Blind spots an information officer needs to navigate when preparing for cybersecurity threats

Think about this question for a second: What is the probability that your organisation might fall victim to a cybersecurity threat?
The Mimecast 2020 State of Email Security Report reveals that 61% of South African organisations have experienced ransomware attacks during 2020. If the last few years have taught us anything, it is that statistics more often than not tell a story.

Plainly said, if there are ten organisations residing in your office block, six of them have, on average, experienced a total of six days of downed tools as a result of some form of cybersecurity threat.

The threats experienced may not even be as dramatic as the recent Transnet ransomware attack. It is true that extreme and sudden incidents of ransomware attacks are most likely to dominate news cycles for a week or more. Indeed, these ‘front page’ events cause considerable financial and reputational damage. But organisations should also be prepared for a spectrum of attacks that might be preceded by slow and systematic infiltration.

Examples of these trickled down attacks could be in the form of impersonation fraud where a rogue actor known to employees finds themselves compromised. Email phishing is another example – the golden rule is if an email feels ‘off’, it probably is. Even disgruntled ex-employees with sufficient access to back ends of systems or employees that have stolen information upon exiting the organisation pose a considerable threat.

Why are cybersecurity threats seemingly endemic to South Africa?

We cannot deny that the business of cybercrime has exploded. But we would be wrong to assume that cybercriminals are spotting and taking opportunities simply due to the sudden global jolt over to remote and hybrid work models, which can potentially leave private organisational and personal information vulnerable. 

Accenture’s Insight into the Cyberthreat Landscape in South Africa offers some insight into why South African companies are particularly vulnerable to cybersecurity threats, and why the country has seen a definitive uptick in cybercrime reports since 2016:
  • The first finding is quite obvious – South Africa has had a noticeable lack of investment in cyber security. Other socio-economic factors such as high crime rates, inequality and poverty, high unemployment and a shortage of skilled labour enjoy bigger priority.
  • A second finding shows that until recently South Africa has been slow to adopt cybercrime legislation and related law enforcement training.
  • A third finding attributes the uptick to poor public knowledge of cyber threats, resulting in poor ‘digital hygiene’.
  • Shadow IT is the use of applications and infrastructure without the knowledge of an enterprise’s IT department, and this is another factor directly contributing to South Africa’s cyber blind spots.

Data Privacy and Cybersecurity legislation ramps up

Fortunately, South African law has decisively stepped up to global standards to start defining the country’s cyber governance. Together with the POPIA, when the new Cybercrimes Act 19 of 2020 comes into effect, this piece of legislation would form a key component of South Africa’s artillery in the fight against cybercrime.

At its core, the act would criminalise malicious communications. The act would set clear parameters that will define contravening actions. These may include unlawful access to a computer or device, illegal interception of data, the unlawful acquisition, possession, receipt or use of a password, and it will also define online forgery, fraud and extortion.

Unfortunately, while South Africa may have world-class legislation, the implementation thereof remains the most significant challenge. Many organisations interpret the POPIA simply as a tick-box compliance exercise. They fail to recognise that our laws also serve as best practice guidelines for organisations. It is in the best interest of organisations to assume responsibility for applying these pieces of legislation, as they are intended to protect the best interest of all their stakeholders and the data processed, stored and managed by organisations.

Eyes on people and systems, and the processes connecting these variables

Keeping precious information safe from cyber criminals and protected in line with more sophisticated legislation need not be a complication or an unknown factor to fear. The responsibility of strategically and practically safeguarding digital information lies with the organisation’s Information Officer (IO) anointed under the POPIA (Protection of Personal Information Act) regulation.

In my opinion, when you work with an imminent threat, or risk, the best course of action to take would be to focus on controlling the variables you are able to control. This is why the third and fourth findings of the Accenture report (people and systems) may be two of the more realistic factors to navigate from a change perspective at an organisational level.

I would go further than that and suggest a third variable to include in your offensive strategy triangle – processes, the bridge that joins the other two factors. Let’s investigate these three variables:
  1. People

People remain the most significant weakness in cybersecurity. The responsibility and accountability fall upon IO leaders to truly take their people on an online safety journey – to plan for and practically implement offensive strategies. Threat detection awareness may take the form of experiential learning drives or real-life cybersecurity drills and tests at work.

It’s important that an organisation maps its foreseeable security risks in a risk response plan and then rehearses these to familiarise employees with appropriate courses of action for the day the need would arise to act ‘in the moment’. It is only when human beings are presented with stress factors, calling for a fight-or-flight response, that they default to what is known and familiar to them. The best thing organisations can do is to familiarise an employee’s fight-or-flight response with the most appropriate and correct process actions.

