New research: budget pinch undermining organisations' ability to protect against cyber threats
Underfunding of critical cyber defences is leaving South African organisations exposed to increasingly damaging cyber attacks. In fact, new research has found that 97% of South African organisations say they have been negatively impacted by a lack of budget for their cyber resilience efforts.
The latest Mimecast State of Email Security 2022 report, which tracks responses from 1 400 IT and cyber security professionals in 12 countries, found that South African organisations allocate on average 12% of their IT budgets to cyber resilience – below the global average of 14%.
While this may not seem like a big difference, what is interesting is that more than half of SA respondents (53%) have less than 10% of their budget allocated to cyber resilience, compared to only a third (34%) saying the same globally.
On average, South African security professionals say they need a 21% budget allocation to enable them to ward off incoming cyber attacks and other threats – especially at a time when nearly all cyber attack types are growing in volume and sophistication.
SA firms face escalating cyber attacks
"Ninety-four percent of South African companies have been targeted by an e-mail-related phishing attack in the past year, with nearly two-thirds citing an increase in such attacks," says Brian Pinnock, cyber security expert at Mimecast. "The costs of ransomware attacks are also piling up, with three in five organisations (60%) citing damage from a ransomware attack – up from less than half (47%) in 2020. And of companies paying the ransom, the average ransomware payment breached R3.2 million (Mimecast State of Ransomware Readiness report), despite nearly half (43%) of such payments resulting in companies being unable to recover their data."
The impact of successful cyber attacks on South African organisations can be severe, affecting productivity, taking critical systems offline, damaging trust with customers and leading to loss of reputation. To protect against attack, 89% of companies either have a cyber resilience strategy or are actively planning to put one in place.
Lack of cyber resilience hurting companies
"[But] the goalposts for true cyber resilience have moved just as the volume and sophistication of attacks have changed," explains Pinnock. "Only a third of organisations we surveyed stated they currently have an effective cyber resilience strategy in place, down from 41% in 2021. This points to growing recognition that corporate cyber resilience is often not keeping pace with the tools and techniques used by threat actors."
The costs of a lack of cyber resilience preparedness are mounting: nearly half (49%) of organisations experienced business disruption due to a lack of preparedness, 48% experienced data loss and 42% saw an impact on employee productivity.
Cyber security conversation must enter boardroom
"There is an important conversation to be had in the boardrooms of corporate South Africa," says Pinnock. "Without adequate budget allocation, our public and private sectors will continue to be vulnerable to attack, at great cost to organisations and their customers."
Pinnock points to the extensive downtime suffered by South African victims of cyber attack over the past year as a motivating factor for assigning additional budget towards cyber defences. "Companies that fell victim to a ransomware attack suffered an average of nearly 11 days of downtime, with one in 10 reporting downtime of more than three weeks. In our current economic environment, that amount of downtime can be crippling to organisations."
Cyber resilience strategies are also meant to provide continuity in the event of service outages. "Our research found that nearly two-thirds (64%) of Microsoft 365 users have experienced an outage in the past year, while nearly all (93%) feel that additional safeguards are needed to protect their Microsoft 365 applications."
Positive impact expected from government mandates
New government mandates for cyber resilience – such as those contained in legislation including POPIA and the Cybercrimes Act – are expected to have a significant impact on organisations' cyber resilience. Of all the countries surveyed, South African respondents expect the greatest change. Forty-six percent of organisations believe they will see an overall improvement in the level of cyber security in their business because of government mandates, while 36% expect a decrease in risk of cyber attacks impacting their business.
“Safeguarding South African organisations against the rising tide of cyber attacks requires greater commitment to cyber resilience from the board and executive levels all the way through the organisation,” says Pinnock. “Allocating adequate budgets, implementing effective technologies and controls, and instilling a culture of cyber awareness throughout the organisation, all build towards greater cyber resilience and can help companies prevent and recover faster from cyber attacks. It’s also not enough to tick off boxes by implementing various cyber security solutions without a robust strategy in place. The tools need to work together and show value in minimising risk for the business. In light of the continued global instability and increasingly disruptive business environment, organisations will need to urgently address shortcomings in their cyber resilience efforts – or risk suffering devastating consequences.”
Brian Pinnock will be discussing how businesses can build a defensible cyber security strategy at this year’s ITWeb Security Summit. IT decision-makers can learn how to ensure the implementation of security solutions is not just a tick-box exercise but rather a defensible strategy that shows meaningful impact and lowers risk for the organisation.
Mimecast is the Urban Café sponsor of the annual ITWeb Security Summit 2022 to be held at Sandton Convention Centre in Sandton, Johannesburg on 31 May and 1 June 2022 and a Silver sponsor at Century City Conference Centre, Cape Town on 6 June 2022. Now in its 17th year, the summit will again bring together leading international and local industry experts, analysts and end-users to unpack the latest threats.