Recent headline-grabbing attacks like those at Sony Pictures may seem a faraway problem for many African companies. But Technology, Media & Telecommunications leader for Africa at Deloitte, Mark Casey, says cyber criminals are getting smarter and know no boundaries.
Companies in Africa therefore need to raise their preparedness, as the growing use of smart technology across the continent is increasing the risk of attacks.
A survey by Deloitte and Efma this year has one emphatic result: cyberattacks are considered an international issue by 99% of the major companies around the world. Both intermediate-level (IT and operation managers) and high-level (CEO) respondents have seen the number of cyberattacks increase this year (according to 31% of respondents). And the majority of the respondents believe that the exposure of their companies to cyberattacks is medium (45%) or high (35%).
While a skills shortage is not helping get to grips with the problem in Africa, Mr Casey says complacency is not helping either.
“Most South Africans are under a bit of an illusion about this wave of interconnectedness and the risks that this brings – these risks are with us right here and right now,” he says.
This is not out of ignorance, or because it is unimportant. “The mechanisms to attack companies are increasing at an exponential rate and companies need to be much better at anticipating and detecting these attacks,” says Mr Casey.
The Cisco 2014 Annual Security Report says the Middle East and Africa region is posting strong adoption of smart devices, which are set to grow from 133 million in 2013 to 598 million in 2018. All the while, total global threat alerts are increasing at rates of about 14% year on year.
And Aon says it is estimated that over 70% of South African businesses are significantly unprepared for cyber liability risks.
While the recent high-profile attacks on big-name companies by foreigners have prompted increased cyber security initiatives to protect consumers in some countries, the costs for companies are on the rise, including via the reputational damage they suffer.
Insurer Lloyd’s has, according to Fortune, estimated that cyberattacks cost businesses $400 billion a year, including the damage itself and the subsequent disruption to the business. The Lloyd’s Risk Index 2013 had heralded cyber risk as the third biggest threat for global businesses – behind high taxation and loss of customers, but ahead of 47 other major risks that range from droughts to riots and civil commotion.
While some of the respondents (approximately 20%) in the Deloitte survey did not provide information regarding the budgeting of cyber security, those who did provide this information stated that no more than 10% of the IT budget is committed to cyber security.
Mr Casey says the solution won’t necessarily be found by waiting for regulators to catch up. The South African government has been criticized for dragging its feet on implementing legislation that improves co-ordination by government on cyber security and encourages co-operation between the government, private sector and civil society.
The Depository Trust & Clearing Corporation (DTCC), the premier post-trade market infrastructure for the global financial services industry, recently announced that almost half of the respondents (46%) in its most recent Systemic Risk Barometer Study cited cyber security as their top concern and 80% of respondents rated it as a top 5 risk overall.
“What is becoming abundantly clear is that preparedness to spot and close down these attacks is paramount and companies need to make this ability their front line of defence,” says Mr Casey.
In most international as well as local cases, the issue that has caused organisations significant reputational damage is not detecting that a breach or incident has occurred and then, once it is detected, not following regulatory requirements with the necessary haste. Organisations must have a detailed incident management plan that sets out the steps that need to be taken internally to contain the threat, as well as the management of the organisation’s clients, along with the reporting required for regulators.
South Africa has been involved in developing cyber security legislation with the European Union over the last year, where we are aligning ourselves with the European directives in this regard. Thus organisations will certainly need to start paying attention to the manner in which they mitigate the cyber security risks facing them.
“Organisations need to develop threat awareness throughout their processes and develop the capacity to detect patterns of behaviour which may anticipate, or even predict, the compromise of critical assets. It’s also a great test of leadership in the fields of market communication and decisiveness,” concludes Mr Casey.