The state of SA’s IT security, according to ITWeb/VMware CISO survey
How are South African corporates dealing with the increasing challenges of cyber security? It’s an important question, and every year, ITWeb looks to answer it through its Information Security Survey, which is sponsored by VMware.
This year’s survey is being published in full in June, but attendees at an executive breakfast during the recent ITWeb Security Summit were treated to a sneak peek of its contents.
The good news is that organisations increasingly see the benefits of sharing information around security. There were almost twice as many respondents this year as there were in 2018, said ITWeb editorial director Ranka Jovanovic, and most of them were chief information security officers (CISOs). The largest number of respondents came from big corporates too, with more than 10 000 employees, and a third came from those involved in financial services, perhaps reflecting the seriousness with which the sector takes cyber security threats.
Speaking at the event, VMware Africa’s lead technologist Ian Jansen van Rensburg reiterated the importance of security in retaining consumer trust. While many organisations – in the survey and anecdotally – report that it’s hard to free up budget for security, he said, the truth is that the damage from a major breach could irrevocably damage confidence in a brand.
Many of the firms that responded had suffered an attack of some sort in the past year. Overwhelmingly, these were related to phishing and malware. Some 57% said they had suffered a phishing attack, while 39% had suffered a malware attack.
Jansen van Rensburg said he was pleased to see that nearly two thirds of companies had invested in external specialists who conducted penetration testing exercises, and that was probably reflected in the fact that only 6% of companies had suffered a network breach.
When asked what they considered to be the biggest security threat, 29% of organisations responded that it was insider attacks – which topped the list. Only 9% thought malware was their biggest problem. Still, said Jansen van Rensburg, their priorities are probably in the right place.
“We feel secure about outside threats, but what about internal ones?” he asked. “That’s why we say software defined network segmentation inside the datacentre and your IT network is so important.”
When it came to discussion of what’s holding back investment in security, the message was clear. Almost three quarters of respondents said that the costs involved delayed investment, and 45% said that it was difficult to justify the ROI.
“Companies understand the options available, but it’s hard to find budget,” sympathised Jansen van Rensburg. “But the brand damage that can occur as a result of a major incident can be catastrophic. How do you put a price on that?”
Branch security was an issue for many organisations, given their size, and almost half said that SD-WAN had figured in their planning. This is a trend that Jansen van Rensburg thinks will grow.
“We see this becoming more and more relevant in the industry today,” he said. “More companies have a cloud first strategy, and they want to move their entire infrastructure into the cloud. The challenge then becomes how are you going to manage networking and security in that environment?”
Companies are good at securing their own networks, he said, but they don’t tend to have the same experience and skill when it comes to securing public cloud.
One of the biggest changes since 2018, according to the report, is what’s driving security spending. Last year, it was the need to protect customer information (24% of firms said this was the main priority). This year, that was overtaken by compliance (22%), showing the effect of GDPR and PoPI on the industry. Customer protection is still second (19%), and obviously related.
Wrapping up, Jovanovic offered participants the opportunity to feed back their thoughts on the survey, and recommend changes in the questions for next year.
To access the key findings report in PDF format follow this link.