Risk managers in South Africa must suffer perpetual headaches these days. There is a crammed list of risk management priorities to constantly monitor: variable water and electricity supply, physical crime, bribery and corruption, climate change, political instability, civil unrest – the list goes on. The recent hack at Transnet is an alarming reminder of how cyber security has elbowed its way near the top of the list; and given our ever-growing reliance on technology, it’s one that’s not going anywhere.
Ransomware attacks, in which malicious software infiltrates a computer or network and seeks to limit or restrict access to critical data by encrypting files – effectively locking them – until a ransom is paid, are the fastest-growing form of cybercrime. One happens every eleven seconds globally – roughly each time you finish reading one of these paragraphs – and the average downtime after an attack is 21 days, although this depends on whether the ransom is paid or not (much maligned in public, but routinely paid in private). As with all forms of attack, these efforts range on a spectrum of sophistication: from blunt brute force to highly complex and carefully orchestrated.
This is not a uniquely South African problem by any means, but it does raise the question: how vulnerable is South Africa to cyber-attacks?
A tale of two securities
Criminal syndicates generally target big fish to secure sizeable ransom payments. In South Africa, this includes large, listed companies and state-owned enterprises (SOEs), like Transnet. The former tend to be professionally managed, with risk committees now routinely addressing cyber security risks, and regularly adopting best of breed mitigations, such as a special focus on managed services, vulnerability assessments, and contingency plans.
SOEs are another matter. Like their pitiful performance track record, the precautionary measures they implement are less than reassuring. In many cases, systems are poorly designed and managed, skills levels and capacity are low, and motivation for management in this space is a constant challenge. They are generally reliant on archaic systems and security practices, and what makes matters worse is that most SOEs are serviced by the same supplier – the State Information Technology Agency (SITA) – marking a potentially dangerous single point of failure. Moreover, SITA has been experiencing a number of very public operational challenges over the years, effectively holding up a sign to attackers saying: “We are vulnerable”.
With greater reliance on digital transactions, the risks associated with a cyber-attack, for both listed companies and SOEs, couldn’t be higher. An attack can result in the loss of data and access to processes integral to business operations; stolen intellectual property and trade secrets; reputational damage; and substantial financial losses. But South African businesses need to see the threat along two dimensions: first, the threat to their own data integrity and business functions; and, second, even if they can confidently rely on their own cyber security, they remain vulnerable to the potential logistical disruptions of SOEs being compromised, as the cyber-attack at Transnet painfully revealed.
In this particular attack, Transnet’s Port Terminals Division ended up declaring force majeure at South Africa’s major port terminals, including Durban, Ngqura, Gqeberha and Cape Town. The Durban port alone handles more than half of the nation’s container shipments. Major players, from logistics, to exporters and retailers, came forward highlighting disruptions to their industries lasting several days, which will deliver substantial blows to the already struggling economy.
The Transnet cyber-attack draws attention to the other vulnerable strategic points in our country. One shudders to think of the potential impact of a major attack on Eskom – affecting our already pressured electricity supply; or on our oil and gas pipelines and refineries. The recent attack by DarkSide on the Colonial Pipeline in the United States resulted in areas of the US rationing fuel, and some fuel stations running dry. An attack on SARS could cripple our public finances; should telecommunication towers be targeted, it would cut channels connecting colleagues and loved ones; and anything disrupting air traffic control systems could have horrifying consequences.
Best precautions are often simple
The average cost of a ransomware attack has increased from $5000 in 2018 to $200 000 in 2021, and a recent survey from Varonis suggests 37% of all firms have been victims of a ransomware attack at some point. COVID-19 has only exacerbated this as attackers take advantage of sectors in crisis – according to one measure, malicious emails are up 600% since the start of the pandemic. Threats to cyber security are now a fact of life; we need to learn to live with, but mitigate, the risk.
The best precautions are often surprisingly simple: limiting access rights to only those people absolutely required; implementing observability tools for constant monitoring; backing up data as often as possible; closely monitoring remote access; avoiding single points of failure that can compromise an entire system; and reviewing the naming of key systems and files to make the job of potential hackers that little bit more difficult – naming a folder “Important files” is just asking for trouble.
Cyber security has been important for decades, but over the last few years it has quickly moved from the wings to centre stage. Businesses, organisations and governments will now have to invest more resources in it, including time. As our world becomes ever more intertwined with technology, the importance of managing this risk is pushing it up the long list of management priorities – ignore it at your peril.
Professor Herman Singh is an adjunct professor at the University of Cape Town Graduate School of Business and the CEO of Future Advisory, an international firm specialising in digital transformation projects in corporates and start-up acceleration.
This article was originally published in The Conversation.