Interpol’s African Cyberthreat Assessment Report shows South Africa has the third-highest number of cybercrime victims in the world at an annual cost of R2.2-billion.1
Key insights
Cybersecurity – the foundation of a successful digital strategy
Today’s threat horizon is more complex than ever
The 3 Ps matter as much as the technology
The mindset shift: from risk to opportunity
Case Study
Expert Perspective
1. For SMB CEOs, cybersecurity risks are not just a technology issue, but a threat to the viability of the business.
2. For hackers and malware authors, SMBs are, if anything, more attractive targets than large enterprises
3. SMBs face a new breed of security threat and the information security models of the past will not be enough to address them.
4. Go back to basics and audit the business’s security practices and environment to see if they are appropriate for today’s risk landscape.
5. Identify champions in the business to take responsibility for the top cybersecurity risks.
6. Take note of the three Ps: People, Policy and Process. These take precedence over technology in the security blueprint.
7. Policy and end-user training are more important than ever, so make these a priority.
8. Forward-thinking IT departments will make security as easy and invisible to the end-user as possible.
9. Successful cybersecurity needs to balance the security imperative against the end-user’s productivity and experience.
10. Cybersecurity doesn't only mitigate business risk, it covers business expansion through digital transformation.
Today, digital technology touches every aspect of a small and medium business’s (SMB’s) operations—from finances, human resources and production to sales, customer service and logistics. This technology has enabled us to become more productive, efficient and effective. But at the same time, our reliance on computer systems exposes us to complex cybersecurity risks.
The reliance on information and communication technology (ITC) exposes businesses to complex cybersecurity risks and for SMB CEOs these risks are not just a technology issue, but a threat to the viability of the business. Consider how a ransomware attack can bring a business to a grinding halt, potentially unable to serve customers, process financial transactions or manufacture products for days or even weeks, while its systems are being restored.
Consider the consequences of a data breach, where a hacker steals customers’ personal data. At worst, such an incident can leave a business’s reputation in shreds, facing legal action from customers, as well as fines from the regulators. Depending on the entity’s health, such an incident could even be the death blow for a business.
For hackers and malware authors, SMBs are, if anything, more attractive targets than large enterprises, because they don’t have the same level of in-house skill or as large an IT budget for security. Some cybercriminals see SMB businesses as easier pickings than, for example, a bank that is locked down tighter than Fort Knox. Thus, SMBs cannot afford to be complacent in the face of the multiplying threats they face.
Before we’d even heard of COVID-19, cyber-threats such as malware and social engineering scams were growing in number and sophistication. Unfortunately, in their haste to prepare for the hard lockdown in 2020, many SMBs took shortcuts to get digital platforms up-and-running. The wake of the pandemic has exposed new vulnerabilities in SMBs’ infrastructure, because of this accelerated move to digital channels, cloud apps and work-from-anywhere, which widened the already existing security gaps.
Companies that originally designed their IT security for an office-bound workforce are now supporting many employees working from home on non-trusted networks and consumer-grade devices and apps.
At the same time as businesses retool their cybersecurity processes and tools for a more decentralised workforce, SMBs face a new breed of security threat. Today’s easy-to-use malware tools have made it quick and simple for cybercriminals with limited technical skill to launch low-risk, high-reward attacks. SMBs with looser security and slipshod data backup processes are particularly vulnerable.
Social engineering scams are also proliferating because they are cheap, easy to launch, and relatively low in risk for the perpetrator. Cybercriminals use elaborate phishing emails or even convincing, personalised phone calls to convince people to give them their access credentials or to run a malware-infested file on their computers.
Another gamechanger is the advent of tougher data privacy and protection regulation with laws and regulations such as South Africa’s Protection of Personal Information Act (POPIA) and the European Union’s General Data Protection Regulation (GDPR). This new regulatory environment means that businesses may face serious legal and reputational consequences for not locking down their data.
As these trends show, SMB CEOs cannot afford to be complacent about cybersecurity. It’s also clear that the information security models of the past will not be enough to address today’s threat landscape. There is more to getting this right than purchasing antivirus software or installing a new firewall—in fact, it’s as much about the people as the technology.
A good starting point to improve information security is to get back to basics and audit the business’s security practices and environment, to assess if they are appropriate for today’s risk landscape. In the absence of inhouse skills, many SMBs may need to turn to external service providers for advice. A cybersecurity expert can offer guidance about legal and regulatory obligations, as well as conduct a risk assessment of the entire environment.
In addition, we recommend identifying champions in the business to take responsibility for the top risks. This shouldn’t only be a job for the CIO—risk management, finance, compliance and human resources could all have key roles to play. Collaborating with the business can help an SMB’s IT team create solutions and approaches specifically tailored to business risks and needs.
