ANDRÉ SWART: Cybercrime costs are eye-watering, but companies are in denial
This criminal sector is now the world’s third-largest economy after China and the US
Cybercriminals cost the world $7-trillion in 2022, making cybercrime the world’s third-largest economy after China and the US.
The first half of 2021 had 1.5-billion attacks targeting the “internet of things” globally, while data breaches rose 15.1% from the previous year.
This onslaught is pervasive as a consequence of heightened global geopolitical tensions. SA will not be spared. Criminals are crafty and well equipped, becoming more sophisticated, relentless and, unfortunately, more successful, as time goes on.
Interpol’s African Cyberthreat Assessment Report, released in March, shows that SA accounts for 42% of all “detected ransomware attacks”, the highest on the continent. The report says the number of undetected attacks is considered to be even higher. SA also accounts for more than half of “business email compromise” attacks in Africa.
So it is clear that the call for sharper focus on building cyber resilience is a priority business leaders navigating complex risk landscapes can no longer delay. Cyber resilience is more than cybersecurity. It’s about the organisation’s ability to continue uninterrupted services and operations despite cyber events.
As a measure of persistence in a changing and unpredictable world, resilience plays an important role in an organisation’s ability to be sustainable and responsible in its environmental, social & governance priorities. As a boardroom imperative there are a number of priorities business leaders should be focusing on to build cyber resilience.
Cyber resilience is an important intersection for the executive and board of directors. This critical nexus for risk management, business continuity, cybersecurity, finance and technology requires joint leadership commitment. Boards are paying closer attention to cyber issues. Gartner predicts that by 2025, 40% of boards will have a dedicated cybersecurity committee, which will affect the way cyber resilience is reported and monitored.
A common error is to assume cyber resilience is about technology. Far from it. Successful organisations will view cyber resilience in the context of the entire business value chain. It should address digital risk in supply chains, product manufacture, logistics, strategic alliances and partnerships, customer experiences, mergers & acquisitions, subsidiary organisations, building the capabilities and skills of employees, and the organisation’s public reputation.
Cyber-resilience strategies should not be developed as an afterthought or add-on but should be a vital consideration of protecting — and creating — value for the organisation. Cyber resilience must be central to risk management strategies to protect the organisation’s highest risk assets. Business leaders should develop risk-focused, top-down resilience strategies and cyber road maps that can be implemented across geographies, jurisdictions, and operating environments.
For example, if an organisation’s highest risk asset is its data, it is critical that it is safeguarded in multiple layers, from technology and infrastructure to controls and processes, systems, tools, governance, policy compliance, skilled people and organisation culture. Cybercriminals pursue targets that are easiest to breach. At the height of the pandemic there were notorious ransomware attacks on patient data at hospitals, which put the lives of patients at risk as hospitals were brought to a standstill.
Cyber weaknesses can be directly linked to a failure by leadership to embed cyber resilience into the organisation’s culture and operations. Actions and accountability must support strategies and policies. Investments should not only consider technology infrastructure and security, but also the dependence on human behaviour to achieve success.
The best approach is cross-functional and collaborative, with an emphasis on culture and skills development. This would improve efforts to address IT risk, operational risk, business continuity, data protection and privacy, anti-corruption, anti-fraud, ethics, end-user education and training, and cyber practices and culture.
By building a culture of resilience centred on collaboration, organisations are better equipped to bounce back from trauma caused by social unrest, severe weather or cyberattacks, without missing a beat.
Technology transformation is not just about technology. An organisation’s technology transformation can be stymied by misdirected funding of priority digital investments, poor governance and accountability, and lack of effect.
Executives are often faced with managing the risk resulting from reduced investment in digital, and being expected to do more with less. Technology leaders should be mindful that boards are more interested in how digital investments will create value for the organisation than the technology solution itself. Navigating this important difference will uphold the credibility of technology leaders and lead to technology investments that enable the organisation’s goals.
Complexity increases when organisations take a siloed approach. It also limits our ability to respond effectively — and be resilient — when the entire landscape is unknown.
Successful cyber resilience requires a broad view of the organisation’s digital ecosystem, including infrastructure, networks, platforms, systems, applications, data storage, as well as third-party and end-user access, to mention a few digital touchpoints. Tools such as cloud and artificial intelligence (AI) are creating new ways for a holistic and proactive approach to digital integration and cyber protection.
The key to building cyber resilience
Business leaders should avoid taking a digital-only view of cyber resilience. Resilience strategies should drive the right investments in areas of greatest vulnerability and a clear road map to achieve organisation-wide cyber resilience.
Instead of only focusing on digging deeper fortifications to keep the risks out, business leaders would do well to build their resilience from the inside. The most effective way to achieve this is by setting the tone at the top, and supporting employees with skills, tools and a culture that empowers cyber resilience.
• Swart is MD of Ziyasiza Consulting.