
The second pandemic

To a large degree, your organisation will be judged by its response

It’s a near certainty that you will be breached. What can be done? 

It’s hard to know exactly how many breaches there are in any given year. Some companies won’t report it, or at least not publicly, and not all breaches involve the leaking of customer information. Some are not a result of criminal activity, such as a staff member inadvertently exposing some information. This will also be classified as a ‘security incident’. Larger, listed firms, however, do tend to make it public, the thinking probably being that it’s better to be in control of communication than to have it leaked to the press. The PoPI Act is going to be coming into force on July 1 next year. It’s a Thursday. After this, companies found to be negligent in their dealing with personal information will be censured, possibly financially, as can be seen in many cases in Europe this year. Companies will not only have to pay to scramble back to business, but there could be a sizeable fine in the post when they get round to answering the mail.

A number of local banks fended off DDoS attacks in October 2019, and City Power was hit by ransomware in July of that year. In September, it was the turn of Garmin to suffer a data breach. Life Healthcare reported a data breach in June 2020, and credit bureau Experian leaked the details of tens of millions of South Africans in August. In that same month, Momentum Metropolitan said it had been hacked, as did Lombard Insurance, and the following month saw construction firm Stefanutti Stocks suffer a ransomware attack.

Many of these firms have mature security stacks and experienced security leaders, and yet still became victims. This is the great conundrum: if we’re aware of the omnipresent danger, why aren’t we better prepared?

Thick as thieves

The rise in ransomware-as-a-service is perhaps one reason why there have been more breaches this year. Here, others mount the attack and collect the money, while the malware author can get on with what they do best, like writing more malware. The author is, in turn, paid a fee for the use of the product.

Following a breach, the first thing you should never say is, ‘We take security extremely seriously’, which has become something of a standing joke among security professionals.

A better question, posed behind closed doors to the board and your security team, is: “Are we taking security seriously?”

To a large degree, your organisation will be judged by its response. Fortunately, there is plenty of literature to prepare you for this unfortunate reality, and there’s a field of study that’s grown up around effective, and poor, communication after a cyber event.

DR is no longer enough

It’s self-evident that many criminals are in the business of monetising the data that they steal from you. With the rise in ransomware, data is more at risk, and it’s no longer wise to just rely on disaster recovery or business continuity backups. In some cases, these will also be deleted or corrupted, meaning it can be a very long road to get back to business, if that’s even possible.

Security teams need to understand what the most important data in the business is, and then focus on protecting it. It also needs to be clean data, lest it reinfect the network when it’s brought back online. In this case, some kind of air-gap solution might be worth investigating.

Much has been said about people being the weakest link in the security chain. After all, they’re the ones answering all the emails. It still appears that security teams have a long way to go in the way in which they manage people. First, outside of those industries in which security is paramount, such as financial services, many boards rely on the CIO for guidance around security, and for one reason or another – often around resources – many companies remain vulnerable. As for the staff, the security team is not doing well at all, to judge by one research report. Typically, there’s little communication between the security teams and the general staff, such as warning them of a phishing attempt that’s doing the rounds. And if a staff member comes across a suspicious mail, what do they do, and whom do they call? Many, I’m willing to bet, just keep quiet.
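The point about “clean data” above is easy to state and easy to skip in the rush to get back to business. The following script is an added illustration and is not part of the original article: it shows one way a restore can be gated on two checks, a hash manifest that was written when the backup was taken and kept off the network (the air-gapped side), and a compromise start time supplied by incident response. Backups whose hashes no longer match, or that were taken after the attacker is believed to have had access, are refused. The file names, contents and dates are constructed sample data; the manifest format and the `compromise_start` input are assumptions of this example, not anything the article specifies.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data):
    """Hex SHA-256 of a backup artefact's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files, taken_at):
    """Record the hash and capture time of each artefact in a backup set.

    The returned manifest is what you keep off the network (for example on
    the air-gapped side), so a later intruder cannot rewrite it to match
    tampered backups. Format is an assumption of this example.
    """
    return {
        name: {"sha256": sha256_hex(data), "taken_at": taken_at.isoformat()}
        for name, data in files.items()
    }


def restore_verdicts(manifest, candidate, compromise_start):
    """Classify every artefact before anything is brought back online.

    compromise_start is the earliest time incident response believes the
    attacker had access (an assumed input). Backups taken at or after it are
    treated as dirty even when their hashes match, because they may already
    carry the intruder's changes.
    """
    verdicts = {}
    for name, data in candidate.items():
        entry = manifest.get(name)
        if entry is None:
            # Something on the backup share that the clean manifest never listed.
            verdicts[name] = "missing-from-manifest"
            continue
        taken_at = datetime.fromisoformat(entry["taken_at"])
        if taken_at >= compromise_start:
            verdicts[name] = "taken-after-compromise"
        elif sha256_hex(data) != entry["sha256"]:
            verdicts[name] = "hash-mismatch"
        else:
            verdicts[name] = "ok"
    for name in manifest:
        if name not in candidate:
            # Listed in the manifest but gone from the share: deleted or renamed.
            verdicts[name] = "not-present"
    return verdicts


def safe_to_restore(verdicts):
    """Only restore when every artefact the manifest lists is present and clean."""
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())


# Constructed sample data: the crown-jewel files of a fictional company.
GOOD_SET = {
    "customers.db": b"id,name,email\n1,Thandi,thandi@example.invalid\n",
    "config.json": b'{"retention_days": 30}\n',
}
GOOD_TAKEN_AT = datetime(2020, 8, 1, 2, 0, tzinfo=timezone.utc)
COMPROMISE_START = datetime(2020, 8, 10, 0, 0, tzinfo=timezone.utc)

# Manifest written when the clean backup was taken and stored out of band.
MANIFEST = build_manifest(GOOD_SET, GOOD_TAKEN_AT)

# What actually sits on the backup share after the incident (constructed): one
# file has been overwritten, simulating ransomware output, and a stray file
# has appeared.
TAMPERED_SET = {
    "customers.db": b"\x00encrypted-by-ransomware\x00",
    "config.json": GOOD_SET["config.json"],
    "README_FOR_DECRYPT.txt": b"pay up",
}

# A manifest for a backup taken after the attacker was already inside.
LATE_MANIFEST = build_manifest(
    GOOD_SET, datetime(2020, 8, 12, 2, 0, tzinfo=timezone.utc)
)


if __name__ == "__main__":
    verdicts = restore_verdicts(MANIFEST, TAMPERED_SET, COMPROMISE_START)
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    print("safe to restore:", safe_to_restore(verdicts))
```

The two checks deliberately fail closed: a single unknown or mismatched file blocks the whole set, which forces the decision to restore anyway to be a conscious one rather than a default. The manifest only helps if it really is unreachable from the production network; a manifest stored next to the backups can be rewritten along with them.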

As we draw the veil over this year, it might bear reflecting on what we’ve learned about distributed workforces and security. Here’s a prediction: it’s going to get worse. In 2021, there will be blood.