If you're moving your business online to harness the power of digital technology, then you need to understand both the potential and the peril of cyberspace.
BUI CISSP Neil du Plessis and First Digital KZN Managing Executive Gabriel Malherbe discuss why a security strategy is critical for any enterprise with web-facing assets.
In 2019, South Africa had the third-highest number of cybercrime victims in the world. Attacks from the darkest corners of the web cost our economy more than R2.2bn. From government portals to municipal networks and databases, the public sector was a regular target. In the private sector too, cyberattackers zeroed in on e-commerce platforms, internet service providers, and financial institutions.
There’s a similar trend in 2020. Since the beginning of the year, hackers have taken aim at local enterprises including chemical supplier Omnia, hospital group Life Healthcare, and vehicle-recovery firm Tracker. Internationally, headline-making incidents involving car manufacturer Honda, GPS technology company Garmin, and energy group Enel have also highlighted the consequences of digital villainy, and put corporate cybersecurity practices in focus across the globe.
“When it comes to defending against cyberattacks, modern enterprises must consider the growing complexity of their operational environments and the web-enabled commercial landscape at large,” explains Neil du Plessis, our CISSP and cloud security architect. Connectivity can be a powerful business driver, but it can also be a double-edged sword: the greater the number of integrated platforms, systems, and applications, the broader the attack surface. “You no longer have the luxury of drawing a perimeter around your organisation,” states Du Plessis.
Gabriel Malherbe, the KZN managing executive at our sister company First Digital, agrees. “In a hyperconnected world, your cybersecurity measures cannot stop at the front gate. Those days are long gone. Today, a business environment is not just a physical space: it extends beyond walls and fences, across devices, across networks, and across borders. The challenge now – especially for those moving ahead with digital transformation – is holistic protection,” says Malherbe.
Risk versus reward
South Africa is one of the fastest-growing countries globally for IT expenditure, and local enterprises are spending significant funds on software and services delivered via the internet. They’re also moving core systems online. “Modernisation is a big motivator,” says Malherbe. “There’s a growing interest in disruptive technologies, and how they can be leveraged to help people accomplish more. The ‘more’ factor may change from company to company, but I think the stimulus is the same in many cases, and that’s the desire to prepare for an increasingly digital future,” he explains.
Being online can open the door for businesses to become more agile, more productive, more efficient, more responsive, and more cost-effective – but there are risks to consider in pursuit of such rewards, cautions Du Plessis. “Whether an online presence is part of your overall business development strategy, or a planned transition to serve your customers where they are, or even a productivity requirement to enable remote work right now, cybersecurity should be a primary concern. Unfortunately, this is not always the case, and some of the biggest security incidents in recent history are now cautionary tales about the perils of poor cyber hygiene,” he says.
Du Plessis highlights the 2018 ViewFines data leak as an example. “The PII records of almost a million South African motorists were leaked publicly, and sensitive personal information – including full names, ID numbers, and plaintext passwords – was compromised. The root cause was a web server vulnerability that could have been addressed beforehand through mitigation techniques like vulnerability scanning, penetration testing, server hardening, and patch management,” he explains.
Malicious actors continue to employ a wide range of scams to try to gain access to valuable data and corporate assets. Phishing, smishing, and vishing are common methods of attack, but malware is becoming a popular choice as cyber villains look beyond everyday IT infrastructure to more complex OT ecosystems in sectors as diverse as retail and industrial manufacturing.
“The EKANS ransomware used against Honda earlier this year is a case in point,” Du Plessis says, referencing the sophisticated malware that targeted the auto-maker’s industrial control systems and affected production lines in Europe, Japan, and the United States. “It’s absolutely critical for modern enterprises to establish cybersecurity practices that include all web-enabled processes, not only traditional IT,” he advises.
Security should be built in from the ground up and across the board, concurs Malherbe. “There’s a duality to the internet that you need to remember: it connects you to the world and it connects the world to you. Every web-facing resource, from your homepage to your e-commerce store, is exposed to a degree of risk. When you understand that, then you can take action to protect your assets while you reap the rewards of doing business on the web,” he says.
Functionality and security
“Cost, convenience, and customisation potential are all factors pushing local businesses to explore some kind of online presence,” continues Malherbe, adding that First Digital has seen a dramatic increase in the number of clients asking for e-commerce solutions in recent months. The trend, he argues, can be attributed to the prevailing market conditions as well as the changing behaviour of tech-savvy consumers.
“Even before the movement restrictions imposed during the COVID-19 lockdown, brick-and-mortar stores and shopping malls had started to feel the ripple effect of our stagnant economy: dwindling foot traffic, conservative spending, and tougher competition for every available rand. On top of that, there’s growing consumer demand for personalised, intuitive retail experiences. More and more, we’re seeing brands turn to e-commerce to drive sales and boost shopper engagement,” he says.
Business-to-consumer enterprises aren’t the only ones taking advantage of web-enabled technology. In the business-to-business space, bespoke trading platforms and vendor portals are being deployed to enable broader collaboration, integration, and co-operation. Greater functionality, however, demands greater security measures, reiterates Du Plessis. “Several high-profile cyberattacks have been linked to human error, or the misconfiguration of IT resources, or inadequate security controls. In B2C and B2B companies, cybersecurity strategy needs to be prioritised to help safeguard data, applications, infrastructure, and users,” he says.
BUI and First Digital have partnered on several projects to deliver secure solutions to local organisations. “I think customers understand the value of such engagements, especially given our complementary disciplines,” says Malherbe, citing a recent piece of work for Korbicom that drew on both teams’ expertise. “First Digital was brought in to provide Azure support, and BUI came on board later to perform penetration testing. The result was an intensive review of Korbicom’s web application, from architecture through to security,” explains Malherbe.
Korbicom’s application architect, Shaun Rust, was pleased with the results. “As a niche software development company, Korbicom creates custom solutions for clients in the legal sector, the insurance industry, and the financial services industry. Understandably, security and compliance are particular concerns. Our consultations with First Digital and BUI revolved around the functionality and security of a newly developed application, and their advice and assistance was very much appreciated.”
South African companies have to be prepared for sustained and increasingly sophisticated cyberattacks designed to compromise web-facing assets. “If you collect customer data through your website, or payment details through your e-commerce store, then you’re a potential target because sensitive information like that is valuable to somebody, somewhere,” cautions Du Plessis. “It doesn’t matter how big or small you are: data is a commodity. And I think we’ve all seen enough headlines to know that it is being bought and sold worldwide. The protection of your online business environment has never been more important than it is today,” he says.
Malherbe feels the same way. “If you don’t put adequate defences in place, then your enterprise is exposed, vulnerable, and at risk. You cannot afford to be in that position when the threat landscape changes by the minute. You have to make cybersecurity a priority – from day one, and every day after that,” he concludes.
A version of this article was published by First Digital, a fellow First Technology Group company specialising in application development, business process management, enterprise content management, integration, and managed services. Connect with First Digital on LinkedIn, Facebook, Twitter, and YouTube, or visit www.firsttech.digital to learn more.
Did you know that the BUI Cyber Security Operations Centre opened in 2019?
Our state-of-the-art cybersecurity facility is backed by world-class Microsoft security technology, including Azure Sentinel – Microsoft’s cloud-native security information and event management software.
The BUI Cyber Security Operations Centre is the first of its kind in Africa. It is staffed 24 hours a day, seven days a week, by certified security specialists who can help you to safeguard your critical business assets.