Cyberattacks on South African companies are on the rise. Local insurers and incident response teams are reporting the highest level of incidents they have ever seen, and as these attacks become more frequent and sophisticated, local businesses can expect to suffer harmful data breaches.
This is according to Mimecast’s seventh annual state of e-mail security report, which reveals that 68% of local organisations have experienced an increase in e-mail threats, with 44% saying it was a significant increase, higher than all other countries and against a global average of 29%.
“Using e-mail remains the primary communication method for businesses, mainly due to its ease of use. However, with this also come security pitfalls,” says Ryan van de Coolwijk, product head: cyber at iTOO Special Risks.
“Business e-mail compromise is now the most common cause of insurance claims we are currently seeing, as some hackers are seemingly pivoting away from ransomware given the successes they are having with email-based attacks and how quickly and easily they can monetise this data.”
However, despite many cybercriminals shifting to e-mail based attacks, Van de Coolwijk warns that ransomware threats are far from dead, and in fact have seen a recent resurgence, both locally and internationally. The report states that 52% of South African companies were harmed by a ransomware attack in the past 12 months.
The research also reveals that collaboration tools remain a potential vulnerability, with 93% of companies agreeing that collaboration tools are essential to the well-ordered functioning of their companies. However, 70% say collaboration tools are posing significant new security risks. Additionally, 61% expect to be harmed in 2023 by a collaboration-tool-based attack.
“There has been a huge surge in the use of collaboration tools over the past three years, as many companies are still operating with hybrid workforces that rely on collaboration tools to maintain, contact and conduct virtual meetings. Unfortunately, this wide adoption and use of collaboration tools that has made them an easy target for hackers,” says Van de Coolwijk.
In terms of cyber awareness, the Mimecast report says that eight out of 10 respondents believe their company is at risk due to inadvertent data leaks by careless or negligent employees, with a quarter saying the risk was extremely high. Furthermore, 52% identified insufficient employee awareness of cyber threats as their organisation’s biggest security challenge in 2023.
South African companies also expressed concern about employees making serious security mistakes in the following activities: misuse of personal email (81%), using cloud storage and other shadow IT (78%), poor password hygiene (77%) and using collaboration tools (69%). Encouragingly, 28% train their staff on an ongoing basis.
Not always a hack
“It is important for organisations to remain cognisant of the fact that data leaks can happen due to incorrect actions by employees, such as providing information to the wrong person. It does not always have to be a hack,” he says.
“It is therefore strongly advised that companies make use of additional security measures, such as two-factor authentication, longer passwords and pass phrases that are less vulnerable to exploitation.”
However, having adequate security measures in place also comes down to money. Among its other findings, the report shows that 72% of companies say they need to spend an average of 13.5% more on cybersecurity – the highest percentage globally.
“I expect this figure to increase with time, and prove to be a big challenge due to the economic pressures that businesses find themselves under in South Africa. We are faced with rising inflation that is having an impact on the economy, as well as load shedding and higher interest rates. Thus, to find an additional 13.5% for the cyber budget is a big ask for many,” says Van de Coolwijk.
In terms of cyber defences and readiness, he notes that many local companies are doing a lot to protect their environments, but some still remain badly exposed, as they have not adopted principles and processes to ensure that they are adequately protected.
The Mimecast report shows that 97% either have a system to monitor and protect against e-mail borne threats or are actively planning to roll one out, while 94% think they need stronger protections than those that come with their Microsoft 365 and Google Workspace applications.
Adhere to fundamentals
“We need to be cognisant that trying to find additional budget is really difficult, but adhering to some of the fundamentals of security does not have to cost a fortune. For example, companies can roll out two-factor authentication where possible; if they lack budget, they can adopt pass phrases and more complicated credentials instead of simple passwords that are easily compromised,” he says.
“Patching also remains important and organisations should apply security patches as close to when they are released as possible. These patches are released to address known security exploits that are vulnerable to hackers; the longer you have the exploit available and running in your environment, the more opportunities hackers have, so cut down the window of opportunity.”
Furthermore, the report shows that South African companies are divided on the value of cyber insurance policies, with 56% seeing them as worthwhile additions and 39% not seeing cyber insurance as part of a comprehensive safety net.
“The fact that more businesses are becoming aware that they have exploits they must defend against is a positive. But while companies are constantly looking for mechanisms to secure against attacks, it is an ongoing battle. Just as they tick some boxes, hackers simply move the goal posts,” says Van de Coolwijk.
“A cyber insurance policy has big value as a safety net, as it helps to protect against things you haven’t foreseen, especially in a landscape that is always changing and forcing you to catch up all the time, while having to apply more resources to implement controls to defend against threats.”
- This promoted content was paid for by the party concerned