With the Protection of Personal Information (POPI) Act 4 of 2013 having come into full effect at the start of July, South Africans are likely to see the full impact of cybercrime for the first time.

This is according to Bertus Visser, Chief Executive of Distribution at PSG Insure, who adds that many companies were still taking a lax approach to cyber security before POPI came into full effect.

“Data breaches have been massively underreported to date, and it is possible many businesses opted to sweep cyber incidents under the carpet until now. Now that disclosure is a legal requirement that will be actively enforced by a regulator, we expect to see a huge spike in reported incidents, however this poses its own set of risks that businesses will have to protect themselves against.”

PSG Insure notes that in the last month alone, Johannesburg’s City Power, Transnet and a number of large South African firms fell victim to major cyber-attacks.

These are just the latest additions in a rising tide of high profile local cyber-attacks over the past two years. However, these well documented attacks are only just scratching the surface, the company asserts.

Visser explains that businesses need complete cyber-risk management strategies that encompass much more than simply taking out cyber insurance. “More businesses will need good cyber insurance policies. However, these policies only cover first- and third-party losses as well as some regulatory exposures. In order to adequately manage the risks that cybercrime poses, businesses will have to consult with their advisers to develop a well-planned all-encompassing strategy.”

He points out that this begins by taking a closer look at the potential damages to a business. “Third party claims and regulatory fines are just part of a company’s total losses. Business interruption and damages to physical assets are insured under different policies. As businesses increasingly move their operations online, the potential secondary losses have increased in severity. Businesses therefore need to review their insured amounts across all of their policies, bearing in mind that a single cyber incident could trigger a number of policies at once.”

Next, cybersecurity training is crucial. “The human element is still the greatest threat to cybersecurity, and it's unlikely insurers will cover incidents of pure negligence. Ensuring that all employees and contractors are educated and informed on the latest cyber security attacks and trends is vital. Many IT service providers offer basic cybersecurity training for staff, and it can even be included as an add-on to cyber policies.”

Lastly, he says that regularly reviewing cyber risk management strategies is crucial. “Cybercrime is evolving at a frightening pace, so it would be prudent for businesses to revisit their risk management procedures at least twice a year.”

With POPI now in full force, Visser says that this may be the catalyst that could finally set businesses on the right path toward becoming truly cyber-resilient. “Business owners should speak to their adviser to ensure they have all the right risk mitigation measures and policies in place to safeguard their business against cybercriminals and any potential liability following an incident,” he concludes.

Ransomware threat

Ransomware remains a major threat in Africa.

According to a quarterly Threat Assessment Report by the Cisco Talos Incident Response (CTIR) team ransomware was identified as the quarter’s most dominant threat.

CTIR research showed that ransomware accounted for almost half of all security incidents, and more than triple that of the next most common threat. Actors targeted a broad range of verticals, including transportation, utilities, health care, government, telecoms, technology, machinery, chemical distribution, manufacturing, education, real estate and agriculture.

However, healthcare was targeted the most out of all verticals for the third quarter in a row, with government being the second most-targeted.

Garsen Naidu, GM, Cisco Sub-Saharan Africa.

“There are many reasons why actors are continuing to target the health care industry, including the COVID-19 pandemic incentivising victims to pay to restore services as quickly as possible. On a positive note, there were several pre-ransomware events in which timely detection via Cisco Secure products, along with quick remediation led to containment of the incident before encryption could occur. With the speed of digitization we are seeing with South African businesses, cybersecurity needs to stay top of mind for business leaders,” Garsen Naidu, General Manager at Sub-Saharan Africa at Cisco.

Ransomware actors used commercial tools like Cobalt Strike, open-source tools and tools native on the victim’s device. Other observed threats included the exploitation of known vulnerabilities, cryptocurrency mining, and account compromise.

Interestingly, there were multiple incidents involving trojanized USB drives, which is an older attack vector not seen in many years.

The lack of multi-factor authentication (MFA) remains one of the biggest impediments for enterprise security. CTIR frequently observes ransomware incidents that could have been prevented if MFA had been enabled on critical services. CTIR urges organizations to implement MFA wherever possible.