[Column] Karien Bornheim: Cybersecurity - There are consequences
There is a misplaced confidence in existing cybersecurity solutions and in the beleaguered IT department, and it is leaving corporate doors wide open to attack. The World Wide Worx State of Enterprise Security in South Africa 2019 report found that 99% of IT departments feel confident that they can protect the company, yet 45% say they don’t have the skills they need to cement this confidence, and 43% don’t think they would detect a breach within the first few minutes. There is a disconnect between the reality of the security systems in place and the overconfidence of the enterprise.
“The security landscape across the African continent is a complex mix of overconfident belief in the ubiquity and capability of the IT department and the complete lack of security skills and employee awareness,” says Karien Bornheim, CEO of FABS. “Cybersecurity isn’t embedded into the culture of the organisation nor is it addressing the biggest vulnerabilities in the systems – outdated software, poor employee training, and third-party vulnerabilities.”
The World Wide Worx survey found that a staggering 77% of IT decision-makers were concerned about the risks inherent in outdated software systems. That’s a huge slice of the corporate pie left wide open to attacks that could cripple the business and its reputation. This isn’t just hype. The Ponemon Institute found that the lost assets and expenses caused by a breach can damage brands badly, often costing up to $1.6 million and taking nearly two months to resolve. Perhaps even more concerning is that the same research found that 60% of these breaches were caused by a negligent employee or third-party contractor.
“The challenge doesn’t lie exclusively in the infrastructure that helps the organisation minimise the risk of cybercrime,” says Bornheim. “It is equally reliant on the training that the company provides to its IT department, its employees and its third-party vendors. Without understanding the risks or the protection against them, people will always be the weakest link in the security chain.”
It’s surprising how few organisations invest in cybersecurity training programmes such as those offered by the EC Council, especially considering how easy it is for Goliath to fall to that worm. In July 2019, one of South Africa’s largest electricity service providers fell foul of ransomware. One of the most common ways for ransomware to penetrate any defensive system is via that click made by the untrained employee who really, really thinks that the email is genuine. Human error was also the reason for the BlackRock data leak in January 2019, SAA and Liberty were both victims of successful hack attempts, and the number of cyber-attacks per day in 2019 has risen to 13 842 according to Kaspersky.
“The risk isn’t manufactured by the media or only inherent in someone else’s business,” says Bornheim. “Every organisation of any size and in any market is at risk of being hacked, breached or subjected to the whims of ransomware. In fact, the research is increasingly pointing to a shift in cybercrime focus with many attacks directly targeting small to medium companies. They are less likely to have invested in training and security tools and more likely to have usable vulnerabilities as a result.”
The cost of training up staff is barely a scratch on the budget compared with the cost of recovering from a hack. The Accenture Cost of Cybercrime study, which spans more than 11 countries and 16 industries, found that the average cost of cybercrime rose to $13 million per company in 2018. That’s far more than any company would spend on establishing a business culture that’s cyber-aware and security savvy. The same applies to the training and management of third-party service providers. Investing in training, policy development, skills development, and a cohesive cybersecurity posture is a small price to pay considering the potential business and reputational loss. The laws in Africa have yet to deliver the robust smack to the business that they should, but any business looking to expand its footprint is going to have to deal with the compliance and regulatory requirements of the various cybersecurity and data protection acts in the African countries, GDPR in Europe, the Australian Privacy Principle 11 (APP 11) in Australia, and the Federal Trade Commission Act in the United States, to name just a few.
“Training courses that emphasise skills development, recognise the importance of educating employees, and that focus on providing the business with robust third-party cyber-posturing, are essential,” concludes Bornheim. “This will not only set robust, long-term foundations for the company’s cybersecurity policy but ensure that all compliance boxes are ticked, and that employee negligence is minimised significantly. There will always be the risk of a hack or a breach, but with training, this is minimised and managed properly.”