The past couple of months should lay to rest any doubt
over whether South African organisations are under sustained attack from
cybercriminals. Over the past three months we’ve seen well-known local
healthcare and financial organisations falling victim to cyberattacks and data
breaches, and in some cases being forced offline.
The local data breaches coincided with high profile
attacks and outages for global brands like Twitter and Garmin. And in
headline-grabbing news, credit bureau Experian reported a massive breach of
data that exposed the personal information of up to 24 million South Africans
and nearly 800 000 businesses.
These incidents have brought to light a battle that
has been waging quietly in the background. Cybercriminals – using increasingly
sophisticated techniques – are targeting South African public and private
sector organisations in orchestrated attacks that could lead to
devastating losses in business productivity, reputational damage and revenue.
In the Mimecast State of Email Security 2020 report,
53% of South African organisations reported increased phishing attacks and 46%
reported increased incidences of impersonation fraud compared to the previous
year. The coronavirus pandemic only served to accelerate the volume of attacks:
a Mimecast Threat Intel report found a 75% increase in impersonation fraud in
South Africa over the first 100 days of the pandemic.
As South African organisations implement systems and
policies to ensure compliance to the Protection of Personal Information Act
(POPIA), which comes into force in July 2021, we are likely to hear about more
data breaches. This is in part because of the legislative requirement to inform
customers and regulators of any breach as soon as reasonably possible. The
regulator appears to have since indicated that 72 hours is a reasonable period.
Advocate Pansy Tlakula, who heads up the Information
Regulator which is tasked with monitoring compliance to the POPI Act, said
recently that the spike in data exposure incidents highlights the
importance of understanding cybercrime and the sophisticated fraud
impersonation techniques used to access company and personal data.
What can we learn from these latest data breaches?
Here are the big takeaways for business and security leaders:
No organisation is immune from a data breach
Big or small, any organisation can fall victim to a
data breach. As the Experian breach has showed, it’s not always computer
whizzes that ‘hack’ company data. A clever fraudster posing as a trusted
partner or supplier can just as easily get away with valuable internal data
that can be used in cyberattacks.
Breaches are also more common than most people
realise: with POPIA now in effect, organisations are duty-bound to disclose
breaches. We can expect to see many more reports of data breaches over the
coming months.
Don’t assume data is harmless
When the data breach at Experian was first revealed to
the public, the company was quick to point out that the data – which consisted
of ID numbers, phone numbers, physical and email addresses – was
harmless.
However, if savvy cybercrooks gain access to this
information, they can use the personal details of impacted consumers and
supplement it with readily available information from social media. They can
then use this to launch sophisticated social engineering attacks that make it
very difficult for consumers to distinguish whether they are dealing with an
authorised representative or a fraudster. It’s now come to light that the
Experian data is in fact on the internet. This means that criminals can
potentially use this information to launch targeted cyberattacks aimed at the
individuals whose personal information was breached.
Luckily banks pre-empted this possibility. They’ve
been communicating with customers to take extra care with their banking
profiles and to be on the lookout for suspicious communication over the coming
weeks, should their data be used in attempts to access bank accounts.
Develop a layered security strategy
While nearly all (94%) cyberattacks leverage email,
organisations can’t afford to only focus on their email perimeter. The threat
landscape has shifted to the point where organisations need to approach
security with three zones in mind:
- at the email perimeter, where security controls can detect and block malicious emails;
- inside the organisation, which includes protecting against internal threats and awareness training; and
- beyond the perimeter, where cybercriminals are finding great success with brand impersonation that can trick unsuspecting customers and partners into offering up important information or into making payments to fraudulent bank accounts.
Organisations should deploy brand exploit protection
to ensure their domains are not being subverted by cybercriminals and to enable
them to take swift action should any brand exploitation be detected.
In the Experian example, brand protection is a
consideration in two situations. Firstly, it was likely a missing security
component for the customer or supplier that the fraudster impersonated to trick
Experian into handing over the data. Secondly, banks and other trusted brands
would be smart to have brand exploit protection in place, to ensure criminals
don’t impersonate them and target their customers with sophisticated attacks.
Focus on empowering your people
Even with the best cyber defences, organisations
remain susceptible to data breaches if they don’t have a strong human firewall.
Studies suggest human error plays a role in 90% of all data breaches. Mimecast
found that users who had been exposed to cyber awareness training were over 5
times less likely to be taken in by certain types of fraud.
One of the most effective cybersecurity strategies is
to conduct regular, memorable and on-going awareness training to ensure
employees can identify and avoid risky online behaviour. In addition,
organisations need to identify high-risk employees or job titles – such as
those in finance – that cybercriminals are likely to target, and ensure they
invest in additional awareness training and security controls for such
employees.
