Thokozile Mahlangu, CEO IISA
If there was ever any doubt that COVID-19 and the rapid transition to remote working proved to be a fertile breeding ground for cybercriminals, and ultimately led to an exponential surge in cybercrime incidents, the figures speak for themselves.
In March this year, cybersecurity firm Surfshark released a report that revealed that South Africa ranked sixth in the world in terms of cybercrime density, rising from 11.8 cybercrime victims per one million internet users in 2016 to 14.1 victims per one million in 2019 and 50.8 per one million users in 2020.
It was also found that in 2019, the number of data breaches in South Africa increased by a startling 490% from 2018. It is suspected that this spike might also have led to the growth in cybercrime in 2020, with breached data used in phishing attacks, government impersonation scams and/or identity theft.
The massive pandemic-driven transition to working from home led to an unprecedented uptake of cloud-based collaborative solutions, and a huge increase in the number of resources that were suddenly being accessed through corporate virtual private networks.
The abrupt nature of this shift resulted in many organisations adopting cloud computing solutions and services without the requisite cybersecurity measures. This increased their attack surfaces and exposed them to threats as workers logged in through unsecured networks and personal devices.
Obvious gaps
According to the 2021 Data Risk Report by Varonis, the risk increases exponentially when companies have obvious gaps like passwords that never expire and folders containing sensitive data open to every employee.
On average, a financial services employee has access to nearly 11 million files the day they walk in the door, while for large organisations the number is double: 20 million files open to all employees. This is quite an alarming statistic for organisations.
In essence, easy access to volumes of sensitive data means that an increasing number of organisations are exposed to a wide range of cyber risks, including data theft, ransomware and corporate espionage. In many cases, companies may not even be aware of the risk or the degree of their exposure.
With cyberthreats growing fast in both frequency and sophistication, there is perhaps no better time for companies to start focusing on their cyber risk and how to mitigate it. A good place to start would be to develop a sound understanding of cyber risk and to know how and where your business may be vulnerable.
What is cyber risk? Cyber risk commonly refers to any risk of financial loss, disruption, or damage to the reputation of an organisation, resulting from the failure of its IT systems. It is a misconception that only large enterprises are at risk. The fact is, all types and sizes of organisations are at risk.
Essential component
In a report titled Safeguarding against cyberattack in an increasingly digital world, research consultancy McKinsey states that cybersecurity should be central to every strategic decision and an essential component of every IT product within an organisation. Cybersecurity initiatives should be prioritised based on business-risk scenarios.
It also recommends that a company should build an IT architecture and operating model that best supports its growth, digitisation and business model. In reviewing cloud architecture, it is important to first understand what data is being put in the cloud now and to minimise the presence of sensitive information in the cloud.
In short, organisations need to adopt a cybersecurity-first culture to make cybersecurity a critical component of the organisation’s values and ethics. Employees must understand and prioritise cybersecurity just as they value brand reputation, customer satisfaction and sales.
With cyber risk growing as cybercrime evolves, it is becoming increasingly important for organisations to adopt a system of precautionary cybersecurity measures. However, while risk management is critical, it is also not a guarantee against cyberattacks. These days, security experts caution that it is not a matter of if, but when, an organisation suffers an attack.
Thus, consider adding cyber risk insurance to an insurance policy, which can provide expert services to help handle the fallout of a privacy breach, along with coverage to help organisations recover in case a cyberattack brings their operations to a grinding halt.