Thanks to the recent publicised outbreaks of ransomware, cybersecurity is suddenly a hot topic amongst most C-level executives. Most are scrambling to understand the impact of cybercrimes, what cybersecurity means and what they should be doing to protect themselves and their companies. But is the threat real?
Cybercrimes in South Africa
South Africa has suffered from the most cyberattacks on the continent and we are ranked the third worst country for cyberattacks in the world, as revealed during the 2015 Security Summit.
The Global Economic Crime Survey conducted last year, revealed that cybercrime was the 4th most reported economic crime. An estimated 32% of SA companies were affected, 57% believe they will soon be affected, yet only 35% of companies surveyed, had a cybersecurity plan in place.
In a recent interview, Cay-Bernhard Frank, Head of Strategic IT: A.T. Kearney South Africa, revealed that: “South Africa is a very attractive target here, as a regional hub on the continent. A lot of banking industries, a lot of company headquarters are located in South Africa. Compared to the rest of Africa, the business hub of South Africa makes it attractive for cyber-attacks. That’s more on the demand side.”
The South African Banking Risk Information Centre reported that our economy suffered losses exceeding R2.2 billion, just from internet fraud and phishing attacks alone. This number is increasing daily.
Symantec’s latest Norton report shows that 8.8million South Africans were victims of cybercrime, adding that one in every 214 emails sent in South Africa was a spear phishing attack.
Whose responsibility is Cybersecurity?
Who is managing cybersecurity in your company? In most cases, cybersecurity is seen as an IT task, another aspect your IT manager should be taking care of. However, the responsibility of cybersecurity in any business, ultimately lies with the board of directors. Directors failing to secure data in their companies, may face hefty fines of up to R10 million, or even jail time. Cybersecurity can no longer be seen as a simple IT problem and should be addressed at board-level.
The POPI legislation specifies penalties, including ten years’ imprisonment and fines of R5m to R10m, for failure to protect sensitive data.
With the stakes being this high, why do only 35% of companies have cybersecurity plans in place?
The reason is simple – cybersecurity is such a highly complex topic, with several thousand articles, products and advisors. Combine this with an ever-changing landscape and the lack of education in the corporate sphere, and you have an ever-changing moving target that’s almost impossible to achieve.
What does a good cybersecurity strategy look like?
A good cybersecurity strategy is more than just a good firewall and antivirus. It goes far beyond, and can almost be compared to a block of Swiss cheese. When you slice Swiss cheese, each slice will contain a few holes. However, the entire block of cheese is pretty solid as a unit.
An effective cybersecurity plan should consist of several layers of protection and should include the following ten items:
- Ongoing security awareness training for all employees
- 24/7 monitoring of your digital assets, user behaviour and network changes
- Regular internal and external vulnerability checks
- Quarterly penetration testing
- Simulated ransomware and phishing attacks
- Review of data access and permissions
- A managed firewall and antivirus, antispyware and anti-ransomware
- Regular software patch management and reporting
- An up-to-date email platform with SPAM and virus filtering
- Comprehensive information security policies and procedures (including an incident response plan)
Start securing your business today
If your company does not have a cybersecurity plan, implementing and continuously managing a good cybersecurity strategy should be prioritised immediately.
Cybersecurity skills are hard to find, and there are several firms offering some of the recommended layers, simply to check the compliance box without understanding the changing landscape well enough.
If you cannot afford to employ a full-time cybersecurity professional, you could consider outsourcing the function to a third-party provider, who can help you implement a solid cybersecurity strategy for your business.
Not all cybersecurity providers offer the same services – it is important that you find a partner who will work with your specific business and offer you a comprehensive service that aligns with your short- and long-term goals. Your cybersecurity partner should be proactive, provide you with world-class systems and layers of protection, and able to easily navigate the ever-changing landscape with you.