In the World Economic Forum’s (WEF’s) Global Risks Report 2019, “technological instability” was a highlighted risk – with “massive data fraud and theft” ranked the number-four global risk (over a ten-year horizon) and cyber-attacks coming in at number five.
Within the annual report’s Global Risks Landscape quadrant, cyber-risks were positioned alongside environmental risks in the high-impact, high-likelihood quadrant.
In other words, there is good reason to be very concerned. While some onlookers may be sceptical, this is far from mere academic hysteria.
Looking at the magnitude of cyber-attacks and data breaches that occurred in 2018, the global cyber threat has become a very ugly reality.
Indeed, the WEF report pointed to examples such as the Indian government’s ID database, Aadhaar, which suffered multiple breaches that potentially compromised the records of all 1.1bn registered citizens.
Outside of that, personal data breaches affected around 150m users of the MyFitnessPal application and around 50m Facebook users.
2018 also marked the year in which the cyber threat moved beyond software and into the insidious realm of hardware: the Meltdown and Spectre threats involved weaknesses in computer hardware that potentially affected every Intel processor produced in the last ten years.
In SA, experts are warning that the threat has never been this severe – with businesses of every size across sectors at risk of being compromised by increasingly savvy cyber criminals.
According to the South African Banking Risk Information Centre (SABRIC), SA currently has the third-highest number of cybercrime victims worldwide – with the country losing an estimated R2.2bn a year to cyber-attacks.
From January to August 2018, SABRIC reported that cyber and digital banking crimes resulted in over R183m in losses, with mobile banking losses increasing by 100%.
Online banking scams resulted in the biggest loss (R89.3m) during that period, the organisation stated.
These statistics might just be the tip of the proverbial iceberg. Most local experts very quickly point out that the majority of cyber-attacks on small, medium and micro-sized enterprises (SMMEs) go unreported.
As a result, there is no reliable way of measuring how much damage, whether financial, reputational or otherwise, is really being done.
“Cybercrime is still massively underreported in South Africa,” says Aaron Thornton, MD of Dial a Nerd, a local IT consultancy.
“Other countries have hotlines and initiatives to try to keep track of hits.
We don’t have that, and no one is reporting breaches to the police.” According to Thornton, this can be attributed to a fundamental lack of trust in local authorities.
Companies and business leaders are afraid that if they do report cybercrimes to authorities, they will not remain anonymous.
The reputational risk thus outweighs everything, because, the thinking goes, if customers were to find out about a breach, the business would face ruin.
“As an IT consultancy to SMMEs, our customers are approaching us for help out of sheer desperation,” Thornton adds.
“We’re not an IT security company, but SMMEs see almost no other avenue for assistance, because they cannot afford the services of the major IT security companies and they won’t go to the police. Local SMMEs are being inundated with cyber threats and scams, almost daily, but there is no support or accountability for businesses of this size in South Africa.”
Social engineering and ‘sextortion’
At the SMME level, the threats come largely in the form of phishing, whereby criminals attempt to trick unsuspecting individuals into clicking on a malicious URL or email attachment to steal their login details – which they can then use to gain unauthorised access to the victims’ financial accounts or internal company networks.
“Businesses with fewer than 500 employees are substantially more affected by a range of cyber-attack techniques, including email malware, ransomware and simple phishing than their larger counterparts,” notes Graham Croock, director of BDO IT Advisory Services at BDO South Africa.
Increasingly, today’s phishing attacks involve some form of social engineering, whereby hackers glean personal information from social media accounts such as LinkedIn and Facebook to lend some ‘credibility’ to the attack.
Simply by scanning your social media accounts, hackers will obtain details such as your birthday, your friends’ names, your company and your location.
In 2018, local SMMEs faced an uptick in what has been dubbed ‘sextortion’ attacks and scams – where hackers claim to have browsing history, videos or images of a sexual nature and threaten to expose victims online.
To avoid the potential humiliation, individuals are tricked into paying hefty fines or revealing sensitive financial information.
‘Cyber hurricanes’ on the rise
For larger businesses and blue-chips, the presence of sophisticated internal IT security teams and high-end technology means that they are less vulnerable to phishing scams, sextortion and ransomware.
However, as Croock points out, they remain highly vulnerable.
“Cyber incidents through events such as WannaCry and Petya ransomware attacks brought significant financial losses to many larger businesses – and SA businesses were not left unscathed,” he says.
In October 2018, more than 30m South Africans’ personal information was exposed online in what is considered to be the country’s biggest data breach.
The potential for so-called ‘cyber hurricane’ events to occur, where hackers disrupt larger numbers of companies by targeting common infrastructure dependencies, will continue to grow in 2019.
Leaders ‘in denial…’
What does it all mean for businesses – and where to from here?
The first step is acknowledgement of the risks. Until business leaders take this step, they will underinvest in the right tools and solutions. “SA boards are in denial and not allocating sufficient funding and budget to awareness and cyber security,” says BDO’s Croock.
Business leaders are not preparing for more advanced and complex attacks by sophisticated criminal syndicates and they do not take time to understand threat monitoring and intelligence.
In addition, businesses are under-insured against cyber risk and are confusing cybercrime with normal business interruption.
Rudi Dicks, director of The Cyber Academy, echoes this sentiment, highlighting two major mistakes business leaders are making.
The first error is having a mentality of ‘this won’t happen to me’, and that criminals are only focused on banks, he says.
“We don’t think this way about physical security, so it doesn’t make sense when it is much safer for a criminal to be on the other side of the world, safely behind a computer, rather than to put his life at risk by robbing with a firearm. The other mistake is over-investment in technology without giving any thought to education and procedure.”
Education is paramount
Without doubt, employee education is the most critical part of any IT security equation.
“It is commonly understood that staff are, and will always be, the weakest link in the cyber security chain,” says Dicks.
“Why would a criminal try to defeat strong security technology protecting a company when they can mislead a user into giving them full access to the network through the authorised user’s machine?
Staff awareness training is critical in a solid security posture and allows users to identify many potential attacks.”
Beyond that, companies can ill afford not to recruit expert help and assistance.
“For businesses, it is critical to get an independent assessment of the cyber risks facing the company, and then tackle the high-impact and high-probability ones first,” notes Craig Rosewarne, MD of Wolfpack Information Risk.
Looking ahead, businesses are also coming under increasing pressure from government to protect and properly manage customer data.
Notably, the Protection of Personal Information Act 4 of 2013 (PoPI) is forcing companies to rethink their data management frameworks and strategies.