Date: 2024-06-04

Mauro Marsala, Technical Consultant, Data Sciences Group.

Joseph Sullivan was an ambitious technology executive who rose to lead security at the massive ride-hailing service Uber. Yet his name has gone down in history for a very different reason.

In 2023, Sullivan became the first business executive jailed for covering up a cyber attack at his company. The details behind this case are layered and convoluted, and Sullivan was possibly even a fall guy. Nonetheless, a US Federal Court made an example of his attempts to hide the breach and failure to report it to authorities.

Yet he is not an outlier. Underreporting of cyber attacks is a big problem. While there are few statistics to reveal this trend, experts generally agree that most companies do not report when cyber criminals have successfully attacked them. Available research reflects this view: the FBI's 2018 Crime Complaint Center statistics estimated that only 15% of victims report attacks against them. One can also infer the gap from other statistics: even though ransomware attacks have increased by 95% in 2023, only a few thousand companies have reported such attacks.

South Africa is part of this trend. The Global Cyber Crime Density Index ranks SA fifth in terms of attacks, and underreporting undermines both accurate statistics and the sharing of valuable information that could curtail future attacks.

Why do companies not report such attacks? The most common reason is that they are embarrassed, says Mauro Marsala, Technical Consultant at Data Sciences Group: "Once our data has been breached or compromised, we are often embarrassed and, therefore, secretive in sharing that a crime took place, let alone how it happened, what was lost and the financial impact suffered."

Embarrassment weakens security

Companies also avoid reporting cyber attacks for other reasons, such as reputational damage or the fear of fines. Many jurisdictions, including South Africa, can harshly penalise an organisation if it fails to put sufficient security measures in place before an attack. Employees sometimes hide the attacks or are instructed by management to keep the information inside the organisation.

When polled anonymously, a substantial number of those employees express guilt about not reporting. This makes sense, as underreporting tends to strengthen criminals, says Marsala: "When we have had physical property stolen or damaged, we are comfortable sharing the modus operandi used by the criminal. We share the security measures we had in place, how they were breached and which ones were ineffective. We are usually quite comfortable disclosing when a crime took place due to our lack of awareness or negligence. We will even share losses we experienced, including financial, and their impact on our well-being. This information-sharing is often incredibly beneficial as it highlights methods criminals employ and the weak points in our security systems and strategies."

The same dynamic applies to cyber crime, and so does the damage of underreporting. In fact, given cyber crime's faster and more innovative nature, not sharing information is far worse. Yet many companies decide to stay quiet, often for one underlying reason: they weren't prepared and hadn't made the right security investment choices.

Ensuring better security

Becoming the target of cyber criminals is almost inevitable. But there is a habit of mythologising those criminals as super-smart social rejects in hoodies, fighting the system with a counter-culture attitude. The truth is much more banal.

"Cyber criminals are like any other criminal. They are opportunistic and want high rewards for low risk. Attacks that are very planned and highly targeted are rarer than we think. Most simply look for soft targets where there are gaps in security, such as unpatched systems or staff not trained with basic security awareness. A very common way to become a target is to under-invest in the right security. For example, many companies neglect to add data protection infrastructure, which, ironically, protects organisations during times of breach and data loss," says Marsala.

He cautions companies not to simply evaluate and buy security systems that seem to plug holes. Instead, they should work with a good security provider using proven vendor products that align with a good security strategy, the latter focusing on an organisation's different cyber risks. Doing so will hinder attackers, shrink attack surfaces and reduce downtime and embarrassment if an attack is successful.

Companies can also apply proven security habits:

Never store credentials and infrastructure information on a spreadsheet or Word document.

Limit access to data management infrastructure – not everyone needs to be an administrator or super-user.

Limit network and application-level access to only required ports, processes and systems.

Ensure infrastructure is regularly patched and updated at the operating system and application levels.

Implement multifactor authentication for all users.

Segregate duties requiring authorisation/approval to modify or delete backup data.

Store a copy of backup data with an air-gap solution in place.

Enable data immutability, removing the ability to modify or delete data.

Secure data protection applications per vendor best practices.

Secure the data protection application database and replicate an inaccessible copy to an offsite location.

Assess recovery processes and plans often, ideally monthly.

When companies embrace security best practices, they achieve two things: they reduce their cyber and punitive risks, and they can face breach attempts with much more confidence. Armed with this attitude and working with trusted security partners, they establish channels to share valuable security information.

"By perpetuating the stigma attached to data breaches and cyber attacks, organisations inadvertently continue to play into the hands of threat actors, as their modus operandi remains clandestine," says Marsala. "Instead, let us encourage open and frank discussions on this topic and begin to share information on the strategies that threat actors used and strategies employed to thwart the attacks. By doing so, organisations will be better equipped to protect themselves and limit the target size of a cyber attack."