Cyber attacks on the rise in SA
The number of South African mobile Internet subscribers is forecast to more than double in size - from 15 million in 2013 to 35.2 million in 2018, says management consulting firm AT Kearney.
With this increasing digitisation - especially in the banking sector - the magnitude and frequency of cyber attacks aimed at breaching security walls has inevitability increased, the consultancy says.
Dr Boris Piwinger, senior manager in AT Kearney's Vienna office and global leader of information security for the consultancy, says the rapidly changing landscape of information security attacks means the price of weak security is also increasing.
South African businesses need to place a much higher priority on their handling of cyber and data breach risks, as the country is fast becoming a leading target for cyber criminals, he says. Piwinger adds that according to some reports, recent statistics reveal SA is the third most attacked country globally.
"Some industries and companies are tempted to relax and justify their slowness with statements such as 'we are secure; nothing has happened to us before' or 'our firm is not important enough to be a target' or 'security costs are greater than the potential damages'," says Piwinger.
"Unfortunately, many executives have learned the hard way that these statements simply aren't true. System-critical infrastructure, in particular, faces the risk of cyber war and cyber terrorism, but every firm is a potential target, and the costs are huge. The worst might not be the direct damage of the attack, but the potential scale of public awareness and ultimately the loss of trust in the entire system."
Piwinger believes the most critical trends are global surveillance, intentional weakening of IT defences, attack-as-a-service, and massive attacks on infrastructure and automation systems. He cites ransom demands as another potential threat, with attackers refusing to stop until they are paid, while continuing to demonstrate they have control.
"Sensitive data is proliferating as the modern enterprise becomes progressively more connected and cyber criminals are increasingly turning to attack Internet infrastructure rather than individual computers or devices," adds Cay-Bernhard Frank, partner at AT Kearney Johannesburg.
"This is particularly relevant as Africa and the Middle East regions are expected to post an almost tenfold increase in cloud computing traffic growth rates between 2013 and 2017."
Cyber attacks not only steal significant data, but also open the door to sabotage by enabling the crippling of physical systems such as wind turbines, gas pipelines, and power plants, says AT Kearney in a statement. Such attacks can have dramatic and far-reaching consequences for manufacturing (where the past focus on safety meant avoiding accidents, not security breaches) and infrastructure such as traffic and utilities, it adds.
"For businesses, the first step to prepare for cyber attacks is to understand that information security risks are business risks, not IT risks," says Frank. "Corporate leadership is the ultimate owner of information security risks - not the IT department or the CIO."
AT Kearney has found leaders in information security consistently address five dimensions to achieve cutting-edge security: strategy, organisation, processes, technology, and culture. A solid information strategy is directly linked to the business strategy and provides the foundation for all information security decisions, says the firm.
"You have to assume you are already the victim of an ongoing, successful attack, every second of the day," says Frank. "It is, therefore, hugely critical that the importance of cyber security is comprehensively communicated and constantly highlighted within the organisation."
The consultancy says the right organisational setup allows the organisation to steer through tough decisions and situations. Well-defined processes ensure risks are properly evaluated and addressed. When it comes to technology, the leaders in information security care most about the one attack they might miss and are efficient in their use of technology, it adds.
"At the end of the day, a strong corporate culture is one that values information security as a business enabler," said Frank.