By Graham Croock, Head of IT Audit, Risk and Cyber Lab at BDO SA
Incidents of cybercrime are on the increase nationally and globally, prompting the business community to raise its game or risk the financial devastation caused by a cyberattack or data breach. Some of the figures are terrifying. As digitisation for both consumers and enterprises accelerates, the cost of data breaches are expected to increase to $2.1 trillion globally by 2019, increasing by almost four times the estimated cost of breaches in 2015, according to Juniper Research.
And that's just what the experts know. According to the World Economic Forum (WEF), a significant amount of cybercrime goes undetected - be it from hackers using zombie viruses or the murky underworld of industrial espionage where access to documents and data is difficult to spot.
Cybersecurity is not just a technology issue. A recurring theme throughout modern research, is how vital the human factor is in the fight against cybercrime. People are often the weakest link in preventing cyberattacks or a data breach. Be it finding the right skills and talent to build an organisation’s cybersecurity policy, or raising awareness amongst staff about basic measures they can take to strengthen operations.
African businesses, specifically, find themselves at a crossroads, where they must balance digital transformation with a greater focus on security policies and how to protect customer data.
This is not just a big job for businesses, but governments across the Sub-Saharan region carry a heavy burden too - particularly when it comes to data protection. With Africa's digital economy continuing to scale up rapidly, the need is becoming more apparent for regulation and legislation to match. Approaches to the protection of data are changing across Africa, affecting both the digital privacy of citizens and the obligations of those that hold customer information.
Establishing a regulatory framework that both protects citizens and allows for healthy economic development should be the end goal for many African nations. As in the long run, getting cybersecurity and data protection right will benefit all parties - consumers, businesses and governments alike - which is why now is the time for positive action.
Security breaches are commonplace across Africa. An astonishing two thirds of respondents surveyed during 2015 /16 have experienced a security breach in the last 12 months.
Almost 10% of surveyed respondents claim their organisation has suffered more than 10 security breaches, while almost half state they have encountered between one and five security breaches.
According to Gemalto's Breach Level Index, in South Africa alone, data breaches increased 15% in the first half of 2016.
Africa's two largest economies, South Africa and Nigeria, are estimated to be losing $5130m annually to cyber criminals like hackers, fraudsters and those intent on digital sabotage, according to a recent report from security software maker McAfee.
The problem appears to be getting more acute year on year. The severity of cyberattacks in East Africa alone was 37% higher in 2016, compared with the previous year, according to independent risk consultancy Control Risks which works with a variety of clients to assess threat levels.
BDO’s research has proven that, "Cyber criminals are getting noticeably more technologically smart "They are getting better at exploiting the data they manage to steal, and they are stealing it much more proficiently. They used to just go for financial targets, like credit cards. They are now upping the ante and stealing intellectual property for sale on the dark web. They are taking data from various sources to create pots of valuable data for sale."
BDO’s research has proven that, “Bring Your Own Device”, (BYOD) is most definitely a security incident waiting to happen for many businesses. But in Africa, where many employees own multiple devices, the risks are stacked even higher. The demand for BYOD at offices in South Africa has soared as many employees bring two, three or sometimes even four devices with them to work. This can make the task of securing internal networks even harder for organisations. Particularly when employees fail to keep their devices timeously updated.
Mobile data can be expensive in many African countries, and many consumers’ put-off updating apps or their device's operating system in order to conserve valuable data. Older device operating systems - particularly Android 3 and 4 - are less secure, and so consumers are putting themselves and their organisations at risk by not updating.
Businesses need to accept that employees will be bringing in multiple devices and give them the means to use those devices in a secure manner, or be more draconian about it and instruct them not to use personal devices inside the work environment. BDO suggests that businesses, provide a dedicated Wi-Fi network for internal use and raise awareness about device security. Things employees should be watching out for include malicious apps lurking in app stores (less so in the Apple app store, but more so in Google Play) and malicious hotspots. Rogue apps are a particularly strong concern for banks, with a few big names in the business caught out by subtly altered versions of popular banking apps appearing in app stores, which lure customers to part with mobile banking passwords.
We live in a world where you go somewhere and immediately look for the nearest Wi-Fi network. But using a public Wi-Fi network brings with it risk - the network could also be used by compromised devices or the hotspot itself could be malicious.
Wi-Fi fraud is simple and easy to do, so too are the man-in-the-middle attacks against older apps which don't have such good security.
These attacks are made out to be sophisticated but in reality they are not. Look at what happened to TalkTalk in the UK, which lost personal data from over 150,000 customers during a cyberattack. The organisation didn't take basic steps to protect itself and the hacker turned out to be a 15 year old boy who didn't really know what he was doing. It is tremendously embarrassing.
Because there has been no real push to make it mandatory for organisations to report these types of fraud or data breaches, it is hard to quantify the number of attacks. But from what SensePost is hearing, consumers are getting attacked and it is easy for attackers to exploit information and gain access to money.
Security is often the last thing businesses think about. They do not assume criminals are after their information. They are and businesses need to be much smarter with how they handle customer data.
Read more BDO Insights