Africa’s data security readiness at low levels
Despite a high level of IT security awareness and robust corporate IT governance policies in Africa, the level of data security preparedness is still very low.
This is according to the 2019 “State of Information Security Preparedness in Africa: Data Protection Survey”, compiled by information risk solutions provider, Arcon Techsolutions.
More than 100 industry IT professionals, CIOs and CISOs from Kenya, Nigeria, SA and Ghana were surveyed to establish the state of Africa’s IT and data security preparedness.
The survey highlights that African organisations remain increasingly vulnerable to data breaches. As a result, organisations will have to reinforce their privileged access to secure confidential and sensitive corporate data.
In SA, for example, there has been a rise in attacks on critical public infrastructure and public service providers.
Just last month, City Power, the City of Johannesburg’s electricity utility, was hit by a ransomware attack that encrypted its databases, applications and network.
Last year, insurance firm Liberty suffered a major data breach, after an external party gained unauthorised access to its IT infrastructure and demanded payment.
In May 2018, South Africans suffered a massive data leak which resulted in close to a million personal records being exposed. This was after another mega leak in October 2017 that saw personal information of over 30 million South Africans compromised.
The majority of the survey participants believe the root cause for the steep rise in data breaches on the continent is mainly due to a compromised user or privileged account, with 79% of the survey participants agreeing to that fact.
Unfortunately, the awareness alone is not enough to build up a secure IT environment, notes the survey.
“Implementing best privileged account management practices like access based on only need-to-know and principle-of-least-privilege, along with frequent randomisation of privileged credentials, can make the IT security posture more robust.”
According to the survey, 74% of the participants accepted that privileged access management (PAM) is a major area of concern for information security.
Paresh Makwana, cyber security expert and business development consultant at Arcon Techsolutions, says organisations’ IT attack surface expands when adequate attention is not given to secure the access control mechanism.
“Typically, administrative accounts are targeted by malicious insiders or compromised third-party users and sometimes organised cyber criminals. They are always on the lookout to steal or misuse information by making an unauthorised access to target systems.
“Privileged access management practice helps an organisation to establish a rule- and role-based centralised access control policy over users. Therefore, any malicious attempt to breach sensitive information is prevented and the IT administrator receives alert messages about the suspicious activities.”
The survey adds: “To overcome these enormous IT pain-points and secure enterprise databases and critical business applications from malicious activities, enterprises need to adopt best privilege account management practices.
“Privileged access management offers the security team with a foundation to build a robust mechanism to manage, monitor and control privileged identities as every access to target systems is authorised, authenticated and documented.”
Responding to the question whether their companies follow digital or cyber governance policies, most of the participants (88.3%) acknowledged they have information security and governance policies within their organisations.
However, according to the survey, hardly any of those policies emphasise the security of privileged accounts that are the gateways to crucial and confidential data. “Most of the organisations confessed they have not invested in privileged access management solutions to date, which is a matter of genuine concern.”
Three percent of the respondents revealed they don’t know whether their companies follow information security and governance policies, while 7.8% indicated they are unaware.
In regards to the issue of data theft as a key topic within boardroom discussions, 50.6% of the survey respondents indicated ‘no’ to that question, with 44.2% saying ‘yes’. The remainder (5.3%) were ‘not sure’.
The survey states: “In spite of rampant data breach incidents hurting organisations, surprisingly, around 50.6% of respondents believe data theft is not a recurrent subject of boardroom discussions.
“IT security personnel should make this matter more pronounced to the management and board so that everyone is on the same page regarding steps taken to mitigate data security threats.”
Answering the question to what they fear the most, 33.7% highlighted phishing or malware remains the top of the list of their security threats.
The survey also observes that three-quarters of security professionals surveyed fear third-party IT users, insiders and targeted attacks.
“It is important to note the IT attack surface widens due to unmonitored privileged accounts. Malicious third-party IT users, disgruntled corporate insiders and organised cyber criminals snoop privileged credentials to target confidential information.”
The survey participants (48%) felt the IT risk and security management team would like to invest in PAM, followed by database activity monitoring (41.55%) and identity access management (36.36%).
In addition, 33.76% voiced their opinion for security compliance management and mobile device management, according to the survey.
“Governance, risk and compliance is also seen as a matter of concern because almost 25.97% respondents held that opinion; and finally, 11.68% respondents felt both identity access management and PAM technologies will be critical IT security investment areas.”