Johannesburg, 13 June 2023 – In the past year, more than half of South Africa’s companies have been impacted by ransomware attacks.
Furthermore, according to a recently released report by cyber security firm Kaspersky, spyware attacks in South Africa grew by 18% between the last quarter of 2022 and the first quarter of this year.
These statistics are more than a little alarming, as instead of the country making headway against such attacks, the opposite is happening.
Cybercriminals do not discriminate either.
While the targeting of banks, payment processors and other financial institutions is commonplace, the public, healthcare, manufacturing, information technology and education sectors have all been in attackers’ crosshairs in recent years.
Cybercrime takes myriad forms, including phishing attacks, malware infections, ransomware, DDoS attacks and insider attacks.
A new threat comes in the form of Business Email Compromise, or BEC, which targets an organisation for the purpose of defrauding it.
Clark Basilwa, IT security consultant at South Africa’s World Wide Industrial and Systems Engineers (WWISE), explains that BEC scams are typically orchestrated through the use of email messages that appear to emanate from known sources making legitimate requests, whereas the source is likely a cybercriminal.
“Organisations with particularly weak computer network safeguards are usually the target of BEC scams, specifically those with minimal controls over online banking systems,” he says.
Another reason for the rising number of cyberattacks on South African firms is the emergence of Advanced Persistent Threats (APTs) that can often stay undetected for months or even years. These complex attacks typically focus on high-value targets such as well-known companies and government departments and aim to steal information over a lengthy period of time.
“There are several factors that can lead to a proliferation of attacks,” says Kgotso Masenya, WWISE’s head of information technology.
“There may be a lack of information and cyber security awareness, or the firm might not have the skills and necessary controls in place to protect against cyberattacks. These include Intrusion Detection Systems, cyber law and requirements-compliant firewalls, endpoint managers, anti-viruses, effective incident and vulnerability management processes, and data loss prevention processes and policies.”
Companies may also lack the skilled personnel needed to deploy preventative controls that contain cyberattacks and their impact, while system vulnerabilities may be poorly monitored.
Both experts agree that if threats are to be averted, companies need to implement standardised cyber security measures.
ISO/IEC 27001:2022 and ISO/IEC 27032:2012 form part of the International Organisation for Standardisation’s range of globally recognised standards for combatting cybercrime within a company or organisation. These certifications will:
“There are several things you need for a standards-driven process to really bear fruit,” Masenya says.
“The most obvious is effective implementation of the standard in question, but you also need the ability to identify gaps and non-conformities and define corrective actions. You also need to proactively identify areas or opportunities for improvement.”
“Another key point is that standardisation should extend to internal processes to reduce errors, waste, and risks. And aside from effective communication, emphasis should be placed on frequent awareness training around the implemented standards.”
Clark Basilwa follows what he believes is a crucial four-step process in building a cyber-resilient organisation:
By implementing these strategies, businesses will greatly improve their responses to attacks and even be able to continue operations when they occur, the experts say.
Launched in 2009, Centurion-headquartered WWISE employs 35 full-time consultants who specialise in more than 40 industries, both locally and abroad, training in and implementing ISO standards and programmes for a broad range of small, medium and large-scale businesses and organisations. The company has a solid local and international client base, with 590 clients in 16 countries, implementing more than 30 standards and achieving a 100% record when clients are certified. Its training programmes are accredited with SETA and various international bodies, and it offers an e-Learning portal through which 12 000 people in 40 countries have been trained so far.
The 70-year-old International Organization for Standardization (ISO) is an independent, non-governmental international body that develops business management standards to ensure the quality, safety and efficiency of products, services, and systems across a multitude of industries. It aims to uphold consistency and quality in an increasingly globalised marketplace.