More and more South African companies are falling victim to cybersecurity attacks, prompting them to increase their investment in security tools.

This is among the findings from Aon South Africa’s 2023 Cyber Risk Survey for South Africa, which provides insights on current trends in cyber risk governance practices being deployed by local companies in various market segments.

Key findings include:

* 22% of respondents suffered a cyber incident in the past five years.

* 67% of participants deploy a cyber risk management tool.

* Only 50% of respondents have a board-level cyber champion.

* 72% of participants purchase cyber insurance.

The study shows that companies are more likely to “beef up” their cybersecurity following a cyber incident.

“We question whether companies that have suffered a cyber-attack would have better cyber risk management practices in place than those who did not suffer an attack,” says Zamani Ngidi, cyber solutions senior client manager and co-author of Aon’s 2023 Cyber Risk Survey.

“The findings in the survey show that of the 22% of respondents that have suffered a cyber-attack, all subsequently have the full stack of cyber-related covers and tools in place as opposed to their counterparts, with less than 50% uptake on mitigation controls.”

The survey also found that only 43% of South African companies with revenue of less than R100-million deploy a cyber risk management tool, as opposed to 80% of companies with revenue of over R100-million.

“It points to two possible scenarios, where smaller companies are finding the cost of proactive risk management too high, or it could point to a perception that the risk is only reserved for companies with a higher revenue bracket,” Zamani explains.


Digital sovereign risk on the up

A significant 30% of multinational organisations will experience revenue loss, brand damage or legal action due to unmanaged digital sovereign risk by 2025, according to Gartner.

Brian Prentice, vice-president analyst at Gartner, comments: “For the last 30 years, multinationals have been managing business operations against the backdrop of assessing risk from the economic and political environments of the countries they operate in. They now need to expand sovereign risk to include digital to avoid any potential fallout as it increasingly fragments along national and regional lines.”

According to Gartner, digital sovereignty is the ability of a government to realize policy without impediments imposed by the digital regulations of foreign governments directly on their citizens and domiciled business, including those exercised through digital giants under regulatory control.

“As more countries pursue sovereign digital strategies, what emerges is a complex array of trans-jurisdictional regulatory obligations, tariff restrictions, import/export bans, country specific technology protocols and local content requirements,” says Prentice. “Given digital’s critical role in business operations, executives must understand digital sovereign risk and its impact on business conditions.”


The African experience

Against this backdrop, it’s no surprise that Africa is experiencing its own challenges when it comes to cyber resilience and data protection.

Kate Mollett, regional director: South Africa and SADC at Commvault, explains that cybercrime that takes place in Africa could have wide-ranging effects around the world, which is why companies and governments in Africa are actively trying to increase their cyber resilience.

“But it is difficult to be one step ahead of the bad actors,” she says. “And cyber resilience is always only as strong as the weakest link.”

The continent has huge potential for technology solutions, Mollett adds. With a young population and the fastest-growing connectivity penetration in the world, technology is the go-to for solutions to the myriad challenges in Africa.

“Our young people look at connectivity, technology, and information to solve their challenges and have embraced solutions like online banking.”

There are already half a billion Internet users in Africa, but there is still huge opportunity for growth, Mollett says.

“On the flip side, this is a challenge, because 90% of all businesses on the continent do not have the protocols in place for security and data management,” she adds. “So we are quite vulnerable.”

Accenture has identified South Africa as having the third-highest number of cybercrime victims in the world, having experienced a 100% increase in mobile banking threats.

“So we need to safeguard and protect data to ensure organisations have a robust cyber resilience strategy.”

Ransomware attacks cost, on average, $300 000 each and it takes companies 21 days to recover – and 62% of all businesses in Africa have had a ransomware attack against critical infrastructure.

“This will continue,” Mollett says.

While ransomware is currently the fourth-most common form of cyberattack, she believes this will start to move up the stack, overtaking online scams, digital extortion, and business email compromise, which are currently leading the charge. The fifth most-popular attacks are from botnets.

“How do you defend against these threats?” Mollett asks. “You need to have an active defence strategy.”

Indeed, by the time you are dealing with a cyberattack it is probably too late.

This is the chilling message from Nizar Elfarra, regional sales engineering leader at Commvault, who points out that cyberthreats could have been in your network for months before you even know they are there.

“And the period they are there is getting longer as they become more intelligent,” he says. “This is why you need active data protection.”

Today, most companies’ data resides on-premise, in private and public clouds, and on user devices. “So the perimeter is huge. And typical data protection solutions are not geared for this,” Elfarra says. “So you need to rethink your data protection strategy and be proactive in your defence.”

Today, attacks are faster and broader than ever. They sit on devices for longer than before and execute attacks below the radar, exfiltrating and encrypting data. Then they break operational continuity to prevent recovery.

Nowadays, the average breakout time has been accelerated to 84 minutes.

Worryingly, 93% of attacks now target backup repositories, Elfarra explains.

“So you need to rethink your data protection strategy and go for solutions that are next-generation.”

Companies are confronting a new wave of cyberthreats: there has been a 29% increase in dwell time, from seven to nine days; 71% of attacks are malware-free, so they fly under the radar; and more attacks than ever are using double or even triple extortion.

Traditional security secures the perimeter or focuses on the last line of defence, Elfarra says. But a lot of today’s attacks are taking place between these protection methods.

“There is a need for detection and early warning,” Elfarra says. “So we are shifting data protection left.”

Bad actors today could gain access to the environment up to six months before an attack is launched, he explains. They move through the environment seeking weak points and looking for critical systems or data. When they execute the attack it can take place quickly before the bad actor exits.

Most companies protect against data loss by performing daily backups, doing anomaly detection, and then remediating if an attack happens.

Commvault advocates moving the data protection further down the line to provide active defence to detect risks before an attack occurs.


Defending against a sophisticated adversary

The risk is very real, says Dmitry Galov, head of the Kaspersky Global Research and Analysis Team.

Cybercriminals are well-organised, well-resourced and ruthless when it comes to extracting the maximum value from their victims, he says.

“This industry is getting more industrialised, and it’s very rich, with decentralised – and very specialised – ecosystems. Make no mistake, this is an industry: the staff get salaries, vacations and sick leave.”

In the past, most cyberattacks were against US, European and Asian targets. But emerging regions like Africa and the Middle East are now firmly in the cybercriminals’ sights.

Indeed, Africa has already seen a 10% to 15% increase in cybercrime this year, with the sectors most at risk being government, financial, telecommunications and industrial control systems (ICS).

ICS attacks are the most frequent, with a massive 25% of Africa’s industrial plants already targeted – many of them in South Africa. “Twenty-three percent of plants here have been attacked by something,” Galov says.

With most attacks taking the form of ransomware or advanced persistent threats (APTs), these attacks are not only more frequent but often more destructive than ever.

“There is a lot of destructive stuff that is being used in these operations. For instance, many attackers have moved from encrypting data to wiping it.”

Galov recommends that organisations don’t focus only on dealing with attacks once they occur, but on preventing them from happening in the first place.

General cyber awareness and good cyber hygiene are important, he says.

Kaspersky also advocates that IT and ICS systems be made secure by design to mitigate against attacks taking place.