
Cyber resilience is a boardroom priority. Here are five reasons why.
By Andre Swart
Managing Director, Ziyasiza Consulting
Cyber criminals cost the world $7 trillion in 2022, making cybercrime the world’s third largest economy after China and the United States. The first half of 2021 recorded 1.5 billion IoT-targeted attacks globally, while data breaches increased by 15.1% from the previous year.
This onslaught is pervasive and far-reaching as a consequence of heightened global geopolitical tensions, and South Africa will not be spared. Criminals are crafty and well equipped, becoming more sophisticated and relentless, and unfortunately, more successful.
The Interpol “African cyberthreat assessment report” (March 2023) shows that South Africa accounts for 42% of all “detected ransomware attacks” – the highest on the continent. The report says the number of undetected attacks is considered to be even higher. South Africa also accounts for more than half of “business email compromise” attacks in Africa.
The call for increasing focus on building cyber resilience is a priority for business leaders navigating complex risk landscapes.
Cyber resilience is more than cyber security. It’s about the organisation’s ability to continue uninterrupted services and operations, despite cyber events. As the measure of persistence in a changing and unpredictable world, resilience plays an important role in an organisation’s ability to be sustainable and responsible in its environmental, social and governance (ESG) priorities.
As a boardroom imperative, there are five priorities that business leaders should be focusing on to build cyber resilience.
- Building boardroom commitment
Cyber resilience is an important intersection for the CEO, CFO, CIO, COO, CISO, CRO and Board. This critical nexus for risk management, business continuity, cyber security, finance and technology requires joint leadership commitment.
Boards are paying closer attention to cyber issues. Gartner predicts that by 2025, 40% of boards will have a dedicated cybersecurity committee, which will impact the way that cyber resilience is reported and monitored.
A common error is to assume that cyber resilience is about technology. Far from it. Successful organisations will view cyber resilience in the context of the entire business value chain. It should address digital risk in supply chains, product manufacture, logistics, strategic alliances and partnerships, customer experiences, mergers and acquisitions, subsidiary organisations, building the capabilities and skills of employees, and the organisation’s public reputation.
- Protect value
Cyber resilience strategies should not be developed as an afterthought or add-on but should be a key consideration of protecting – and creating – value for the organisation.
Cyber resilience must be central to risk management strategies to protect the organisation’s highest risk assets. Business leaders should develop risk-focused, top-down resilience strategies and cyber roadmaps that can be implemented across geographies, jurisdictions, and operating environments.
For example, if an organisation’s highest risk asset is its data, it is critical that it is safeguarded in multiple layers, from technology and infrastructure, to controls and processes, systems, tools, governance, policy compliance, skilled people and organisation culture. Cyber criminals pursue targets that are easier to breach. At the height of the pandemic there were notorious ransomware attacks on patient data at hospitals, which put the lives of patients at risk as hospitals were brought to a standstill. This was a difficult way to learn that patient wellbeing also includes the protection of patient data and should receive the appropriate focus.
- Collaboration and skills
Increasingly, cyber weaknesses can be directly linked to a failure by leadership to embed cyber resilience into the organisation’s culture and operations. Actions and accountability must support strategies and policies. Investments should not only consider technology infrastructure and security, but also the dependence on human behaviour to achieve success.
The best approach is cross-functional and collaborative, with an emphasis on culture and skills development. This would improve efforts to address IT risk, operational risk, business continuity, data protection and privacy, anti-corruption, anti-fraud, ethics, end-user education and training, and cyber practices and culture.
By building a culture of resilience centred on collaboration, organisations are better equipped to bounce back from trauma caused by social unrest, severe weather or cyberattacks, without missing a beat.
- Technology transformation
Technology transformation is not just about technology. An organisation’s technology transformation can be stymied by misdirected funding of priority digital investments, poor governance and accountability, and lack of impact.
CIOs and CISOs are often faced with managing the risk resulting from reduced investment in digital and are expected to do more with less. Technology leaders should be mindful that boards are more interested in how digital investments will create value for the organisation than in the technology solution itself. Navigating this important difference will uphold the credibility of technology leaders and lead to technology investments that enable the organisation’s goals.
- Integration
Complexity increases when organisations take a siloed approach. It also limits our ability to respond effectively – and be resilient – when the entire landscape is unknown.
Successful cyber resilience requires a broad view of the organisation’s digital ecosystem, including infrastructure, networks, platforms, systems, applications, data storage, as well as third-party and end-user access, to mention a few digital touchpoints. Tools such as cloud and artificial intelligence (AI) are creating new ways for a holistic and proactive approach to digital integration and cyber protection. For example, there is an increasing trend towards the use of AI to identify and counter cybersecurity threats, superseding the ability of traditional methods.
The key to building cyber resilience
Business leaders should avoid taking a digital-only view of cyber resilience. Resilience strategies should drive the right investments in areas of greatest vulnerability and provide a clear roadmap to achieve organisation-wide cyber resilience.
Instead of only focusing on digging deeper fortifications to keep the risks out, business leaders would do well to build their resilience from the inside. The most effective way to achieve this is by setting the tone at the top, and supporting employees with skills, tools and a culture that empowers cyber resilience.