Wolfpack Information Risk |
© Technews Publishing (Pty) Ltd | All Rights Reserved