Self defence With cyberthreats on the rise, companies are taking steps to safeguard themselves against attacks You know that cybercriminals are brazen when they attack even the most online-savvy members of society – gamers. Those digital natives know their way around PCs, consoles and the virtual world, and yet cybersecurity firm Kaspersky detected an increase in cyberattacks against online gamers in South Africa and Kenya in the first half of 2022. The number of those attacked by malicious software (which gathers sensitive data and spreads under the guise of the most popular gaming titles) has increased worldwide by 13% compared to the first half of 2021. Attackers reportedly spread RedLine malware among those playing well-known games such as FIFA, Minecraft and newly released parts of big series, such as Elden Ring, Halo and Resident Evil. ‘RedLine is password-stealing software that extracts sensitive data from the victim’s device, such as passwords, saved bank-card details, cryptocurrency wallets and credentials for VPN services,’ says Kaspersky. ‘We expect to see new types of attacks on gamers in the next year. For example, strikes on e-sports, which are now gaining huge popularity around the world.’ Gamers are just one small sub-group affected by the explosion of cyber-related incidents. As businesses, governments and people are increasingly hyper-connected through the internet, mobile communications and digitalised supply chains, the frequency and sophistication of cyber incidents is also escalating. While cyberthreats also include accidental data breaches, the most serious ones are politically motivated (orchestrated by nation-states or terrorist organisations), or for economic gain (by criminal organisations, industrial spies or business competitors). Organisations that have a mature approach to cybersecurity are reportedly half as likely to become the target of a cyber incident Cybercriminals continue to adapt new technologies, tailoring their attacks using innovative methods and co-operating with each other, according to the WEF. In its Global Cybersecurity Outlook 2022, the forum – together with Accenture – describes how organised crime groups such as the Mafia are undergoing a digital transformation, paying hackers to support criminal activities, including extortion and drug trafficking. ‘Hiring cybercriminals for service is becoming a widely used and open practice,’ according to the report. ‘Additionally, organised crime groups often fold cybercriminals into lawful business operations, further obfuscating visibility between legitimate and criminal actors.’ Perhaps it’s not surprising then that ‘cyber incidents’ feature as the biggest business risk in South Africa, Nigeria and worldwide in the 2022 Allianz Risk Barometer. ‘The threat of ransomware attacks, data breaches or major IT outages worries companies even more than business and supply-chain disruption, natural disasters or the COVID-19 pandemic, all of which have heavily affected firms in the past year,’ notes the Allianz insurance group. ‘Cyber incidents also rank second in Ghana, fourth in Morocco and Namibia, fifth in Kenya. The main driver is the recent surge in ransomware attacks, which are confirmed as the top cyberthreat for the year ahead by survey respondents (57%).’ Ransomware is malware designed to block access to a computer system – encrypting an organisation’s data or servers and rendering them useless until ransom is paid. In June last year, the FBI said it was investigating 100 different strains of ransomware in circulation worldwide. The latest ransomware attacks have evolved into operations that take a long and slow approach to infiltrate a network over time, typically without being detected. ‘Once the niche of spray-and-pay spam, you’re now more likely to find ransomware tacked on to the tail-end of a highly crafted attack sequence we define as RansomOps – ransomware in its most pernicious, pervasive and professional form,’ says Brandon Rochat, sales director at Cybereason Africa. He explains that there are ransomware gangs (such as REvil, Conti and DarkSide), and that these set themselves apart by their technical sophistication, data exfiltration for double extortion and attraction to big-name targets. Large-scale ransomware attacks have targeted Africa’s largest retailer Shoprite, the City of Johannesburg and its electricity utility City Power, South Africa’s Office of the Chief Justice, and Telkom, among many others. In 2021, South Africa’s state-owned ports and rail authority Transnet was also held ransom, which had a serious impact on the container-handling facilities in Cape Town as well as Durban, the busiest port in sub-Saharan Africa. Ransomware is among Africa’s top five cyberthreats, as identified by Interpol. The other top cyberthreats are (and not necessarily in this order) online scams (fake emails or text messages claiming to be from a legitimate source used to trick individuals into revealing personal or financial information); digital extortion (victims are tricked into sharing sexually compromising images that are used for blackmail); business email compromise (criminals hack into email systems to gain information about corporate payment systems, and then deceive company employees into transferring money into their bank account); and botnets (networks of compromised machines are used as a tool to automate large-scale cyberattacks). Interpol points out that Africa has the world’s fastest-growing telephone and internet networks, and makes the widest use of mobile-banking services, which – coupled with a lack of cybersecurity policies and standards – exposes the continent to major cyber risks. This makes it critical to establish a robust cybersecurity framework. ‘Cybercriminals in this modern era are changing tactics to include data exfiltration, targeting personal user information and targeting organisations that attempt to aggregate, combine, compare and analyse data to better service their consumers,’ says Anthony Muiyuro, cyber lead at KPMG East Africa. ‘Therefore, today, a much larger focus is needed on not only mitigating threats but in the way organisations are set up to deal with them.’ His firm’s recently launched Africa Cyber Security Outlook 2022 found that the continent’s cyber strategy is on its way to addressing this and becoming more mature. Seventy-five percent of the large companies surveyed by KPMG reported having strategies that were either regularly refreshed or had been built in alignment with the organisation’s threat profile, with measurable key performance indicators. Furthermore, 61% of companies have implemented a clear data-protection or governance approach, with 80% reporting the establishment of robust frameworks and well-defined strategies to mitigate security and privacy risks. ‘Organisations that report having a mature approach to cybersecurity strategy have been subject to half the number of cyber incidents reported across organisations that have not proactively dealt with cyber strategy,’ according to KPMG. ‘In fact, 46% of those that don’t have a standard approach to data protection, privacy and cybersecurity fell victim to cyberattacks, compared to 28% that have robust security in place.’ Companies should look to appointing a CISO to focus on preventing cyberattacks from taking place in their businesses To improve their cyber resilience, companies must focus on building cyber skills, says Muiyuro. He highlights the need for highly specialised cybersecurity resources with skills for cyber leadership, securing and testing systems. While smaller companies often outsource the management of their cybersecurity (cybersecurity as a service/CSaaS), larger organisations have been appointing their first chief information security officer (CISO) to take charge of their cybersecurity function. ‘Many CISOs currently report to the chief information officer and this may not give sufficient visibility for security change and stronger governance as, ultimately, they become responsible for the overall security strategy,’ says Spiros Fatouros, CEO of insurance broker and risk adviser Marsh Africa. ‘With many organisations moving towards digital transformation together with remote and hybrid working models, it becomes necessary for the CISO to have a seat at the C-suite table. ‘Cybersecurity is a business risk and it’s the CISO’s responsibility to bridge that gap between technical and business risk, as well as to communicate that message to the C-suite and the board. The one challenge of a CISO is to convince business leaders to invest funds in cybersecurity, and this is difficult if the risk is not understood and measured or quantified.’ At the inaugural meeting of CISOs held recently in Sandton, organised by ITWeb and Brainstorm, participants indicated that while cybersecurity had become a board priority, they still faced challenges with getting buy-in throughout all levels of their organisation, as well as issues around funding, shortage of skills and demonstrating return on investment. In addition to phishing and ransomware as top external threats, CISOs also warned of the significant security risk from insider threats. Manoj Puri, CISO at Absa, was quoted as being especially concerned about risks from third-party suppliers and partners (of which Absa has about 10 000). ‘We are all now connected, such that a breach in one firm puts our shared customers’ data at risk,’ he said, calling for better collaboration. ‘We have to understand that a security incident in one of us has a huge impact on all of us.’ IT Web reported his counterpart at MTN, head of group information security Justin Williams, as saying that ‘it pains me every time I see an organisation making headlines because of a cybersecurity event, whether it’s a data breach, a ransomware attack or an extortion attack. This is because somewhere out there, there is another CISO working more hours under extreme stress, while trying to keep the team together, if they have a team at all’. To reduce the risk, Williams advises protecting the entire ecosystem by ensuring that third parties also have robust security systems in place. Crucially, companies need to implement strict cyber hygiene, based on regular habits to keep the IT hardware, software and infrastructure clean of viruses and other threats. This involves cybersecurity training for employees and limiting the use of ‘shadow IT’ (devices and applications used on an office network without the knowledge of the IT department, for example flash drives, WhatsApp messaging and peer-to-peer file-sharing such as Dropbox and Apple AirDrop). Furthermore, a ‘zero trust’ approach may reduce insider threats by ‘trusting no one, verifying everything’. As the cyberthreat landscape is constantly shifting with more and increasingly brazen attacks, organisations in Africa need to understand that it is not so much a question of whether they will be hacked, but more how they will bounce back when it happens. By Silke Colquhoun Images: Gallo/Getty Images