South African enterprises can’t ignore the risk of cyber attacks
The rising threat of cyber attacks puts SOEs and private firms a click away from disaster. They must heed the risk
Risk managers in SA must suffer perpetual headaches these days. There is a crammed list of risk management priorities to constantly monitor. These include variable water and electricity supply, physical crime, bribery and corruption, climate change, political instability, civil unrest — the list goes on.
The recent hack at the state-owned rail and ports company Transnet is an alarming reminder of how cyber security has elbowed its way to near the top of the list. Details are understandably sketchy. But the threat was serious enough to take the firm offline for more than a week and for Transnet to invoke the force majeure clause on its contracts.
Ransomware attacks are the fastest growing form of cybercrime in the world. They happen through the infiltration by malicious software of a computer or network. The aim is to limit or restrict access to critical data by encrypting files — effectively locking them — until a ransom is paid.
There is one ransomware attack every 11 seconds globally. That’s roughly each time you finish reading one of these paragraphs. The average downtime after each attack is 21 days. This depends on whether the ransom is paid or not. Ransoms are much maligned in public, but routinely paid in private.
As with all forms of attack, these efforts range on a spectrum of sophistication, from blunt brute force to highly complex and carefully orchestrated.
This is not a uniquely South African problem. However, it does raise the question: how vulnerable is SA to cyber attacks?
The alarming rise in ransomware attacks means many state-owned enterprises (SOEs) and private-sector firms are only one click away from disaster. The Transnet cyber attack should sound a warning bell to enterprises that have been slow to beef up their cyber-security systems.
A tale of two securities
Criminal syndicates generally target big fish to secure sizeable ransom payments. In SA, this includes large, listed companies and SOEs, such as Transnet. Listed companies tend to be professionally managed, with risk committees routinely addressing cyber-security risks. These committees regularly adopt best-of-breed mitigation measures, such as a special focus on managed services, vulnerability assessments and contingency plans.
SOEs are another matter. Like their pitiful performance track record, the precautionary measures they implement are less than reassuring, as evidenced by the number of breaches and the reliability of systems, such as those used for vehicle registrations.
In many cases, the technology systems of SOEs are poorly designed and managed. Skills levels and capacity are also low and motivation for management in this space is a constant challenge. They are generally reliant on archaic systems and security practices.
What makes matters worse is that most are serviced by the State Information Technology Agency , making it a potentially dangerous single point of failure. Moreover, the agency has been experiencing a number of very public operational challenges over the years, effectively holding up a sign to attackers saying: “We are vulnerable.”
An ever-growing risk
Listed companies and SOEs face an ever-growing risk from cyber attacks because of their increasing reliance on digital transactions. An attack can result:
In the loss of data and access to processes integral to businesses operations;
Stolen intellectual property and trade secrets;
Reputational damage; and
Substantial financial losses.
For South African businesses the threat is two-fold. First, there is the direct threat of cyber attack which will affect their own data integrity and business functions. Second, there is the indirect threat arising from the disruption of logistics chains.
That’s exactly what happened with the Transnet cyber attack. Businesses found themselves not being able to move their goods in and out of the country.
Transnet’s Port Terminals Division ended up declaring force majeure at SA’s major port terminals, including Durban, Ngqura, Gqeberha and Cape Town. The Durban port alone handles more than half of the nation’s container shipments.
Major players, from logistics to exporters and retailers, came forward highlighting disruptions to their industries lasting several days. This delivered a substantial blow to an already struggling economy.
The Transnet cyber attack draws attention to the other vulnerable strategic points in the country. One shudders to think of the potential impact of a major attack on Eskom affecting an already pressured electricity supply or to the country’s oil and gas pipelines and refineries.
The recent attack by Darkside on the Colonial pipelines in the US resulted in fuel rationing and some fuel stations running dry.
Cyber-security has been important for decades, but over the past few years it has quickly moved to centre stage. Businesses, organisations and governments will have to invest more resources in it, including time.
An attack on the SA Revenue Service (Sars) could cripple public finances. And should telecommunication towers be targeted, channels connecting colleagues and loved ones would be cut.
Anything disrupting air-traffic control systems could have horrifying consequences.
Best precautions are often simple
A recent survey from the cybersecurity company Varonis suggested 37% of all firms have been victims of a ransomware attack at some point.
Covid-19 has worsened this as attackers take advantage of sectors in crisis — according to one measure, malicious emails are up by 600% since the start of the pandemic.
Threats to cyber security are now a factor of life; we need to learn to live with, but mitigate, the risk.
This best precautions are often surprisingly simple:
Limiting access rights to only those people absolutely required;
Implementing observability tools for constant monitoring;
Backing up data as often as possible;
Closely monitoring remote access;
Avoiding single points of failure that can compromise an entire system; and,
Reviewing the naming of key systems and files to make the job of potential hackers that little bit more difficult — naming a folder “Important files” or “Customer master-file” is just asking for trouble.
Cyber security has been important for decades, but over the past few years it has quickly moved to centre stage. Businesses, organisations and governments will have to invest more resources in it, including time.
As our world becomes ever more intertwined with technology, the importance of managing this risk is pushing it up the long list of management priorities. Ignore it at your peril.
Herman Singh is adjunct professor at the Graduate School of Business, University of Cape Town.
This article was first published by The Conversation.
Would you like to comment on this article or view other readers' comments? Register (it’s quick and free) or sign in now.
Please read our Comment Policy before commenting.