Although a third (35%) of South African IT decision makers in business are on high alert and expect cyber attacks, there are issues when it comes to response and accountability – and the country is not as cyber security ready as IT teams would have the market believe.
This is according to new market research by World Wide Worx, commissioned by Trend Micro and VMware, titled The State of Enterprise Security in South Africa 2019.
The research is based on the findings of a survey of 200 IT decision makers (30% CIOs and 45% IT managers) within South African enterprises.
Arthur Goldstuck, MD of World Wide Worx, said, "The most dramatic finding here is that 92% of organisations say that they are vulnerable due to outdated security and systems. If you ask about high vulnerability ... that comes in at about 77% as a result of outdated security systems."
The second biggest takeaway from the research is that 89.1% of IT decision makers cite senior management ignorance about risks and available solutions to address these risks as a major vulnerability.
According to the research, 35% of decision makers expect a cyber attack within the next few days, and 56.7% of organisations believe they will know a cyber attack has taken place "within minutes", while 33.6% say "within hours".
"That is frightening ... more than a third of enterprises are waiting for an attack, imminently, and that is why South Africans are watching their backs at the moment, because they know something is coming for them," said Goldstuck.
Of the 33% of businesses that will know within hours, Goldstuck added: "These days if you only know within hours that you've been attacked, you've probably lost all your data. You've got a massive crisis on your hands and you probably have a business continuity issue on your hands as well."
Outdated security systems and software are rendering almost half of South African enterprises vulnerable to business continuity issues and potential data loss.
Research reflected massive over-confidence in the IT department. Across the board, there is tremendous over-confidence in the readiness of the people in the organisation, and yet there is really low confidence in terms of the system protecting the organisation.
Goldstuck said: "Ninety-nine percent of IT decision makers have confidence that the IT team can protect the company from cyber attacks. So they are very ready to tell you that their systems are outdated ... 'but it's OK, we can still protect the organisation'. And what we see here is really they're protecting their own backs, they don't really want to admit that they can't work with what they have. If nine out of ten have outdated systems, clearly they're vulnerable, clearly they can't fully protect the organisation, but they've convinced themselves they can."
Respondents were asked who would be the most aware of actions to take after a data breach, and 35.8% mentioned the IT department, while 27.5% said this fell within the domain of the CIO and CISO.
54.2% of respondents said that the CIO and CISO should be most aware, while 21.5% mentioned senior leadership and only 3.7% said the IT department should be most aware.
The focus on cyber security readiness should be seen in the context of business priorities highlighted by respondents. The top two priorities mentioned are to find new customers and grow revenue.
"You've got to think of cyber security in the context of the priority to acquire customers and grow revenue. So where cyber security is falling down, it's falling down primarily on undermining the company's efforts in those first two regards," said Goldstuck.
No stand-out area
When it comes to funding and cyber security strategies, there is no longer a single stand-out budgeting priority within cyber security.
"That is largely a factor of some of the kind of breaches we've seen over the last three years. Previously the breaches were all fairly standard, they tended to be around phishing, around denial of service attacks and the like, but now the attacks are coming from everywhere and you cannot focus on only one area of security, you've got to cover everything. Encryption remains by far the most important thing," Goldstuck added.
ITWeb reports that, according to the IBM 2019 Cost of a Data Breach Study, the average cost of a data breach in South Africa has increased by over 12% from last year.
"IBM says based on four years of historical data, R43.3 million is the average total cost of data breach, which represents an increase of 12.16% from the previous year," reads an excerpt from the ITWeb article.
Lorna Hardie, Regional Director Sub-Saharan Africa at VMware, said, "We were astonished when we found that CIOs don't lead the organisation's response to a data breach. This finding shows that organisations still have a long way to go in terms of connecting a CIO's strategy to that of the IT department. What was incredibly insightful for me was really first and foremost one of the biggest contributors coming out of the fact that outdated software and infrastructure is potentially one of the biggest issues in terms of opening up to vulnerability today."