In the past year, more than half of South Africa’s companies have been impacted by ransomware attacks.Furthermore, according to a recently released report by cyber security firm Kaspersky, spyware attacks in South Africa grew by 18% between the last quarter of 2022 and the first quarter of this year.These statistics are more than a little alarming, as instead of the country making headway against such attacks, the opposite is happening.
Cybercriminals do not discriminate either. While the targeting of banks, payment processors and other financial institutions is commonplace, the public, healthcare, manufacturing, information technology and education sectors have all been in attackers’ crosshairs in recent years.
Cybercrime takes myriad forms, including phishing attacks, malware infections, ransomware, DDoS attacks and insider attacks. A new threat comes in the form of Business Email Compromise, or BEC, which targets an organisation for the purpose of defrauding it.
Clark Basilwa, IT security consultant at South Africa’s World Wide Industrial and Systems Engineers (WWISE), explains that BEC scams are typically orchestrated through the use of email messages that appear to emanate from known sources making legitimate requests, whereas the source is likely a cybercriminal.
“Organisations with particularly weak computer network safeguards are usually the target of BEC scams, specifically those with minimal controls over online banking systems,” he says.
Another reason for the rising number of cyberattacks on South African firms is the emergence of Advanced Persistent Threats (APTs) that can often stay undetected for months or even years. These complex attacks typically focus on high-value targets such as well-known companies and government departments and aim to steal information over a lengthy period of time.
“There are several factors that can lead to a proliferation of attacks,” says Kgotso Masenya, WWISE’s head of information technology.
“There may be a lack of information and cyber security awareness, or the firm might not have the skills and necessary controls in place to protect against cyberattacks. These include Intrusion Detections Systems, cyber law and requirements-compliant firewalls, endpoint managers, anti-viruses and effective incident, vulnerability management processes, and data loss prevention processes and policies.”
Companies also may not have the skilled personnel to deploy preventative controls to contain cyberattacks and their impact, while system vulnerabilities may be poorly monitored.
Both experts agree that if threats are to be averted, companies need to implement standardised cyber security measures.
ISO/IEC 27001:2022 and ISO/IEC 27032:2012 form part of the International Organisation for Standardisation’s range of globally recognised standards for combatting cybercrime within a company or organisation. These certifications will:
- Create awareness of cyber and information security that includes tips on how to combat and protect against cyberattacks;
- Implement preventative and protective controls/tools that will assist the organisation to identify breaches, vulnerabilities, threats, risks and controls;
- Meet international information and cyber security standards;
- Offer training and awareness around root cause analysis and vulnerability and risk analysis and management;
- Implement proactive technical measures, business continuity plans and insurance to mitigate the financial and liability fallout; and
- Compel organisations to regularly update technological hardware, software, and system security networks.
“There are several things you need for a standards-driven process to really bear fruit,” Masenya says.
“The most obvious is effective implementation of the standard in question, but you also need the ability to identify gaps and non-conformities and define corrective actions. You also need to proactively identify areas or opportunities for improvement.”
“Another key point is that standardisation should extend to internal processes to reduce errors, waste, and risks. And aside from effective communication, emphasis should be placed on frequent awareness training around the implemented standards.”
Clark Basilwa follows what he believes is a crucial four-step process in building a cyber-resilient organisation:
- Take it from the top: “Cyber risk management must be an enterprise-wide effort, but accountability needs to sit at the very top of the organisation, with the board understanding the costs and consequences of a cyberattack.”
- Unite your business: “Cyber risk is not just an IT security issue; it is a threat to the whole enterprise. It calls for a multi-discipline, multi-level response that involves every relevant stakeholder within the business.”
- Get ahead of the game. “Businesses can no longer rely on bringing in a response team after an attack. Incident-response training is critical in preparing organisations for a cyberattack and scenario planning helps to understand operational vulnerabilities and threats.”
- Protect your balance sheet. “Firms should look at how they are leveraging available risk transfer opportunities. Cyber insurance can help protect an organisation’s balance sheet by providing a financial pay-out after things have gone wrong and provide pre-loss prevention and post-loss services.”
By implementing these strategies, businesses will greatly improve their responses to attacks and even be able to continue operations when they occur, the experts say.