By Kathy Gibson – A massive one-third of South African IT decision-makers expect to experience an imminent cyber-attack.
In addition, emerging technologies are starting to make an impact on the security landscape, says Arthur Goldstuck, MD of World Wide Worx.
“The State of Enterprise Security in South Africa 2019”, research conducted by World Wide Worx and commissioned by Trend Micro and VMware, found that 35% of IT leaders expect an attack within just a few days, and 31% expect to be breached within a year.
Just 18% of organisations expect an attack within two years and 16,1% expect it within one to two years.
“The ones who expect an attack within the next few days are probably right on the money,” Goldstuck says. “The complacent CIOs are those that will most likely fall victim to attacks.”
Fortunately, more companies will know about an attack within minutes (56,7%) or hours (33,6%).
“However, if you only know about an attack within hours, that is too late and you will probably have lost all your data – and be in danger of going out of business,” Goldstuck warns.
Any response time longer than a couple of minutes opens organisations up to massive business continuity issues, he adds.
Protecting against cyber-attacks is being balanced in most organisations against companies’ major priorities of acquiring new customers and growing existing customer revenue.
Security funding today is prioritised almost equally. “There is no longer a standout area where funding is going,” Goldstuck says. “Today attacks are coming from everywhere, so companies cannot focus on one area.”
Having said that, encryption gets the most focus, followed by mobile security, data backup and firewalls.
Another key element that has a massive impact on cyber-security is the big shift to public cloud providers, Goldstuck adds.
A significant 40,5% of organisations say they are somewhat advanced in the move to public cloud, with 31,4% already very advanced. Just 13,2% of companies are not thinking about it; 4,5% have only just begun; and 7,7% are not very advanced.
This brings up the question of endpoint security, and 97% of organisations have a strategy for keeping data safe when moving across applications and endpoints; 86% are working on trusted digital interactions with customers. However, digital transformation and the expanding number of endpoints have led to security breaches for 56% of companies.
Organisations may think they are secure, but there are many ways to breach them, Goldstuck says.
The research shows that the IT department is the most aware of what actions to take after a data breach, cited by 35,8% of CIOs.
The CIO and CISO are expected to be most aware by 27,5% of respondents, the senior leadership team by 22%, the board by 11,4%, the CEO by 2,3% and the CFO by just 0,9%.
However, this points to a bigger load on the IT department than is really fair, Goldstuck says. “It should be an executive decision what to do after a data breach, but it is being left in the hands of the IT department.”
Respondents still think the IT department should be held accountable for a breach.
A massive 99% of companies believe the IT team can protect the company from cyber-attacks – but this points to massive over-confidence, Goldstuck says.
A similar number (98%) believe the security team effectively communicates to the board or C-suite on cyber security issues; and 95% believe the organisation’s board or C-suite provides the right amount of time and attention to cyber-security issues.
“There is tremendous over-confidence in the readiness of the people in the organisation – but there is low confidence in the systems protecting the organisations.”
Security implementations are most advanced when it comes to endpoint security (72,7%), trailed by 55,5% for endpoint security for virtual machines in data centres, then 51,8% for threat responses, 51,4% for the detection of behavior anomalies, 50,5% for malware detection, 49,5% for machine learning/artificial intelligence in security systems, 48,6% for threat investigation capability, and 42,7% for endpoint security for servers in data centres.
“Apart from endpoint security there is a relatively low awareness of the threats,” Goldstuck says. However, there is a move to becoming more advanced across all the elements of security.
The factors that make organisations vulnerable vary, starting with outdated security systems and software at 92,3%, followed by senior management not understanding at 89,1%.
Other vulnerabilities are: cyber-attacks by activists at 78,2%; cyber-attacks by employees at 76,8%; cyber-attacks from ex-employees at 74,1%; and employees who are untrained in cyber-security at 73,6%.
Misunderstood, complex or outdated controls are responsible for 73,2% of vulnerabilities, lack of budget contributed to 71,4% and using the public cloud in general is named at 71,4%.
Threats moving faster than defence is cited by 65,9% of respondents, followed by employees losing devices at 60,9%.
Employees make their companies quite vulnerable, with 76,4% of organisations aware of employees having been hacked on their own devices. Attempted hacks on employees’ own devices were cited by 45,5% of respondents.
A respectable 44,1% are aware of employees’ own devices being hacked because they have a mobile device management tool in place that alerted them, and 34,5% were aware that employees’ own devices had an attempted hack because they had a tool. However, 37,7% don’t have the ability to track employee devices.
Emerging technologies are creating new vulnerabilities that companies are not necessarily equipped to deal with, Goldstuck adds.
Cloud computing makes 48,6% of organisations highly vulnerable, and 89,1% of them vulnerable overall.
The Internet of Things (IoT) is cited by 46,4% of respondents as making them highly vulnerable and 86,6% as vulnerable overall.
Artificial intelligence and machine learning make 45% of organisations highly vulnerable and 79,5% vulnerable overall.
Robotic process automation is cited by just 35% as making them highly vulnerable and 74,1% as vulnerable overall.
Virtual reality and augmented reality are believed by 33,6% to make them highly vulnerable and by 79,5% to make them vulnerable overall.
“What is interesting is that the top technologies are all at a similar level – they are all fairly high; three quarters or more of organisations see them as a vulnerability,” says Goldstuck.
The flip side of the coin, Goldstuck adds, is the extent to which these technologies can be used to protect an organisation, particularly AI/ML and cloud computing. Blockchain, Internet of Things and virtual reality/augmented reality also score high as potential beneficial technologies.
The fact that outdated technology is making organisations vulnerable stands out, says Lorna Hardie, regional director of VMware Sub-Saharan Africa.
She is also concerned about the lack of ownership of the problem, she adds, along with the need for education and skills development.
“It’s not just the actual skills required to manage complex environments, but also education among senior managers.”
The Fourth Industrial Revolution is leading to more complexity across the whole business environment, Hardie adds, and this leads to significant vulnerabilities across systems, people and processes.
“At the end of the day, these guys are going to get in: they are constantly evolving. And maybe we need to rethink how we are handling cyber-security.”
VMware is advocating a move to intrinsic security that is built into the virtual machine, from the edge to the application.
“The emerging digital world is exposing organisations to new security risks,” Hardie adds.
Francois Els, sales leader: South Africa, SADC and Middle East at Trend Micro, agrees that education is critical.
“The threats change every day,” he points out. “We often find that breaches happen because education hasn’t taken place.”
Trend Micro is identifying 350 000 new unique threats every day, Els says. A massive 99,99% of exploits are based on known vulnerabilities, and cyber-criminals use normal computing objects to blend into the organisation’s environment.
They are also getting more sophisticated, and starting to use artificial intelligence to predict the movements of executives or other targets.
Indi Siriniwasa, vice-president of Trend Micro Sub-Saharan Africa