More than half of South African corporates have admitted that they don’t have a plan in place to tackle data security breaches, while a similar number believe their firms are vulnerable to a cyber attack and a third are expecting one within three months. That’s according to an independent study commissioned by VMware South Africa and published last night which found that addressing IT security issues within South Africa’s largest corporations is not a serious business priority for many of them.
The study surveyed 103 executives from South Africa’s biggest corporations as part of a greater international study made up of over 1100 executives worldwide. The companies polled all have over 500 employees each and generate between $500m and $500bn in revenue.
World Wide Worx’s Arthur Goldstuck, who presented the South African portion of the research, said that the single most significant finding was that 49% of the surveyed SA IT decision makers believe their organisation is vulnerable to a cyber attack.
Fail to plan, plan to fail
The study also found that 52% of respondents said that there is either no plan within their overall business strategy for addressing a security breach, or that if there is one, only a small number of people within their organisations are aware of what it is.
This is despite the fact that 17% of the South African IT decision makers surveyed said they expect online attacks to happen to their companies within the next 90 days.
The survey highlighted a significant disconnect between IT and C-level executives, which leaves the impression of those executives being rather in the dark when it comes to IT security in 2016. It’s an impression emphasised by the fact that only 5% of surveyed C-level execs agree with IT leaders that IT security should be the number one corporate priority. 16% of respondents went so far as to say they don’t believe their company’s board or C-level execs give enough time and attention to cyber security issues.
“With the vast amount of data available on information security threats, there is no excuse for ignorance or inactivity,” Goldstuck said. “Yet, that’s what we still see in a small but significant number of corporations. At the very least, any sizeable company should have a set of security measures, protocols and responses that is as much part of the company’s DNA as is its marketing strategy or legal compliance policy.”
Not the case
But that is clearly not the case in South Africa. Even our biggest companies aren’t keeping up with IT security trends; the report showed that some are even reducing spending on what should be considered essential security components like threat monitoring, penetration testing and encryption.
The need for heightened security is compounded by the increasingly complex business technology landscape.
“Today’s most successful organisations can move and respond at speed as well as safeguard their brand and customer trust,” said VMware’s Matthew Kibby. “With applications and user data on more devices in more locations than ever before, these companies have moved beyond the traditional IT security approaches which are increasingly less able to protect the digital businesses of today.”
Companies that don’t have measures in place to deal with data breaches could also find themselves in trouble under new legislation like the Protection of Personal Information Act (POPI), which is yet to come into force, and the proposed Cybercrimes and Cybersecurity Bill currently under consideration.
A bit of a re-think
The “beyond” that Kibby referred to is essentially a newer way of approaching any big organisation’s IT security. It’s a “re-think” of security for the modern age, taking what he called a “software-defined approach to IT that embeds security into the applications and network”.
VMware used the report to plug its offerings like NSX, a software-based network virtualisation tool that gives IT teams fine control, from a central location, over every aspect of the corporate networks they manage. Doing that would address several of the issues raised in the research report, most notably by providing the needed security without costing the earth to implement, as it does not require any new hardware investment.
[Main image – CC 2.0 BY ND Danny Oosterveer]