As a company shapes their security blueprint, the three Ps of People, Policy and Process, should arguably take precedence over technology. The reason for this is that most information security breaches are human failures—caused by complacency, ignorance, laziness, occasionally malice—rather than technology failures. Policy and process help to keep a company’s people on the virtuous path.
Human errors are the cause of most security incidents—simple things like using a weak password, accidentally emailing information to the wrong person, or failing to patch machines with the latest updates. Security policies address this by codifying the rules people need to follow, such as the strength of their passwords or whether they need to connect via secure VPN when working remotely.
Security policies also guide users regarding what they should not do, for example, use unauthorised services and apps; install unsanctioned browser extensions; or share their passwords with someone over the phone or via email. Some policies such as password complexity and length can be enforced via security policies in software, but others depend heavily on end user buy-in and compliance.
With a larger cohort working remotely, policy and end-user training are more important than ever. They strengthen the human firewall by ensuring that each team member understands what’s required of them. This isn’t a simple matter of drafting and socialising a policy once—continuous training will prevent complacency from setting in and keep everyone up to speed with the latest threats.
Forward-thinking IT departments will make security as easy and invisible to the end-user as possible. Security processes that are too cumbersome can hamper productivity and may cause users to opt for shadow IT instead of using authorised company resources. Successful cybersecurity will thus balance the security imperative against the end-user’s productivity and experience.
SMB CEOs traditionally viewed cybersecurity in the same light as insurance or armed response—a grudge purchase that they couldn’t avoid. It’s worth remembering that a flexible but strong cybersecurity posture enables a business to become more resilient, deploy new ways of working, and interact with partners and customers via digital channels. Thought of in that light, cybersecurity isn’t just about mitigating business risk—it is also about expanding business opportunities through digital transformation.
In the work-from-anywhere world, organisations need a cybersecurity model that can protect people, devices, applications, and data wherever they are located. The approach that many enterprises are embracing is called Zero Trust. Rather than supposing everything behind the firewall is safe, Zero Trust always verifies each request as though it originated from an uncontrolled network. According to Microsoft5, the guiding principles of Zero Trust are as follows:
To be effective, a Zero Trust approach needs to extend across the entire IT infrastructure and serve as an integrated security philosophy and end-to-end strategy. Rather than focusing on an attack surface, Zero Trust focuses on the “protect surface,” which includes everything the organisation must protect from unauthorised access.6
The Zero Trust model also breaks corporate infrastructure and other resources into small nodes, which can be as granular as one device or application. Each of these small perimeters will have its own security policies and access permissions, allowing flexibility in managing access and enabling companies to block threats from spreading within the network.
As Kaspersky admits, the transition to Zero Trust may be complex and lengthy for some enterprises. If employees use both office equipment and personal devices for work, all equipment needs to be inventoried, then policies need to be configured. This can be a time-consuming process. And older hardware and software may not be suited for Zero Trust.Zero Trust will thus be a journey spanning years for most companies, but now is still a good time to get started.
Frontier technologies like AI, robotics, quantum computing, the ever-evolving adoption of the Internet of Things, cloud computing, blockchain and remote working/distance learning models represent the future of our digital world. The potential cyber risks and vulnerabilities of these new technologies should be on the minds of every leader when considering technology adoption and implementation.
Nearly half (48%) of the World Economic Forum’s Cyber Outlook survey respondents say that automation and machine learning will introduce the biggest transformation in cybersecurity in the short term future. Indeed, leading cyber expert Bruce Schneier, Lecturer in Public Policy, John F. Kennedy School of Government, Harvard University, USA, agrees that techniques from artificial intelligence will permeate all aspects of cybersecurity, both in attack and defence. According to him, these techniques will almost certainly upend the traditional imbalance between attack and defence. The problem is that we do not know how, and we do not know when…
While we cannot fully prepare for various potential scenarios on how technology is and will influence and change our lives or become a potential avenue to be exploited, the challenges pointed to here are something we need to at least think about. The less we are surprised by these developments, the better off we will be as a society.
From the World Economic Forum Global Cybersecurity Outlook 20227
References
[1] Cyberattacks: South Africa, You’ve Been Hacked, Daily Maverick, November 6, 2021.
[2] Cybersecurity is the Top Business Risk in 2022, VentureBurn, February 3, 2022.
[3] Ninety-seven Percent of SA IT Professionals Say Their Environments Don’t Prioritise Cybersecurity, ITWeb, December 14, 2021.
[4] Extortion Payments Hit New Records As Ransomware Crisis Intensifies, Palo Alto Networks, August 9, 2021.
[5] Zero Trust Guidance Center, Microsoft, February 9, 2022.
[6] Never Trust, Always Verify: The Zero Trust Security Model, Kaspersky, July 30, 2020.
[7] Global Cybersecurity Outlook 2022, World Economic Forum and Accenture, January 2022.