What recent data breaches reveal about cyber security in SA
The past three months have seen well-known local healthcare and financial organisations falling victim to attacks and data breaches, or being forced offline.
Local data breaches coincided with high profile attacks and outages experienced by global brands such as Twitter and Garmin, and credit bureau Experian reporting a massive breach that exposed the personal information of up to 24 million South Africans and nearly 800 000 businesses.
“These incidents have brought to light a battle that has been waging quietly in the background," says Brian Pinnock, a cyber security expert at Mimecast. "Cyber criminals –using increasingly sophisticated techniques – are targeting South African public and private sector organisations in orchestrated attacks that could lead to devastating losses in business productivity, reputational damage and revenue.”
Mimecast’s State of Email Security 2020 report revealed that 53% of local organisations reported increased phishing attacks and 46% reported increased incidences of impersonation fraud compared to the previous year, no doubt exacerbated by the COVID-19 pandemic.
So what can we learn from these latest data breaches?
Firstly, he says, that no organisation is immune from a data breach.
“Big or small, any organisation can fall victim to a data breach. As the Experian breach has showed, it’s not always computer whizzes that ‘hack’ company data. A clever fraudster posing as a trusted partner or supplier can just as easily get away with valuable internal data that can be used in cyberattacks."
In addition, Pinnock says breaches are more common than most realise. “With POPIA now in effect, organisations are duty-bound to disclose breaches. We can expect to see many more reports of data breaches over the coming months.”
We can expect to see many more reports of data breaches over the coming months.Brian Pinnock, Mimecast
Next, he says don’t assume data is harmless. When the data breach at Experian was first revealed to the public, the company was quick to point out that the data - which consisted of ID numbers, phone numbers, physical and e-mail addresses - was harmless. However, if clever attackers get their hands on this information, they can use the personal details of impacted consumers and supplement it with readily available information from social media to carry out sophisticated social engineering attacks.
“It’s now come to light that the Experian data is in fact on the Internet. This means that criminals can potentially use this information to launch targeted cyber attacks aimed at the individuals whose personal information was breached,” he explains.
In order to protect themselves from attacks, Pinnock advises companies to develop a layered security strategy.
“The threat landscape has shifted to the point where organisations need to approach security with three zones in mind. Firstly, at the e-mail perimeter, where security controls can detect and block malicious emails. Next, inside the organisation, which includes protecting against internal threats and awareness training. Finally, beyond the perimeter, where cyber criminals are finding great success with brand impersonation that can trick unsuspecting customers and partners into offering up important information or into making payments to fraudulent bank accounts.”
In addition, he advises organisations to deploy brand exploit protection to ensure their domains are not being subverted by bad actors and to enable them to take swift action should any brand exploitation be detected.
“In the Experian example, brand protection is a consideration in two situations. Firstly, it was likely a missing security component in a customer or supplier environment that the fraudster exploited to trick Experian into handing over the data. Secondly, banks and other trusted brands would be smart to have brand exploit protection in place, to ensure criminals don’t impersonate them and target their customers with sophisticated attacks.”
Pinnock also advises to focus on empowering people, because no matter how good a company’s defences are, humans are the weakest link, and without a ‘strong human firewall’, they remain susceptible to data breaches.
“Studies suggest human error plays a role in 90% of all data breaches. Mimecast found that users who had been exposed to cyber awareness training were over five times less likely to be taken in by certain types of fraud,” he says.
In conclusion, Pinnock says one of the most effective security strategies is conducting regular and on-going awareness training to ensure staff can identify and avoid risky online behaviour. “Organisations also need to identify high-risk employees or job titles, such as those in finance, that attackers are likely to target, and ensure they invest in additional awareness training and security controls for such employees.”