Detected malware has increased nearly fourfold in SA, and all indications are that risk will continue to grow as businesses adapt to the new normal of work.

This emerged during a cyber resilience webinar hosted by Mimecast in partnership with ITWeb this week. The webinar, entitled ‘Staying ahead in an evolving cyber threat landscape’, highlighted a dramatic increase in cyber threats in SA in the past year, with a definite uptick during the early weeks of the COVID-19 pandemic.

Brian Pinnock, Mimecast director of Sales Engineering, noted that Mimecast’s 100 days of Coronavirus threat intelligence report and the Mimecast State of Email Security 2020 report showed SA may be more vulnerable to cyber risk than many other countries. Over the past 12 months, South African companies surveyed indicated that 45% were impacted by ransomware, 46% had an increase in impersonation fraud, 35% experienced data loss and 76% had experienced downtime from an attack.

“Since the beginning of this year, our Threat Intelligence team saw a dramatic increase in detected malspam, malware, impersonation and blocked clicks in SA. There was a massive 385% increase in detected malware – much bigger than anywhere else in the world – a significant increase in the number of blocked clicks too,” Pinnock said.

Pinnock and guest speaker Werner Lunow, CISO at Allan Gray, said these numbers could be expected to rise, as threat actors had also had their operations disrupted by the pandemic, but were now regrouping and becoming increasingly sophisticated in their attacks.

The new normal

Predicting a new normal in which many organisations retain a hybrid office-remote workforce, Pinnock and Lunow said remote workers appeared to have become more vulnerable.

“Workforces unaccustomed to working from home are being introduced to unfamiliar practices and procedures outside of the supervision and constraints ordinarily supported, encouraged or imposed by the workplace environment. Additional factors to consider are the extent of lockdowns regionally and globally at present and the onset of boredom, a desire for up-to-date information and news, and the significantly enhanced potential for misuse by persons other than an employee through the poor physical security of work-related devices,” said Pinnock. 

Users and their families are increasingly at risk of falling victim to malware and social engineering, he said.

“We’ve seen an explosion of impersonations of brands, such as streaming services, and tens of thousands of fake COVID-related domains, and users are falling for this.”

In addition, organisations were not prepared to manage ‘dining table warriors’ at scale, and many had eased up on authentication hygiene and endpoint security simply to enable the remote workforce quickly, he said.

“Moving forward, organisations have to reassess their risk, look at threats, assets and the controls used to protect those assets, and they must consider the business impact if these assets were to be compromised.”

Securing remote access

A poll of webinar participants indicated that their primary security focus area in the next 12 to 18 months would be securing remote access and Web (33%), enhancing user authentication (15%), user education and security awareness training (30%), insider threat identification and remediation (10%) and brand exploit protection (2%).

Pinnock and Lunow said that enhanced remote access security and user education were proven methods of improving security, and that authentication was crucial and should not be overlooked.

“We’re still not seeing multi-factor authentication as pervasive in corporates, but they need to start enabling this,” said Lunow. “Organisations will have to start catering for hybrid workforces, they must look at protecting data alongside securing their own infrastructure, and they must work to improve their incident response.”

Said Pinnock: “Where in the past many organisations only considered security at the perimeter, they must now look internally at insider threats and threats beyond the perimeter, where actors may be using and damaging their brands online.”

Mimecast’s recommendations on making remote access more secure include a DNS layer to avoid consumer routers provisioning DNS servers, an MFA layer, improved visibility over endpoints, implementing whitelisting to allow installation of approved applications only, patching critical vulnerabilities, updating incident response process and policies and enhancing user awareness and training programmes.