Cyber Security in Africa: The top-down approach
Africa’s thriving economies have an undeniable link to the success of technology on the continent. However, with these advancements comes the threat of hacking, cybercrime and malware. Cyber security is a growing concern for African organisations; as technology evolves, so will the nature and prevalence of cyber threats. Much like death and taxes, cyber security has become a part of our day-to-day lives, and it is something that can have a negative impact on both individuals and organisations.
As companies look for more effective ways to connect with their consumers, cyber security is posing a huge risk and, because of these close ties, a breach has the potential to compromise customer loyalty and trust.
A threat to customer retention
A survey conducted for the 2015 KPMG Global CEO Outlook revealed that, of over 1200 chief executives from some of the world’s biggest companies, 86 percent were concerned about the loyalty of their customers. Since security breaches can weaken customer confidence while also damaging the brand’s reputation, organisations are under increasing pressure to build robust security into their products.
Consumers are starting to decide whether to continue using, or to consider using, a specific product or service based on the organisation’s cyber security resilience. If an organisation has had a recent breach or is known to have a weak cyber security posture, consumers are less likely to continue using the product or service, or are unlikely to opt in at all. This is because consumers are becoming more aware of the impact of a cyber breach and have become increasingly cautious about who they give their personal and financial information to.
Traditionally, cyber security has not been viewed as a strategic issue, and though businesses predominantly use digital channels as their route to the customer, they are not always engaging with cyber experts. Many organisations have not interrogated the ways in which criminals could potentially exploit their systems and do not appreciate the level of technology present in their products.
From boardroom to basement
Historically, cyber security has been considered an Information Technology (IT) issue and is perceived to only affect IT-related services. More recently, organisations are coming to accept that to adequately tackle cyber security, the entire business has a role to play, from boardroom to basement. Over and above IT, cyber security touches on Human Factors, Legal and Compliance, Leadership and Governance, Information Risk Management and Business Continuity. When it comes to cyber security, I see employees as the weakest link due to phishing and social engineering attacks. Cyber criminals are less inclined to take the more difficult, technically challenging approach to compromising an organisation when it could potentially be as easy as an email or phone call to an employee.
Social engineering through techniques such as phishing emails is a key and common element of all major cybercrime campaigns, which underlines the need for organisations to run ongoing security awareness campaigns and training for their staff to help minimise the success rate of these “human-based” attacks. The most innovative companies have identified cyber security as a customer experience and revenue opportunity, treating it not simply as an IT issue but as a responsibility encouraged across the entire organisation. While the role of the Chief Information Officer (CIO) is becoming increasingly important, its effectiveness has been questioned because many CIOs are not part of the C-suite inner circle and are not respected as business partners. This consequently leads the entire organisation to concede its security responsibility to the IT department, instead of integrating it into its behaviour and processes.
Whether it is the CIO or the CISO (Chief Information Security Officer), what matters is not the title within the organisation but the influence on the executive and board members. The concerns surrounding cyber security are more than just an IT issue and need the buy-in of the C-suite in order to be effectively addressed.
As a way to combat cyber threats, it has been suggested that organisations share information about their own security threats with their competitors, or alternatively create collaborative networks where they offer rewards to white-hat hackers, for example.
In my view collaborative efforts are, undoubtedly, going to be the most effective way of addressing cyber security in the near future. The concept, however, is still in an “incubation” phase, as we have not yet seen an effective, central, trusted implementation of cyber security collaboration on a big scale, although there has been some research and discussion around what this should look like and how it should be managed. White-hat hackers, or “ethical hackers”, are only one piece of the puzzle, although a very important piece, as they assess the organisation’s posture, resilience and susceptibility to cyber-attacks by performing authorised attacks against the organisation.
The ultimate aim of this exercise is to assess risks and make recommendations as to how an organisation can better withstand these types of attacks. Organisations must bear in mind, though, that these assessments are performed at a point in time and their findings are therefore subject to the same limitation: the cyber security landscape, threat actors and attack surfaces are constantly changing, so the organisation would need to ensure these assessments are performed regularly. The complex part is that organisations are not inclined to share their risks, vulnerabilities and breaches with just anyone, as this is highly sensitive information.
Also, who would be independently trusted enough to hold and coordinate this information? Even worse, what happens when the “Central Cyber Collaborative Hub” itself gets breached or compromised? The proactive option is for organisations to constantly test for weak spots within their own systems, understand the threat landscape and get to know their enemy through security intelligence. This level of preparation makes the difference between organisations that recover quickly from an incident and those that suffer a lasting impact.
Work your plan
Organisations should ensure that they have a robust plan in place to adequately detect and respond to cyber-attacks. The plan needs to take into account that the entire business has a role to play, including, but not limited to, the IT team, the legal team, public relations and human resources. In addition, this plan would need to be reviewed, tested and adapted regularly, as the cyber security landscape, threat actors and attack surfaces are constantly changing. Despite increased media coverage of high-profile breaches, many top executives on the continent still believe their organisation has no valuable data and will not be targeted, not understanding that simply being connected to the internet makes any organisation interesting to cyber criminals.