Cyber-attacks are as old as technology itself. But even as organisations implement better ways to safeguard themselves and their data, malware evolves to become more sophisticated. The reality is that breaches will happen. How well the organisation can mitigate those risks in an always-on environment is what will become the differentiator.
In the past, companies were mainly concerned about protecting themselves against viruses that would slow down corporate desktops and networks. Computers were typically patched monthly with attacks occurring at a slow pace. Today, the real-time environment of the digital era has seen this change significantly. Companies are under constant pressure with patches needing to be implemented on a virtually continuous basis. User education is more important than ever, with it becoming a constant ‘us versus them’ battle.
According to the PwC South African Crime Survey 2016, 32 percent of local organisations reported having been victims of cybercrime (the same as the global average). Perhaps more critically, only 35 percent of organisations have a cyber incident response plan in place. This is perhaps a result of the fact that only 48 percent of board members request information about the state of cyber-readiness at their company.
More recently, local data centre operator Hetzner was hacked with the organisation advising its clients to change their passwords immediately. With information such as customer contact details, domain names, FTP passwords, and bank account details being exposed, the organisation suffered significant reputational damage.
A matter of compliance
Given the rapid rate of attacks, it is no wonder that organisations are struggling to keep their systems up to date with the required security measures. From a consumer perspective, there is concern about the safety of data (both personal and corporate) and what the risks of it being compromised are.
With the Protection of Personal Information Act (PoPI) coming into law next year, government is driving regulation to ensure that end-users have recourse when this happens and when their data is used for purposes other than those for which they gave explicit permission. Even though there is a 12-month grace period for organisations to comply with PoPI, the pressure is only going to accelerate, as fines and business risk will likely escalate quickly.
PoPI will help ensure that the security of data becomes a strategic priority. It is anticipated that user education (across both corporate and consumer spheres) will be a big contributor to awareness of the Act and to its effective implementation. Organisations therefore must implement business continuity and disaster recovery plans that complement their cyber security measures so that their systems can withstand attacks. Failing that, they must be able to recover quickly when the inevitable occurs. Lost data or a considerable period of downtime are not options in an always-on world.
Spotlight on privacy
Even in Europe, the pending enforcement of the General Data Protection Regulation (GDPR) is putting the focus firmly on end-user privacy and data ownership concerns.
It will no longer be sufficient to depend upon cloud-based services providers to ensure customer privacy, or for existing security implementations to enable data ownership and privacy rights. End users and customers will demand the right to be forgotten, the right to be informed of data breaches, and the right to withdraw consent. These demands will put a focus on data ownership and privacy rights.
So, whether it is in Africa or outside of it, companies need to realise the importance of taking the measures needed to mitigate any risks associated with data breaches and potential security holes.
Follow Claude on Twitter, where he regularly comments on issues affecting corporate IT.