How vulnerable is South Africa to cyber attack?
The problem of cyber security has never been more pressing, as more of the world's systems are connected.
It does not take too much of a stretch to imagine the widespread disruption of a country's infrastructure if these systems become inoperable. The Internet of things, too, offers new threat vectors.
Craig Rosewarne, MD of Wolfpack Information Risk, knows the cyber risk South Africa faces better than most. He has had almost two decades of experience in the cyber security field, and will convene a panel discussion at ITWeb Security Summit 2019, which is on from 27-31 May at the Sandton Convention Centre.
The panel (on 28 May, day one of the conference programme) will feature cyber security and regulatory specialists from the public and private sectors, as well as representatives from the banking and telecoms industries.
So, where does Rosewarne see our national risk level?
"It's pretty shocking," he says, "if we have to be brutally honest.
"From a strategic point of view, our country is very vulnerable. I was hoping things were going to get better over the years with POPI and the Cyber Crimes and Cyber Security Bill, but it hasn't."
In the private sector, he says cyber security is now "bubbling its way to the top" and is listed in the top three, or five, chief concerns of the enterprise.
In government, meanwhile, "we're not seeing that same urgency".
He says he is interested in what cyber security measures the members of his panel are going to be implementing in the next six to 12 months.
"I'm then going to ask their permission for the community to hold them accountable, so that in six months' time we can get together and look at what's been done."
Waiting for the attack
It is often said that, at the minimum, an organisation should have better cyber security than its peers. Rosewarne says this attitude is not particularly helpful, and suggests a move to a more proactive stance.
"At the moment, we're totally reactive. We just sit, and wait."
He says unless it's a high-profile case, such as Liberty in June 2018, many breaches simply get 'swept under the carpet', and not mentioned outside of the company. He would like to see a lot more sharing of information among peers, especially around how criminals gained entry into the organisation's systems.
There are currently no statistics around the number of attacks, and very little in the way of proactive warnings.
The only sector which is getting this right to a certain extent, he says, is banking, mainly through the South African Banking Risk Information Centre. He also says there is some work being done in the insurance and education sectors.
It still, however, remains a vexed area, as many organisations are a "bit sensitive" about sharing this kind of information, fearing it may be used against them.
So, what's the solution? Rosewarne uses the analogy of a neighbourhood's WhatsApp group, and suggests organisations will be better served if they are better informed.
"We should be having a similar mindset in our security community, where we look out for one another, and we help one another, and not keep everything so close to our chests."