Information security: How does SA measure up?
There is a general lack of security awareness globally among businesses' operational staff that is leading to information security risk. Top level management does not understand the risks associated with a breach, and is unable to see the business benefits that come from mitigating the risks.
This lack of knowledge can be exploited, and it poses a reputational risk for international organisations operating in SA, says consultant Keitumetsi Tsotetsi. Tsotetsi will be presenting on "What is happening globally with regards to infosec vs the maturity of infosec in SA (and third world countries)," at the ITWeb Security Summit 2016 from 27 to 29 May at Vodacom World in Midrand.
She says the challenge is to implement security measures as fast as technology evolves. "Icasa reports that 83% of the respondents from their survey say cyber attacks are among the top three threats facing organisations today, and only 38% say they are prepared to protect themselves against an attack."
According to her, there is a general perception that globally, a reactive approach to information security is taken because many established organisations implement information security strategies only after they have been exposed to an attack or threat.
However, a number of First World countries do have security compliance measures and guidelines that must be adhered to. "Cyber security measures, policies and regulations that have been established are mature, with ISO 27001 being the most adopted risk based framework globally, with 43% of organisations implementing this framework."
SA is heading in this direction with the implementation of the National Cyber Security Framework, explains Tsotetsi. However, addressing cyber security as an urgent issue is taking too long as the initiative was started in 2012, with a white paper scheduled for release in March 2016. The policy is looking at promoting cyber security culture and demanding compliance to minimum security standards.
"SA has the third-highest number of cyber crime victims, after Russia and China. The number of detected security breaches in the country also increased by 25% in 2015 alone."
She says First World countries are moving towards taking a more proactive approach in addressing cyber security issues, but SA is still compliance-driven in terms of information security, and focus is not put on it as a priority, with security measures usually being implemented as an audit recommendation.
Many international organisations operate in SA, and the country is viewed by cyber criminals as a gateway to attacking them. "SMEs are not all completely on the information security train yet, but established organisations such as financial institutions and companies that deal with customer information are getting more proactive."
Overall, Tsotetsi says SA is making progress towards growing the information security landscape; however, the landscape is largely represented by North America (56%), Europe (20%), Asia (13%) and the rest of the world, including Africa (10%). The 10% indicates that data gathered regarding information security in Africa and SA is not well represented.
She adds that the increased Internet usage in developing countries has increased the security risk too. "More than 63% of people in Africa have cellular phones and more than 16% have access to the Internet. Tanzania is well developed in terms of IS as opposed to Kenya, Congo and SA. These three countries experience challenges in terms of prosecuting cyber crimes because no legal frameworks have been put in place to deal with crimes of this nature. Although Tanzania does not have a cyber security policy, a Cyber Crime Act 2015 Bill has been tabled recently."
Although the demand for information security has increased, the cost is still high in developing countries, she adds. There is a minimal information security landscape for business, and as a result, the cost of the service is still expensive, but IT security is still needed in the area because attacks are not only happening at an organisational level, but at a national level too, concludes Tsotetsi.