Cybersecurity: Building awareness and resilience in an ever more complex technology landscape

Earlier in 2023, I was speaking at a conference on Linktank’s specialist topic of finding, selecting, and implementing the right technology for advisory practices. Mid-way through, a member of the audience asked me for advice around solutions to assist in the mitigation of cybersecurity risks.  I did not have an answer for him.  Until that point, we had not put a special focus on this aspect of the technology stack – we simply assumed it was something that fell firmly into the realm of the software providers and IT support, those with the more technical know-how. Subsequent conversations with advisors and vendors, however, have put the item firmly on our agenda.

My explorations into the topic of cybersecurity highlighted just how vulnerable financial institutions are, and how every advice practice, every South African business and indeed all our clients fall victim to these attacks on a regular basis. I'm aware that there are a multitude of articles by specialists who have a far better grasp of the subject than I do, but given the urgency of this topic, I've decided to add my voice, at the very least to highlight the requirement for all of us to build awareness and resilience in this space and to understand a bit more about what it all means. Going forward, it is critical to ensure that any decisions about selecting and implementing technology prioritize a clear cybersecurity strategy as well.

The Covid-19 lockdown period hastened the move to online client engagements, and more of the implementation and financial planning activities also shifted into the cloud. Many of us find this new way of working more efficient and more cost-effective, but it also comes with a whole new set of risks which every business, especially those in financial services, must now navigate. The FSCA has drafted Standards which practices need to comply with, but I wasn't sure how many actually have yet. Turns out, not many.

In an article on ITWeb in July 2023, Tracy Burrows for Rubrik wrote that “African financial services organizations have around 15 months to comply with the new Joint Standard: Cybersecurity and Cyber Resilience by the Financial Sector Conduct Authority (FSCA) and the South African Reserve Bank (SARB) Prudential Authority”, but at the time of writing a poll of participants revealed that only 2% are 100% prepared to implement the Joint Standard and an audit. 22% said they had completed a gap analysis and were swiftly moving to prepare for it. 28% were investigating the policy with a view to preparing, and a further 28% had not yet investigated the policy. 18% responded ‘What are the Joint Standards?’ Moreover, when it comes to complying with the terms of any cybersecurity insurance, financial advisors have expressed how complex it is to understand the requirements, let alone comply with them.

There is clearly a critical need for better understanding and more awareness building for advisors, while vendors and support services actively work to ensure that we build technology solutions which keep our businesses, employees and our clients safe. That said, making IT support teams entirely responsible for managing cybersecurity risk, or relying purely on software providers to ensure the safety of your data, is foolhardy. Cybercriminals' tactics evolve all the time, and our IT teams and software vendors can do all they can to keep up, but it is ultimately down to each user of technology to build their knowledge of the types of threats out there and stay vigilant.

Why the urgency and what are the types of risk?

South Africa is ranked amongst the highest cyber-attack regions in the world. According to INTERPOL’s African Cyberthreat Assessment Report 2022, a total of 230 million cyber threats were detected in South Africa, out of which 219 million, or 95.21%, were e-mail-based attacks. What’s worse is that the nation is already suffering from an alarming 100% increase in mobile banking application fraud and is experiencing on average 577 malware attacks every hour.

And what are the loopholes in South Africa’s cyber security system that bad actors are taking advantage of? Basically,

  1. Poor investment in cyber security systems
  2. Lack of awareness across users of technology
  3. Poor law enforcement to act on cyberattack cases.

Where do we start to build awareness?

We, the users, are our own first line of defense. Make sure you and your team are aware of the most prevalent threats and how they work. Most of the threats come via email, in a variety of forms and with a variety of outcomes:

  • Ransomware – business email compromise (BEC) and ransomware.
  • Phishing attacks – these are experienced across email, WhatsApp and SMS platforms; even QR codes are now used to get access to your information network.
  • Social engineering/Impersonation.

But there are other threats like:

  • Insider threats – posed by discontented employees or even ex-employees/colleagues.
  • Device mismanagement.
  • Weak passwords.
  • 3rd party risk – your technology infrastructure and email domain may be secure but we cannot assume the same for 3rd parties, especially clients using public email addresses.

The good news is that there is a growing number of service solutions that offer comprehensive course material advisors can use to build awareness. Most of them will even ‘test’ staff members on their cybersecurity prowess. Mimecast and Synaptic SA are just two companies which we have recently engaged with, but we intend to find more.

Where do we start – to build resilience?

As we gain a better understanding of how to mitigate risks, financial planning practices will start to hear more and more about implementing robust security measures, including:

  • next-generation anti-virus solutions,
  • firewalls,
  • antivirus software,
  • encryption,
  • secure data storage,
  • regular data backups,
  • multi-factor authentication,
  • strong access controls, and
  • incident response plans.

Building resilience means that a business has the processes and backups in place to “bounce back” if it has fallen into a cyberattack trap. Sounds technical, right? So, make sure that the team supporting you from an IT perspective is talking to you about these issues, ensuring that the necessary checks are in place, and that your team and clients understand why the processes are required.

In summary, don’t let this be another case of “kicking the can down the road” because the consequences could put you out of business. Ask questions and find the right team to educate, advise and support you.

Sources:

Financial services must move to comply with new standards for cyber resilience, by Tracy Burrows for Rubrik. 18 July 2023. https://www.itweb.co.za/content/LPp6V7rBnoK7DKQz

What makes SA a target for cyber crime, what actions can be taken? By Eleanor Barlow, Content Manager at SecurityHQ. https://www.itweb.co.za/content/Pero37Z34ydMQb6m