The Power Report: Cyber risk as much about comms as IT #coronavirusSA
by Megan Power (@Power_Report)

I was a bit smug when alerted to Microsoft Teams’ pre-set video backdrops, or custom backgrounds, which could replace mine when using video. I didn’t need that, of course; I had the real deal. That was until a colleague who specialises in cyber risk burst my bubble.
When covid-19 forced us onto video work-calls from home, I wasn’t entirely ready for the personal intrusion. But my home study certainly was. Repainted in a moody teal, complete with full bookshelves lending a distinct “learned air”, it became the envy of a good few colleagues in early lockdown.
Insight for phishing
It turns out I’d be far better off using an impersonal and generic white-walled office image courtesy of Microsoft. If not, and should my virtual meeting be hacked, I was warned, the interests reflected in my choice of books could give the attacker insight into what subject — from architecture to sailing, wildlife to jazz — I’d likely relate and respond to in any phishing-type communication.
It was a sobering reminder that, of all the business vulnerabilities covid-19 has exposed, cyber risk is one of the biggest. With so many of us having been moved suddenly into remote work-from-home set-ups, accessing company servers en masse from myriad locations on phones, tablets and laptops, the parameters of organisations’ once tightly controlled security nets have become dangerously loose. It’s not like we were in a good position to begin with, either; South Africa already has the third-highest number of cybercrime victims in the world. Further afield, a new global survey conducted in April and May 2020 by the US-based Association of Certified Fraud Examiners has revealed 81% of respondents have already seen an increase in cyberfraud, with 93% expecting it to increase over the next 12 months.
Ongoing risk management in a constantly changing environment is not something to leave to IT, board members and cyber security experts alone. Central as they are, a critical part of cyber resilience is incident response management — to manage and protect reputation after an attack — and this has to be strategically led by the likes of marketing directors, reputation chiefs, and communication heads. They’re the ones who will face the wrath of angry consumers and have to salvage devastating brand damage if sensitive personal data is compromised.
Responsibility for cyber risk management has to be a team effort; certainly on a practical level, creating silos in any organisation isn’t smart. What happens when the head of IT with sole knowledge of passwords and codes gets knocked over by the proverbial bus, and nobody else is able to access the office server? I know of two such incidents in the last three months alone where that bus was covid-19; at least one of those important passwords went to the grave.
I’m also aware of at least two cases of ransomware in SA in recent weeks. In such attacks, file-encrypting malware, known as ransomware, infects computers, after which victims are blackmailed into paying a ransom to get access back. In one of these recent cases, hackers used Zoom to infiltrate a victim’s cellphone, got into their laptop and then accessed their company’s servers. In the other, individual sports trackers belonging to a group of C-suite athletes were hacked in a single attack.
Ironically, sport and fitness tech giant, Garmin, was hit by a global outage in a suspected ransomware attack just a few weeks later. Closer to home in June, a breach at private hospital group, Life Healthcare, forced it to switch to manual processing systems after a hacking attack. This followed an Interpol statement in April warning governments and hospitals that attacks have been escalating during covid-19.
Not much better
Last year wasn’t much better. In October 2019, the City of Johannesburg reported a breach of its network and shut down its website and all e-services, hours after receiving a bitcoin ransom note from a group called the Shadow Kill Hackers. The hack reportedly happened at the same time that several local banks reported internet problems believed to be related to cyberattacks. According to an Accenture report in May 2020, victims last year included a SA energy supplier, a pre-paid electricity provider, and one of the country’s largest internet service providers.
It may not always be malicious; sometimes it’s human error that leads to a breach, or a third-party breach that compromises a company’s customer data or systems. Either way, incident response strategy — thrashed out with communications, legal, cybersecurity and compliance teams — should be in place in anticipation of a breach, complete with internal and external first response drafts and statements, including fact sheets, anticipated stakeholder questions and, if needed, the setting up of a special “dark section” on the website which may be activated if a crisis hits. This keeps an organisation in control of its own narrative and serves as a designated platform for regular public updates. If such preparations highlight gaps in processes and safeguards, all the better. This plan may be handled internally with the right leadership but businesses may also make use of specialists in crisis readiness.
Nowhere to hide
If this all sounds like too much effort, consider that when the Protection of Personal Information Act (POPI) is in full force in a year from now, there’ll be nowhere to hide. Not only will companies have to put measures in place to handle all personal information according to prescribed rules, but they’ll have to ensure such data is properly protected from unauthorised access and loss. Following a breach, organisations will no longer have the luxury of time to get their house in order before word gets out. The act obliges companies to inform the Information Regulator immediately of a breach, as well as consumers whose data may have been impacted. Add to this the European Union’s already-in-force data privacy legislation, the General Data Protection Regulation (GDPR), which affects all SA companies offering goods or services within the EU or to EU residents and citizens.
If GDPR and POPI aren’t enough to jolt complacent organisations into action, the more-immediate and escalating covid-19 cyber threats certainly should. Especially as businesses across SA scramble to fast-track crucial digitisation in the wake of an indefinite lockdown.
Megan Power (@Power_Report) has nearly 30 years’ experience working in South African media, including investigative journalism and news editing; she now runs Power LAB, a strategic communications and customer experience agency focusing on customer journey audits, crisis readiness and brand reputation. Megan’s consumer column, The Power Report, ran weekly in the Sunday Times for six years and has now found a new home on MarkLives.