CIO Zone

Outdated security software puts SA firms at risk

Read time 4min 40sec
Lorna Hardie, regional director for Sub-Saharan Africa at VMware.
Lorna Hardie, regional director for Sub-Saharan Africa at VMware.

While more than a third (35%) of local business leaders say they are expecting a cyber attack on their business at any moment, an overwhelming majority are still dealing with outdated security software.

This is one of the findings of a newly-released report titled: “The State of Enterprise Security in South Africa 2019,” conducted by World Wide Worx, in partnership with Trend Micro and VMware.

The report surveyed IT decision-makers at 220 enterprises across all industries in SA about the priority of cyber security as part of a business strategy, the vulnerability of businesses and security compliance.

The survey found that although 99% of respondents say they are confident about protecting their company from cyber attacks, the picture changes when asked if they have the skills to adequately do so.

Aside from the 35% expecting an imminent attack, a further 31% of businesses expected an attack within the next year, with fewer than one in five IT decision-makers in local enterprises thinking they are completely safe from attacks for the next two years.

Speaking at the launch of the report in Johannesburg today, Arthur Goldstuck, MD of World Wide Worx, explained that while local business leaders believe they are adequately prepared for cyber incidents, in reality, they are dealing with much vulnerability across their security systems.

“The expectation of a cyber attack anytime gives an idea that business leaders believe they are adequately prepared; however, in reality, 92.3% of companies are dealing with outdated security software.

“Almost half (45%) agree they don't have the skills to protect the company. This disconnect suggests overconfidence in their ability to protect the business,” adds Goldstuck.

Lack of accountability

The survey further shows a lack of understanding between who is expected to be aware of data breaches and whose responsibility it is to be aware of data breaches.

Over a third of IT decision-makers (36%) stated the IT department should be the most aware of the actions to take after a data breach, while over half (54%) said their CIO should be the most aware of how to navigate the organisation after a data breach.

“We were astonished when we found that CIOs don’t lead the organisation’s response to a data breach,” notes Lorna Hardie, regional director for Sub-Saharan Africa at VMware.

“This finding shows that organisations still have a long way to go in terms of connecting a CIO’s strategy to that of the IT department.”

The report says IT decision-makers are willing to accept responsibility, with half of them (51%) saying they would blame their own departments in the event of a breach.

“This finding shows IT decision-makers are cognisant of how important security is to their role, as half of IT decision-makers would accept accountability for a data or security breach in their organisations,” says Indi Siriniwasa, VP for Sub-Saharan Africa at Trend Micro.

In for a shock

Just over half (57%) of businesses say they have the right technologies to detect evidence of a malicious breach within a few minutes.

However, in reality, most businesses may be in for a big shock, as almost half (43%) won’t know they’ve been compromised until a few hours or much longer after a security breach, the study says.

Ransomware and other file-destroying malware may corrupt almost every file on a user’s computer within a few hours, which means any response would be too late, the report says.

“There is a huge need for senior financial decision-makers to learn that an ounce of data breach prevention is worth a pound of lost data and productivity,” says Hardie.

“Interestingly, the research highlights that there will be breaches – that is a fact. But it is how business mitigates these risks going forward with a modern approach to security where we aren’t chasing each breach, but instead shift to a model where we build intrinsic security into everything – the application, the network, essentially everything that connects and carries data,” notes Hardie.

In terms of additional vulnerability factors, senior management not understanding the risks indicates a massive need for education and a need for a new approach to security, where it is an intrinsic part of the systems deployed by business, she adds.

The study also found other vulnerabilities include a cyber attack directly from employees (77%); a cyber attack directly from ex-employees (74%); using public cloud in general (71%); lack of budget (71%); threats that move faster than defences (66%); employees using devices (61%); penetration through external partners such as suppliers (61%); and penetration through non-standard employee devices (56%).

“The report reveals a stark trend in how South African IT decision-makers protect their corporate networks to give a clear sense where South African companies need to remain strong and areas of IT security where they need to work on,” notes Siriniwasa.

“At this stage, strong information and data security are non-negotiable, but ensuring this requires a cultural shift towards security awareness and collaboration across all parts of the business. Not only does business need to invest in security solutions that are pervasive and intrinsic, but they also have to invest in the right skills and people to drive best practice forward,” he concludes.

*Image sourced from “The State of Enterprise Security in South Africa 2019” report.
*Image sourced from “The State of Enterprise Security in South Africa 2019” report.
See also