The past couple of months should lay to rest any doubt over whether South African organisations are under sustained attack from cybercriminals. Over the past three months we’ve seen well-known local healthcare and financial organisations falling victim to cyberattacks and data breaches, and in some cases being forced offline.
The local data breaches coincided with high profile attacks and outages for global brands like Twitter and Garmin. And in headline-grabbing news, credit bureau Experian reported a massive breach of data that exposed the personal information of up to 24 million South Africans and nearly 800 000 businesses.
These incidents have brought to light a battle that has been waging quietly in the background. Cybercriminals – using increasingly sophisticated techniques – are targeting South African public and private sector organisations in orchestrated attacks that could lead to devastating losses in business productivity, reputational damage and revenue.
In the Mimecast State of Email Security 2020 report, 53% of South African organisations reported increased phishing attacks and 46% reported increased incidences of impersonation fraud compared to the previous year. The coronavirus pandemic only served to accelerate the volume of attacks: a Mimecast Threat Intel report found a 75% increase in impersonation fraud in South Africa over the first 100 days of the pandemic.
As South African organisations implement systems and policies to ensure compliance to the Protection of Personal Information Act (POPIA), which comes into force in July 2021, we are likely to hear about more data breaches. This is in part because of the legislative requirement to inform customers and regulators of any breach as soon as reasonably possible. The regulator appears to have since indicated that 72 hours is a reasonable period.
Advocate Pansy Tlakula, who heads up the Information Regulator which is tasked with monitoring compliance to the POPI Act, said recently that the spike in data exposure incidents highlights the importance of understanding cybercrime and the sophisticated fraud impersonation techniques used to access company and personal data.
What can we learn from these latest data breaches? Here are the big takeaways for business and security leaders:
No organisation is immune from a data breach
Big or small, any organisation can fall victim to a data breach. As the Experian breach has showed, it’s not always computer whizzes that ‘hack’ company data. A clever fraudster posing as a trusted partner or supplier can just as easily get away with valuable internal data that can be used in cyberattacks.
Breaches are also more common than most people realise: with POPIA now in effect, organisations are duty-bound to disclose breaches. We can expect to see many more reports of data breaches over the coming months.
Don’t assume data is harmless
When the data breach at Experian was first revealed to the public, the company was quick to point out that the data – which consisted of ID numbers, phone numbers, physical and email addresses – was harmless.
However, if savvy cybercrooks gain access to this information, they can use the personal details of impacted consumers and supplement it with readily available information from social media. They can then use this to launch sophisticated social engineering attacks that make it very difficult for consumers to distinguish whether they are dealing with an authorised representative or a fraudster. It’s now come to light that the Experian data is in fact on the internet. This means that criminals can potentially use this information to launch targeted cyberattacks aimed at the individuals whose personal information was breached.
Luckily banks pre-empted this possibility. They’ve been communicating with customers to take extra care with their banking profiles and to be on the lookout for suspicious communication over the coming weeks, should their data be used in attempts to access bank accounts.
Develop a layered security strategy
While nearly all (94%) cyberattacks leverage email, organisations can’t afford to only focus on their email perimeter. The threat landscape has shifted to the point where organisations need to approach security with three zones in mind:
- at the email perimeter, where security controls can detect and block malicious emails;
- inside the organisation, which includes protecting against internal threats and awareness training; and
- beyond the perimeter, where cybercriminals are finding great success with brand impersonation that can trick unsuspecting customers and partners into offering up important information or into making payments to fraudulent bank accounts.
Organisations should deploy brand exploit protection to ensure their domains are not being subverted by cybercriminals and to enable them to take swift action should any brand exploitation be detected.
In the Experian example, brand protection is a consideration in two situations. Firstly, it was likely a missing security component for the customer or supplier that the fraudster impersonated to trick Experian into handing over the data. Secondly, banks and other trusted brands would be smart to have brand exploit protection in place, to ensure criminals don’t impersonate them and target their customers with sophisticated attacks.
Focus on empowering your people
Even with the best cyber defences, organisations remain susceptible to data breaches if they don’t have a strong human firewall. Studies suggest human error plays a role in 90% of all data breaches. Mimecast found that users who had been exposed to cyber awareness training were over 5 times less likely to be taken in by certain types of fraud.
One of the most effective cybersecurity strategies is to conduct regular, memorable and on-going awareness training to ensure employees can identify and avoid risky online behaviour. In addition, organisations need to identify high-risk employees or job titles – such as those in finance – that cybercriminals are likely to target, and ensure they invest in additional awareness training and security controls for such employees.