How vulnerable is South Africa to cyberattacks?
Risk managers in South Africa must suffer perpetual headaches these days. There is a crammed list of risk management priorities to constantly monitor. These include variable water and electricity supply, physical crime, bribery and corruption, climate change, political instability, civil unrest – the list goes on. The recent hack at the state-owned rail and ports company Transnet is an alarming reminder of how cybersecurity and cyberattacks have elbowed their way near the top of the list.
Details are understandably sketchy. But the threat was serious enough to take the firm offline for over a week and for Transnet to invoke the force majeure clause on its contracts.
Ransomware attacks are the fastest-growing form of cybercrime in the world. They happen when malicious software infiltrates a computer or network. The aim is to limit or restrict access to critical data by encrypting files – effectively locking them – until a ransom is paid.
There is one ransomware attack every 11 seconds globally. That’s roughly each time you finish reading one of these paragraphs. The average downtime after each attack is 21 days. This depends on whether the ransom is paid or not. Ransoms are much maligned in public, but routinely paid in private.
As with all forms of attack, these efforts range across a spectrum of sophistication: from blunt brute force to highly complex and carefully orchestrated.
This is not a uniquely South African problem. However, it does raise the question: how vulnerable is South Africa to cyberattacks?
The alarming rise in ransomware attacks means that many state-owned enterprises and private sector firms are only one click away from disaster. The Transnet cyberattack should sound a warning bell to enterprises that have been slow to beef up their cybersecurity systems.
A tale of two securities
Criminal syndicates generally target big fish to secure sizeable ransom payments. In South Africa, this includes large, listed companies and state-owned enterprises, like Transnet. Listed companies tend to be professionally managed, with risk committees routinely addressing cybersecurity risks. These committees regularly adopt best-of-breed mitigation measures such as a special focus on managed services, vulnerability assessments, and contingency plans.
State-owned enterprises are another matter. Like their pitiful performance track record, the precautionary measures they implement are less than reassuring, as evidenced by the number of breaches and the reliability of systems such as those used for vehicle registrations.
In many cases, the technology systems of state-owned enterprises are poorly designed and managed. Skills levels and capacity are also low, and motivation for management in this space is a constant challenge. They are generally reliant on archaic systems and security practices.
What makes matters worse is that most state-owned enterprises are serviced by the State Information Technology Agency, making it a potentially dangerous single point of failure. Moreover, the agency has been experiencing a number of very public operational challenges over the years, effectively holding up a sign to attackers saying: “We are vulnerable”.
Cyberattacks are an ever-growing risk
Both listed companies and state-owned enterprises face an ever-growing risk from cyberattacks because of their increasing reliance on digital transactions. An attack can result in:
- the loss of data and access to processes integral to business operations;
- stolen intellectual property and trade secrets;
- reputational damage; and
- substantial financial losses.
For South African businesses, the threat is two-fold. First, there is the direct threat of cyberattack which will affect their own data integrity and business functions. Second, there is the indirect threat arising from the disruption of logistics chains.
That’s exactly what happened with the Transnet cyberattack. Businesses found themselves not being able to move their goods in and out of the country.
Transnet’s Port Terminals Division ended up declaring force majeure at South Africa’s major port terminals, including Durban on the east coast, Ngqura and Gqeberha on the south-east coast, and Cape Town in the south. The Durban port alone handles more than half of the nation’s container shipments.
Major players, from logistics firms to exporters and retailers, came forward highlighting disruptions to their industries lasting several days. This delivered a substantial blow to an already struggling economy.
The Transnet cyberattack draws attention to the other vulnerable strategic points in the country. One shudders to think of the potential impact of a major attack on the power utility Eskom affecting an already pressured electricity supply, or to the country’s oil and gas pipelines and refineries.
The recent attack by DarkSide on the Colonial Pipeline in the US resulted in fuel rationing and some fuel stations running dry.
An attack on the South African Revenue Service could cripple public finances. And should telecommunication towers be targeted, channels connecting colleagues and loved ones would be cut.
Anything disrupting air traffic control systems could have horrifying consequences.
Best precautions are often simple
A recent survey from the cybersecurity company Varonis suggested that 37% of all firms have been victims of a ransomware attack at some point.
COVID-19 has exacerbated this as attackers take advantage of sectors in crisis – according to one measure, malicious emails are up by 600% since the start of the pandemic.
Threats to cybersecurity are now a fact of life; we need to learn to live with, but mitigate, the risk.
The best precautions are often surprisingly simple:
- limiting access rights to only those people absolutely required;
- implementing observability tools for constant monitoring;
- backing up data as often as possible;
- closely monitoring remote access;
- avoiding single points of failure that can compromise an entire system; and
- reviewing the naming of key systems and files to make the job of potential hackers that little bit more difficult – naming a folder “Important files” or “Customer master-file” is just asking for trouble.
Cybersecurity has been important for decades, but over the last few years it has quickly moved to centre stage. Businesses, organisations and governments will have to invest more resources in it, including time.
As our world becomes ever more intertwined with technology, the importance of managing the risk of cyberattacks is pushing it up the long list of management priorities. Ignore it at your peril.