As clients of blue-chip companies and big name banks, we happily fill out forms and send sensitive information (such as financial details) off into the digital universe – thinking that this data is in safe hands. Sorry to burst your bubble – but it’s not.
Just as we are lulled into a false sense of [data] security, so too are South Africa’s big corporates. The reality is that professional hackers and cyber criminals are targeting large businesses every day – and according to IBM’s Joe Ruthven, Security Sales Leader, MEA – they have some sort of success as frequently as once a month. To make matters worse, several reports have found that targeted cyber attacks are on the increase – which is becoming terribly costly for companies. International IT security specialists Kaspersky Lab reported that SA lost R2.65 billion to cyber crime between January 2011 and August 2012. With numbers such as these being bandied about, you would have thought that we (as trusting consumers and clients) would receive detailed reports of these breaches, accompanied by neat bullet points of what said company is going to do about it. Erm, think again. When it comes to cyber attacks, SA companies remain mute.
“[Local] organisations are not disclosing and publicising that they have these breaches,” explains Ruthven.
This is in part because it obviously makes them look bad, and partly because unlike their international counterparts, local companies are not legally bound to disclose such attacks to the public. Ruthven says that especially within our banking, insurance and communications sectors, there has been little implementation of internationally accepted security regulations and procedures – and as a result – they are getting away with their strategy of silence.
According to Ruthven, there is also a perception among cyber criminals and hackers that South African organisations are less diligent than their international counterparts in implementing stringent security measures. Consequently, reports are showing that SA is among the top five countries in the world for targeted attacks. Scary stuff.
The good news is that local business leaders are starting to get “skrikked”, and are proactively looking to significantly improve their defenses. Ruthven says this is most obvious in the financial sector, where businesses have been upping the security ante over the past year. But are they doing enough?
Grant Brown, Endpoint Security Specialist at Symantec, a global IT security firm, explained to Finweek that most local companies still underestimate the threat, and are therefore underprepared: “Robert S Mueller III, Director of the FBI, said at a Cyber Security conference last year that ‘I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.’”
Brown continues: “[Preparedness] does depend on the business and whether they are adopting and evolving their security strategies along with the ever changing threat landscape. If, for example, you think antivirus is security and you are still just running antivirus alone on your desktops, laptops and servers, you really are just asking for trouble and more than likely fall into the category of ‘companies that have been hacked and will be hacked again’. The scary part is that you are more than likely blissfully unaware of what is happening from a security perspective in your environment.”
One of the reasons for this is that keeping up with security trends and requirements can be both costly and exhausting – especially as companies are pitted against hackers who often have infinite resources in the form of massive financial and political backing. Business leaders, however, have to resist burying their heads in the sand, and make sure that their in-house security specialists are up to speed. The other option (especially for smaller companies) is to outsource your IT security – which may sound counter-intuitive – but is surely better than nothing.