Cybersecurity is perhaps even more important than locks, vaults and walls in protecting the modern enterprise. So say members of the Institute of Information Technology Practitioners South Africa (IITPSA) Cybersecurity Special Interest Group (SIGCyber).
In a statement marking International Cybersecurity Awareness Month, held annually in October, IITPSA SIGCyber members noted that companies’ intellectual property, data and systems have significant value. This makes them a target for cybercriminals.
To tackle the risk of cybercrime, cybersecurity should be a top priority, and more skills development and awareness campaigns are needed, they say.
The Business Case for Protecting the “Crown Jewels”
Bryan Baxter, CRO at Wolfpack Information Risk, said, “The company’s strategic assets are known as their ‘crown jewels’. These are high-value assets that would cause the most business disruption if compromised. Information technology systems and data are an important part of an organization’s crown jewels. These can include trade secrets, intellectual property, company or customer data, as well as operational and financial systems.
“Anything of value attracts the attention of criminals and this is no different in cyberspace. Organized cybercrime is the biggest threat and is a lucrative and growing business. Common threats are ransomware, data breaches, malware and phishing.
“Many organizations have the basics of cybersecurity in place, but lack formal frameworks to manage and reduce cyber risk. Some key areas are being overlooked, which means the ‘cyber doors’ are wide open, making them an attractive target,” Baxter says.
The costs of recovering from physical or cyber incidents can be far higher than the cost of preventing such events, he notes. With data breach losses running into the millions, many costs are quantifiable, but the long-term damage to reputation and customer or shareholder trust is more difficult to assess.
“The real threats such as burglaries, vandalism, fires and floods are well understood. Money is spent on fencing, alarms, security guards, fire detection and suppression to protect physical assets. The same due diligence must be applied to protect high-value virtual crown jewels,” Baxter says.
Baxter says all organizations should make cybersecurity a business priority. “A cyber risk assessment should be conducted to assess the main adversary threats to the Crown Jewels. Appropriate controls must be put in place and their effectiveness constantly monitored,” he advises.
“This will ensure customer loyalty and trust by demonstrating that you value their business and data. It will ensure the sustainability of operations, financial stability and protect the interests of shareholders.”
Prioritizing cybersecurity
Professor Lynn Futcher of Nelson Mandela University, School of Computing, Center for Information and Cybersecurity Research, says cybersecurity can no longer be seen as an afterthought, to be dealt with after other, higher priorities have been met.
She says, “New and evolving cybersecurity threats demand a change of mindset from everyone. Far too often we hear people pass the buck, saying ‘cybersecurity is not my responsibility, it’s a technical issue’, ‘hackers don’t target small and medium businesses’, ‘we have strong passwords and virus protection software to protect against a data breach’, ‘we comply with industry regulations to keep us safe’, ‘my personal information is only valuable to me – no one else would want that’.”
Professor Futcher warns: “A single cybersecurity incident can have a devastating impact, whether financial, reputational or privacy-related. The increase in cybercrime is a growing concern for organizations, governments and society as a whole, exacerbated by the unprecedented cybersecurity skills gap that exists both globally and in South Africa. This cybersecurity skills gap can only be effectively addressed through the concerted effort of all actors, including individuals, universities, organizations, and governments around the world.”
Leading organizations, both locally and internationally, can play a key role in bringing these actors together to address cybersecurity skills and related concerns, she says.
“These organizations include the International Federation for Information Processing (IFIP), the Association for Computing Machinery (ACM), the Information Systems Audit and Control Association (ISACA), and the IITPSA, to name a few. It is therefore important for us as IT professionals to engage with these organizations and play our part in addressing the many cybersecurity challenges in South Africa.”
From the weakest link to the human firewall
Professor Kerry-Lynn Thomson, also from the Center for Information and Cybersecurity Research at the Nelson Mandela University School of Computing, says that while people are often referred to as the “weakest link” in the security chain, it could be argued that they should instead be seen as an integral part of cybersecurity defense – a human firewall – through the cultivation of a culture of cybersecurity.
She notes that in 2015, the South African National Cybersecurity Framework was proposed, which stated, “To effectively address cybersecurity, it is prudent that civil society, government and the private sector play their part in ensuring that South Africa has a culture of cybersecurity. For this, it is essential to develop a culture of cybersecurity, in which the actors understand the risks related to navigation in cyberspace.”
Professor Thomson says: “To create this societal culture of cybersecurity, it is vitally important that individual users of technology are aware of cybersecurity and have the skills to behave safely and protect themselves, as well as others, when online.
“To lay the groundwork for this, cybersecurity awareness programs and campaigns should be promoted for everyone who goes online, regardless of age. However, more than just providing information, these cybersecurity awareness campaigns need to be tailored to be age-appropriate and targeted to particular threats for different age groups. For example, cyberbullying for young children versus identity theft and financial scams for adults.”
She adds, “These cybersecurity awareness campaigns should be underpinned by behavioral theories, such as social learning theory and sociocultural theory, as well as sound pedagogical principles with the aim of translating awareness into action. This makes the approach and the way forward for cultivating a culture of societal cybersecurity truly interdisciplinary.”
Closing the cybersecurity skills gap through collaboration
Dr. Mafuwafuwane, Practice Manager, Security Solutions & Strategy at Logicalis SA, believes that skills development and training are needed to help combat the growing cybercrime epidemic.
“There is no doubt that cybersecurity is everyone’s responsibility. Technology has transformed almost every facet of our lives. As we continue to embrace the 4IR revolution, we now control our home Internet of Things (IoT) using smartphones or voice. The way we communicate, learn and work relies on complex technologies. Meanwhile, the government continues to adopt the concept of the smart city, which makes the city beautiful and wirelessly connected.
“But have you ever thought about the security required to ensure that everything from a smart home to a smart city is protected from cyber attackers? The cybersecurity industry desperately needs people from all walks of life to think about a career in tech, but we need to tackle digital skills first to make sure no one is left behind,” says Mafuwafuwane.
“The public still struggles to understand the emerging digital world. It’s hard for someone to play it safe on the internet when they don’t fully understand how everything is connected. Their lack of understanding of the best use of technologies exposes them to cybercriminals,” he says.
Fighting cybercrime requires individual awareness and a growing army of cybersecurity professionals, he says, noting that Microsoft has predicted that by 2025 there will be 3.5 million cybersecurity jobs open in the world, an increase of 350% over eight years.
Mafuwafuwane says, “Through collaboration between the public sector, private sector and academia, we can create a cybersecurity program that consists of in-depth technical material and a business strategy. Courses could be offered in many formats, including practical work. Some of the content could also be created for use by a tech patron, to easily guide normal citizens to be cyber-smart while taking on the 4IR uprising.”