As many companies are increasingly digitising their operations and adopting the internet of things platforms, software security experts warn of an increase in cyber crime.
Digital transformation is a significant focus for innovation and investment, triggering the creation of millions of new companies and is one of the drivers of the internet of things, which will see 50-billion devices connected to the internet by 2020, according to information technology giant Cisco.
The internet of things is a network of objects or devices — or "things" — that have embedded technology to enable them to interact with each other. It includes security systems, thermostats, electronic appliances, home lighting, medical devices, cars and traffic lights.
Most cars are installed with tracking devices that, among other things, monitor driving patterns. The information is sent to service providers such as insurance companies.
Sensors, which are becoming a big element of the internet of things, are being installed in many parking areas to alert motorists to free parking spaces, among other useful applications of the system.
Adam Philpott, director of cybersecurity at Cisco for Europe, Middle East, Africa and Russia, says the internet of things, mobility and the cloud increase the scale and range of threats to be faced.
Many devices are not designed with security in mind and can be subverted to cause harm. Threats will increase with the internet of things, he says.
The desire to connect and collaborate any time on any device from anywhere results in even the most security-savvy people sometimes doing things that expose them and all their connections to significant risk.
A survey by Vodafone, which owns 65% of Vodacom, shows that 90% of respondents in SA believe that the internet of things is critical for the future success of organisations in their sectors, while 88% of them are of the opinion that seeing real success and value from the internet of things requires significant financial and time investment. More than 50 small to medium-sized enterprises in SA were interviewed for the survey.
At least 48% of South African companies interviewed plan to launch new connected solutions in the next 12 months.
Cybercrimes range from bank card cloning to denial-of-service attacks, which prevent users from accessing services; and ransomware, which encrypt data and hold it to ransom. Cybercrime has cost companies billions of rand.
Philpott says that most smart-device users do not realise they are essentially deploying a tiny web-enabled server in their home. It means as more electronic devices are connected to the internet, users are deploying many devices that can be subverted to cause harm, unless they take extra caution.
Cisco, which has made significant investments in security platforms, blocks 20-billion threats a day – almost three for every person on the planet and more than the total number of searches on Google.
The company also has a dedicated threat intelligence and security research organisation that analyses and protects against known and emerging threats. It has systems that constantly monitor cyber attacks.
The group is also constantly analysing what is happening on networks to spot anomalies. For example, if a server suddenly becomes four times more active than usual, it could be a cybercriminal stealing data.
Cyber attacks are a numbers game. The attackers can be successful once, while defenders have to be successful multiple times. Companies that have been attacked often keep the breach under wraps to protect their reputations. In one of the most recent attacks, R350m was stolen from Standard Bank by criminals in Japan who made 14,000 ATM withdrawals.
Cisco’s systems allow it to protect all its customers proactively, even if a threat is detected from only one customer. "We are at the nexus of digital evolution," says Will Rockall, Cisco cybersecurity director of customer solutions. While many businesses have implemented measures for cybersecurity solutions, they face a growing problem because as attackers become more sophisticated, they use online distribution channels and other third-party partners to target victims.
Cybercrime has become big business, often undertaken by highly motivated organised criminal gangs. These organisations are looking for a high return on investment and as low a cost of operation as possible.
Estimates of the total cost of cybercrime range from $450bn to more than $2-trillion.
Cisco believes that effective cybersecurity has become a "race against time", says Rockall. It believes speed of threat detection is vital to minimising the damage from cybercriminals.
Discussions about cyberthreats features in 80% of corporate boardroom meetings, says Philpott.
But Cisco warns of a shortage of experts to handle cybercrime attacks.
According to the company, in 2020, there will be 2-million security roles that cannot be filled and the salaries of these employees will be nine times higher than other IT positions.
The challenge faced by companies is that they train people who are then poached by rivals.
"Organisations are dealing with a huge churn of people," says Rockall.
Trevor Coetzee, regional director for SA and sub-Saharan Africa at Intel Security, says businesses are not only competing locally for scarce skills, but also with their global counterparts who headhunt skilled practitioners and entice them with premium salaries.
The gap left by a mass exodus of skills leaves businesses vulnerable to attack.
"Considered broadly, the situation appears quite dire," Coetzee says.
The tactics used by cybercriminals evolve every day and it is difficult to keep up; the education system is not producing industry-ready talent; the government is not investing enough resources into skills development; and a weak economy is forcing businesses to cut training budgets, which puts existing staff under more pressure.
Michelle Tietz, a specialist consultant at Network Recruitment, specialising in audit, risk and compliance, says IT auditors are in demand as organisations move to mitigate the serious risks cybercriminals present.
Many organisations rely on network infrastructures built of components that are old, outdated, and running vulnerable operating systems. In short, they are not cyber-resilientAdam Philpott
Director of cybersecurity at Cisco for Europe, Middle East, Africa and Russia
Given cybercrime’s increasing intensity in all business sectors and SA’s unenvious position as the primary target for cybercrime in Africa, this skill is set to top employers’ must-have lists in years to come.
Coetzee suggests continued investment in training, even though organisations risk losing these workers.
There is a need for diversity, to attract more female and minority talent, he says. "Cybersecurity is still a male-dominated industry, but if we make it more attractive to women and minorities, we’ll also widen the talent pool," he says. Companies should also be smarter with skills, he says, as too many IT resources are bogged down by tasks that could be automated.
The Intel Security study identified intrusion-detection, secure software development and attack-mitigation as among the most in-demand skills, yet IT departments are overwhelmed by many functions that can be consolidated and automated, Coetzee says. "By automating some of the day-to-day tasks, IT resources will be freed up to focus on more advanced threats to the organisation," he says.
Ageing infrastructure poses a risk for companies. Some are no longer protected — service providers are unable to provide software updates for some of their infrastructure.
"Many organisations rely on network infrastructures built of components that are old, outdated, and running vulnerable operating systems," says Philpott. "In short, they are not cyber-resilient."
Tighter data protection and privacy regulations are also key to combating cybercrime.
SA has the Protection of Personal Information Act, which compels company executives to protect company information.