For example, have you noticed that during a stressful meeting at work, an employee may reach for a pen and paper instead of a digital way to capture information? Under stress, we reach for the system that is most familiar or comfortable to us. Stress limits our cognitive ability to engage with new information or ways of working. An employee who has not sufficiently practised and rehearsed ways in which they can default to autopilot mode under duress will default to behaviour that is most familiar. This employee may not necessarily act with a safety-first intent – they may contact the wrong number, or worse, engage with the cybercriminal directly.

In contrast, think about the training of a pilot – it is designed in such a way that the pilot’s ‘autopilot’ behaviour averts any imminent threat safely, every time.
  2. Systems

The second (and most commonly known) strategy is to adopt technology, cybersecurity experts and supporting systems that will circumvent, proactively defend or mitigate against cybersecurity vulnerabilities. This creates a protective barrier that makes it really hard for a cybercriminal to access or get past to the protected information.

Think about the ways in which we safeguard our homes. We use locks, perhaps a guard dog, electric fencing, burglar bars, responsive security technologies, beams and real time cameras to provide as many extra protective layers as possible.

In case a threat does occur, just as when we are securing a home, we need to think about how we layer technology systems to slow down rogue actors enough or create the barriers needed. For instance, an organisation may need to supplement existing systems with additional back-up systems as part of its contingency planning. Very rarely should defaulting to a manual system be required as a last resort, as we’ve seen with various large organisations who have been victims of cybercrime. 
  3. Processes

All journeys have bridges joining various parts together. A wise consideration for IOs would be to adopt or review their systems, which are essentially the bridges that connect people or behaviour to the correct systems.

Organisations with a defensive security strategy are usually those that have treated it as a tick box exercise. Here you might find policies are hidden somewhere in a folder. Perhaps an email went out to inform all employees of the existence of this document detailing the organisation’s risk response plans. But finding that document may be a challenge for most employees.

However, when organisations employ an offensive security strategy, IO leaders have most likely consulted with their teams to design risk response and mitigation processes for when the need arises. Most likely these processes are led by anointed change champions to motivate groups of people and hold them accountable for acting in accordance with safety principles and guidelines.

These organisations will be the ones you don’t hear from and will never grace news cycles for falling victim to cybersecurity criminal activity. As in the case of the rehearsed pilot, they will be the ones flying the planes that safely reach the destination, every time.

The most sustainable way of processing new information and cultivating new behaviour really is via experiential learning in a safe space. Alert employees are able to respond quickly and correctly, and they are the best at safeguarding against slow or immediate threats. As the name implies, experiential learning should happen as part of a normal work-day. There are several ways in which these learning experiences can manifest.

During the foundation phases of children’s learning journey, educators incorporate as many senses as possible during the learning process. Designing supportive policies in the workplace should be treated no differently. Regular town hall sessions provide an opportunity for a consultative process with employees – together with teams and change champions, the most effective processes can come alive.

It reminds me of a Stephen King quote from his novel Different Seasons:

“There's no harm in hoping for the best, as long as you're prepared for the worst.”

More about Kriel & Co: 

Kriel & Co is an IMCSA-accredited management consulting practice specialising in change management, data privacy compliance, digital transformation and mentorship. The practice actively serves clients in a variety of sectors with a proven track-record of delivering innovative, cost-effective and sustainable strategies for digital change. Consultants are primarily retained on a long-term project basis by clients to oversee holistic digital transformation projects and initiatives. 

Get in touch: hello@krielandco.com.

About the author

Francois Kriel is an IMCSA accredited management consultant. He is the founder and managing director of consultancy Kriel & Co, specialising in digital transformation, change management and data privacy. He is also a member of Privacy Officers Africa and guest lecturer at Stellenbosch University's department of Business Management. Francois has extensive knowledge on data privacy (such as POPIA compliance) having established an inter-operable practice with the Technology, Media and Telecommunications department at top-tier law firm ENSafrica and advising several of the firm's clients. Empowered by the most current digital and legal expertise, he confidently advises organisations on practically achieving their organisational goals, data privacy obligations and change management requirements to effectively fulfil the role of CIO.
Kriel & Co
Francois Kriel is an IMCSA accredited management consultant with change management and digital transformation as specialisation areas. He works full-time as director at Kriel & Co where he leads a dynamic team currently facilitating digital change at several high-profile organisations. Francois also supports Stellenbosch University as guest lecturer to business management honours students. He is an advocate for collaborative leadership, mentorship and LGBTQI+ inclusivity.
