One doesn’t have to wait too long before a story about a cyber attack hits the news cycle.
Just last month, South Africa’s Armscor saw its Purchasing and Invoicing part of its website breached – which led to all of its clients being exposed. Before that a number of South African websites who were breached, allegedly by Anonymous as part of the hacktivist group’s OpAfrica mission.
These kind of attacks are destined to become more common as hacking tools become simpler and easier for more people to use. With regards to cyber attacks, South Africa in particular has a rather unique problem in that there aren’t enough qualified people in the country to act as cybersecurity officers.
“There are too few professionals in the cyber security business. Up until 2019, there will still be a shortage of skills in the enterprise space,”said Mark McCallum, chief technology officer for Orange Business Services, during the IDC Security Roadshow in Johannesburg. “I understand that some companies can’t afford to invest in a full blown solution – but they still have to do something.”
McCallum says that the lack of cybersecurity professionals in South Africa is compounded by the fact that those who train in this area don’t always stay in country.
“Retaining the cybercrime skills in South Africa is very difficult, as there needs to be a balance between training, and then putting those skills into practice,” he said. “Also, there needs to be an evolution in one’s career as well.”
Training, MacCallum said, is all well and good, but trainees need practical experience as well – and that is challenging. He added that Orange operates a bit differently, as it has a massive global scheme for staff retention, but even that isn’t enough to stop the departures as “some skills will leave SA”.
Even though the people with the right skills are leaving the country, McCallum said that at least cyber risk awareness is on the rise – which is always a good start.
“Digital transformation is also playing a huge role in businesses today, as many things are not part of an office or corporate environment anymore,” he said. “But sadly cybercrime is a lucrative business, and everybody is exposed to threats.”
According to Trevor Coetzee from Intel South Africa, there are 1.3 million security jobs that are unfilled across the world, with 62% of companies being understaffed.
“The average cost of a breach is around $3.7million, and annually the global cost of cybercrime is $618 billion. To make matters worse, the average time it takes companies to detect a breach is up to 98 days,” Coetzee said.
Adding to what McCallum said, he added that even if companies don’t have a fully trained cybersecurity expert on the payroll, there are still steps companies (and especially smaller businesses) can take to minimise the risk of being hacked or breached.
“People need to get the basics right, and people need to understand where to go and what to do when something goes wrong. Adding to that, companies need to be in sound governance and environment,” he explained.
That is good advice, but he went one step further, by saying that companies need to keep an ear on the ground, and anticipate that they might be hit by new threats that are out in the market, even though they haven’t been hit before.
The stats don’t lie; during the IDC Security Roadshow, Checkpoint pointed out the evolution of malware, and 25 years ago it was mainly just firewall breaches and worms. But over the course of two decades, things have progressively gotten worse.
Malware of some kind is downloaded to a corporate machine every 34 seconds around the world, and there are 125% more social media phishing sites than last year. The evolution of malware has kept its pace with technology, but some companies and security solutions have not.
“Security failures by companies and corporates include inefficient security teams, procuring new technology which they don’t know how to protect, or simply the short-lived efficacy of their chosen protection,” Coetzee said.
He urged companies to take a long and hard look at their solutions, and even though the country has a shortage of cybersecurity experts, it doesn’t mean that they shouldn’t adapt.
“Security needs to adapt to the new technology that is in the world. Companies need to use elastic technology that can be moved to the cloud, which is a sustained advantage, and more strategic. It’s the basics, and you also need to protect and safeguard your vital data,” Coetzee concluded.
[Image – CC by 2.0/Tim Reckmann]