The state of the nation’s cyber security

Is security front of mind for South African companies and state organisations?

Security dovetails with digital modernisation

Cyber attacks are a regular occurrence in South Africa. The most newsworthy was the Liberty hack, where criminals made off with terabytes of email data and then tried to blackmail the organisation.But because this is the one that hit the headlines, don’t think it was an isolated incident.

Read this next:

Security blanket

The ins and outs of a security practice

Numerous attacks are happening all the time, many going unreported and quite a few aren’t even noticed. The complexity of combining technology and connectivity has not only made it harder to police systems, but there’s a distinct gap between what companies think they need and what’s actually required to be resilient against attacks.

How widespread is the problem? Hard figures remain elusive, but PwC's ‘2016 Global Economic Crime Survey’ places cyber crime as the fourth most reported type of financial crime in the country. According to the paper, ‘An Analysis of Cyber Incidents in South Africa’ by Brett van Niekerk, attacks on the state are just marginally more than on companies. Further, the biggest types of breaches result in data exposure followed by financial and denial of service attacks.

A lagging market

Despite this, local businesses and institutions aren’t grasping the message with enough urgency, says Michael Colin, sales director at BitCo. “Security is still very reactive in spite of the drastic increase in breaches as the landscape in South Africa is at an immature stage. Organisations rush to get cyber security products once they’ve experienced a breach in the hopes of mitigating the crisis to get up and running again. At that stage, it’s already too late and the organisation has been compromised. The next step would obviously be preventing future breaches.

” Surveys by the Department of Telecommunications and Postal Services appear to reflect this. Noting that hard facts around company readiness are still scant, it nonetheless found that only 37% of local businesses have discussed a cyber security strategy and less than 30% have implemented one.

Nonetheless, awareness is spreading, if only because of more headline visibility and regulations putting pressure on business owners, says Henk Olivier, MD of Ozone Information Technology Distribution. “The biggest shift in security over the past decade is that people are much more aware that there are security risks or breaches when it comes to technologies. However, over the past three years, laws and compliance have changed and you can now be held responsible for any security breaches if you can’t prove you had sufficient security measures in place.”

Digital’s momentum

Another reason why security has a higher focus is that it dovetails with digital modernisation. Newer innovative workflows typically grouped as ‘agile’ can’t rely on perimeter security to keep them safe. For example, DevOps projects need to have security involved all the way, otherwise they develop complications down the line

“Organisations that take a concerted approach to digital transformation tend to bring security along,” says Tom Scholtz, research VP at Gartner. “What’s starting to emerge is that we’re seeing new approaches and new roles taking more responsibility.”

Security champions are more commonplace among certain projects, though this depends heavily on the company’s own digital values and understanding. Digital in itself doesn’t encourage better security. Instead, it’s down to the right attitudes, values and strategy the business applies from the top down.

This is becoming non-negotiable, since – like electricity – if digital fails, operations stop, says Olivier. “In the past, businesses might have still been able to continue operations when something happened or if there was a breach on security, but nowadays, businesses can come to a complete standstill,” he says.

Small to medium enterprises (SMEs) are much more vulnerable, but they routinely believe they’re unlikely to be targeted. Yet 66% of recent breaches globally affected companies with less than 1 000 employees, according to ENISA’s ‘Threat Landscape Report’. It’s fair to assume that reflects local SMEs as well. Here, though, there’s a problem: such companies can’t afford the costly security projects required. As such, many are looking to the cloud for help.

Cloud vs criminals

South African SMEs are quite conservative when it comes to technology. World Wide Worx’ annual SME survey found that small businesses are generally reluctant to upgrade due to concerns around costs. This supports previous surveys, which found reluctance among small businesses to even adopt cloud services.

But that’s changing. A notable fact from the World Wide Worx report is that fibre adoption is skyrocketing among small companies, as is a big interest in using IoT solutions. Both inevitably lead to cloud services. The cloud may also help SMEs manage some of their security woes, not to mention the onerous archiving and data safety requirements of regulations such as PoPI, GDPR and the Cyber Crimes Bill.

“SMEs are moving to cloud storage and backup solutions at a rapid rate, because there’s no onsite infrastructure to maintain, protect or upgrade,” says Olivier. “But it’s important for all businesses to be aware of what the specific cloud providers offer and what they don’t, as well as the security of the provider. It’s important for a business to be aware of the terms and conditions of a cloud service provider.”

Pitching security to the market

Suffice to say, there are a lot of market opportunities to offer security solutions. The trickier part is convincing a still reluctant market to spend on security. This could be through the carrot of digital’s advantages or the stick of meeting regulations. For example, small firms such as lawyers’ and doctors’ practices are deeply concerned about privacy laws, especially because they’re often considered soft targets. Many, though, don’t feel they can afford current solutions.

There are also other pitfalls that might fail customers. For example, compliance doesn’t equate a secure workplace. Nor are out-of-the-box security solutions effective unless they’re met with the right people and policy choices. The role of today’s security provider is quite different than in the past, says Scholtz. “We’ve long been advocating owner accountability – with the responsibility of security resting with the business owners. Five years ago, people laughed at that idea, but these days, many larger organisations are implementing that principle. So the security function is moving away from policing to being more of an advisor.”

South African businesses are certainly more security aware. But whether they grasp the scale and necessary action required varies significantly. Digital projects are definitely helping – numerous solution providers offer digital business services underpinned by a security value proposition. In other words, security is less a product of itself and more a necessary part of the digital whole. Yet most organisations aren’t in a position to appreciate this at face value. Solution providers looking for wins should consider this shortfall and tailor their offerings to close the divide.

The tech driving security

What are the technologies and concepts defining security solutions?

Artificial intelligence is growing more and more prominent in security practices, often part of Security-as-a-Service products. But it’s a very new field, so much so that legitimate AI professionals are in such a high demand there’s little evidence of AI use by cyber criminals (thus far).

Risk-based authentication determines the validity or risk of an action based on several factors. For example, a VP’s account accessing company financials at 2am is suspicious and warrants more attention. This is a leading way to administer security hygiene on complex environments.

The internet of things has graduated from concept to something every business wants a piece of. But IoT systems are notoriously fractured and feature very little in decent security. Demand for robust IoT security is growing fast.

Cloud services tend to have security baked in as part of their environments. More companies are relying on the pooled skills and scale that these service platforms can use to keep abreast of attackers. That being said, cloud service providers don’t necessarily cover all the bases and should be scrutinised closely.

Automation is big in security today. Nothing moves at the speed of a machine, so containment and response to an incident can be very fast. That being said, security automation is highly contextual and relies on modern digital systems to work effectively.