Cybercrime might not get the same attention as contact crimes, but it's nonetheless devastating. During 2018, the US Federal Bureau of Investigation (FBI) received over 350 000 complaints relating to cybercrime, with losses exceeding $2.3 billion. But that turned out to be small numbers: in 2022, the FBI received over 800 000 complaints, tallying to losses of over $10 billion. South Africans were not spared, losing around R2,2 billion to online criminals last year. Many of these victims are small and medium businesses, some of which do not recover from the criminal attack.
How can organisations protect themselves against cybercrime? According to Guy Golan, CEO and Co-Founder of Performanta: "It requires several things, such as threat monitoring, awareness training, and good security practices like patching and configuration management. Out of all those actions, an incident response plan is one of the most important. Unfortunately, it's also very often overlooked or neglected."
South African companies cannot afford to skip that step. Cybercrime activity in the region has grown year-on-year, both as an activity and a threat. The 2022 Data Vulnerability Thermometer ranks SA as fifth globally for cybercrime victim density, and Interpol's 2022 Africa Cyberthreat Assessment report predicts that the country could soon be Africa's biggest cybercrime hub.
Incident plans: security ICU
Yet many local organisations still skirt crucial security measures. Specifically, they overlook the necessity of incident response plans.
Incident response, or IR, is a specialised part of security. One can compare it to a hospital's intensive care unit: IR kicks in when the organisation detects a breach of its systems. Like medical specialists rushing to save patients, stabilise them and get them out of danger, IR stops criminals from doing more damage.
An incident response plan is the lynchpin of this response. It defines actions based on business priorities, establishes key response team members and stakeholders, and determines reporting requirements for legislators, shareholders, and the media. It literally tells companies who to call when trouble hits: it's the emergency contact on a fridge or saved on a phone.
"IR can be compared to ICU," says Golan. "Every second counts. Experts need to work out what's wrong and take immediate action. The infection, disease or bleeding must be controlled and reduced. You can easily use terms such as 'triage' or 'golden hour' in this regard because they fit.
Now imagine if you didn't have access to an emergency contact or if you can't reach a hospital fast enough? This is exactly what happens when there isn't a ready and tested IR plan, and an IR team to execute it."
When they don't reach ICU, patients can die. It is dramatic to suggest cybercrime can kill a business, though that is a reality for smaller organisations. Larger enterprises can take the blow, but at significant costs. A security breach can cost an average of US$4.45 million (R83 million), according to IBM and the Ponemon Institute. Lost productivity and data, reputation damage, and lingering criminals are all factors that deepen a breach's cost.
"Cybercriminals are experts at hiding themselves and changing an environment to suit their plans. They are less worried about being caught than being ejected. So, they dig in, and it takes considerable resources and skills to get them out. An IR plan is what determines how effectively a company can fight back and purge the bad guys,” says Golan.
Plan from the top
The onus of pre-establishing IR is on the CEO, the executive team, and the board. Like a doctor asking patients questions to establish their medical context, an IR plan must reflect an organisation's priorities, requirements, and risks. Security teams cannot answer those questions, nor can the technology department. These are squarely strategic business considerations.
But business leaders are not security experts. Collaboration between business and technical stakeholders delivers an effective IR strategy. The business should champion the plan, empowering both others in the company and security partners to create it. The choice of security partner is essential: IR skills are specialised and best enlisted through a security partner's network.
"Creating an IR plan can be intense, which is why many organisations avoid it or do it in half-measures," says Golan. "They might even believe that they won't be attacked because they are too small or have some security systems in place. But when you get a cybersecurity breach, then you want that plan to be ready to go."
South Africa is unlikely to dispel its growing cybercrime reputation any time soon. But local organisations can prepare and avoid the worst when they fit cybersecurity to their specific needs and risks. An IR plan is a crucial part of that preparation and will ensure your business has a plan for the worst.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.