Cyberattacks on the increase as more South Africans come online
Increased digitisation leads to increase in cyberattacks
With this increasing digitisation - especially in the banking sector - the magnitude and frequency of cyberattacks aimed at breaching security walls have inevitably increased. The estimated cost of worldwide security breaches in 2015 ranged from as high as $2.2-trillion down to $400-billion, which is more than the GDP of South Africa, without factoring in the long-term damage to a brand from loss of trust.
Senior manager in A.T. Kearney's Vienna office and global leader of information security for A.T. Kearney, Dr Boris Piwinger, said the rapidly changing landscape of information security attacks meant the price of weak security was also increasing.
SA leading target for cybercrime
South African businesses need to place a much higher priority on their handling of cyber and data breach risks, as the country is fast becoming a leading target for cyber criminals. According to some reports, recent statistics revealed that South Africa is the third most attacked country globally.
"Some industries and companies are tempted to relax and justify their slowness with statements such as 'We are secure; nothing has happened to us before' or 'Our firm is not important enough to be a target' or 'Security costs are greater than the potential damages,'" said Piwinger. "Unfortunately, many executives have learned the hard way that these statements simply aren't true. System-critical infrastructure, in particular, faces the risk of cyber war and cyber terrorism, but every firm is a potential target, and the costs are huge. The worst might not be the direct damage of the attack, but the potential scale of public awareness and ultimately the loss of trust in the entire system."
The most critical trends
Piwinger believes the most critical trends are global surveillance, intentional weakening of IT defences, Attack-as-a-Service (AaaS), and massive attacks on infrastructure and automation systems. He cited ransom demands as another potential threat, with attackers refusing to stop until they are paid while continuing to demonstrate they have control.
"Sensitive data is proliferating as the modern enterprise becomes progressively more connected and cybercriminals are increasingly turning to attack internet infrastructure rather than individual computers or devices," added Cay-Bernhard Frank, Partner at A.T. Kearney Johannesburg. "This is particularly relevant as Africa and the Middle East regions are expected to post an almost ten-fold increase in cloud computing traffic growth rates between 2013 and 2017."
Cyber-attacks not only steal significant data, but also open the door to sabotage by enabling the crippling of physical systems such as wind turbines, gas pipelines, and power plants. Such attacks can have dramatic and far-reaching consequences for manufacturing (where the past focus on safety meant avoiding accidents, not security breaches) and infrastructures such as traffic and utilities.
Security risks are business risks, not IT risks
"For businesses, the first step to prepare for cyberattacks is to understand that information security risks are business risks, not IT risks," said Frank. "Corporate leadership is the ultimate owner of information security risks-not the IT department or the CIO."
A.T. Kearney's work has found that leaders in information security consistently address five dimensions to achieve cutting-edge security: strategy, organisation, processes, technology, and culture. A solid information strategy is directly linked to the business strategy and provides the foundation for all information security decisions.
Assume you are already a victim
"You have to assume you are already the victim of an on-going, successful attack every second of the day," said Frank. "It is therefore hugely critical that the importance of cyber security is comprehensively communicated and constantly highlighted within the organisation."
The right organisational setup allows the organisation to steer through tough decisions and situations. Well-defined processes ensure that risks are properly evaluated and addressed. When it comes to technology, the leaders in information security care most about the one attack they might miss and are efficient in their use of technology.
"At the end of the day, a strong corporate culture is one that values information security as a business enabler," said Frank.