Between 15 and 21 March 2020, nearly 310 000 digital devices in South Africa were hacked. According to global cybersecurity and anti-virus provider Kaspersky, this sharp increase from the weekly average of between 20 000 and 30 000 attacks coincided with the nationwide increase in remote working ahead of the country’s national emergency lockdown, which was implemented to contain the spread of the coronavirus.
The COVID-19 pandemic presented new challenges that caught many companies off guard, says Lukas van der Merwe, specialist sales executive for the security division at T-Systems South Africa, a subsidiary of international telecoms company Deutsche Telekom. ‘The majority of South African companies were not prepared. While some may have deployed the required architectures to support remote working, it was aimed [at a] small percentage of employees and had to be scaled at very short notice. The COVID-19-related lockdown introduced a completely new set of variables that in many cases changed the cost-benefit analyses of remote versus office working, and organisations had to adapt to survive.’
This, he argues, is why adopting the best cloud technologies and digital transformation strategies may not override a company’s own assessment of the resulting performance and financial benefit, since ‘each organisation is on their own digital journey, which is informed by their strategic objectives and restricted by the affordability of such initiatives’. In such cases, it may be more productive to examine first how a company manages its overall behaviour around cybersecurity before investing in expensive technical measures. For example, executives polled in the Accenture 2018 State of Cyber Resilience report noted that the publication of confidential information by employees, whether by accident or intentionally, had the ‘greatest impact second to hacker attacks in successfully breaching their organisations’.
It boils down to company culture. Charl Ueckermann, group CEO at AVeS Cyber International, believes that there is a great need for education, training and awareness on the subject. ‘Culture is developed from strongly held value systems that are strategically supported. When safety forms part of your business values, your business continuity, the integrity of your data and sustainability of your business become a culture. These values must be driven from the top and reinforced by both structure and strategy to ultimately shape employee perceptions and behaviour. The key is [to] change behaviour by performing a continuous programme of cyber-risk awareness in order to reduce the associated risk.’
Similarly, a survey conducted by cybersecurity software company Trend Micro supports the idea that behaviour and perception around cybersecurity and its risks play a major role in whether organisations prevent and contain cyberattacks. The report found that while 66% of surveyed remote workers in Nigeria, Kenya and South Africa said they were aware of their organisation’s cybersecurity policies once the lockdown began, 17% admitted to using a non-work-related application on a corporate device, 34% said they used their work laptop for personal browsing, and only 38% fully restricted the sites they visited. The number of malware attacks recorded across the three countries had reached 28 million by August 2020, possibly as a result of these types of behaviours. Over the same period, Kaspersky recorded 102 million detections of potentially unwanted programs.
Van der Merwe suggests that the increase in cyberattacks stems from the average employee not fully comprehending the implications of their actions, even after being made aware of cybersecurity risks. He adds that employees may regard the restrictive security measures enforced by their employers as an irritant or hindrance. ‘Too often we identify poor practice at the most basic level when assessing behaviour of employees against the company’s policies even when awareness initiatives are in place.’
Ueckermann argues that the challenge in addressing some employees’ lax behaviour lies in the fact that the concept of cybersecurity in the workplace is difficult to grasp. ‘People struggle to believe in what they cannot smell, taste or feel. Similarly, the average user of technology cannot hear, see, smell, touch or taste cyberthreats. They feel removed and untouched by them. That is, until they are impacted by a cyber incident, data breach, fraud or identity theft.’ In the meantime, he says, employees can easily correct certain behaviours, such as differentiating between their personal and business emails. ‘The line becomes too blurred between social and business if business mail addresses are used for private or social activities.’
To address this issue, Van der Merwe says that companies need to find a balance between positive reinforcement and consequence management. ‘An example would be to include compliance with cybersecurity policy in the employee’s performance evaluation, which directly affects promotion and remuneration. Cybersecurity-related transgressions should also be treated the same as other transgressions of company policy with the possibility of being dismissed following disciplinary process. This would raise the importance of cybersecurity to the required level.’ Other approaches to creating a more cognisant and responsible company culture may include awareness programmes, straightforward disciplinary action and the notion of incentivised behavioural change, the latter being a favoured topic during the 2020 Africa Cybersecurity conference. This process involves creating awareness and then incentivising employees’ good behaviour around cybersecurity instead of just punishing their bad behaviour.
Ueckermann agrees that people cannot be forced to take ownership of their actions around cybersecurity via outright punishment, and emphasises that management plays an integral role in ensuring that a culture of prevention is created in the workplace. ‘Executive management is in the business of managing risk on a daily basis; employees manage their work responsibilities on [a] daily basis and are not as aware of what their unique role is in protecting the organisation against cyber risks,’ he says. ‘It is thus important for executive-level staff to take the lead in creating a cyber-risk culture. If a company’s leadership does not buy into the importance of a cybersecure culture, it is unlikely that employees will.’
Ueckermann adds that the best approach is to communicate, educate and motivate – both from a leadership and performance-management perspective. ‘Only once [these steps] are followed can you empower or delegate responsibility to every member of the team.’ The Accenture 2018 State of Cyber Resilience survey supports the need for awareness and cyber-skills training, noting that only 16% of surveyed chief information security officers reported that employees in their respective organisations were held accountable for cybersecurity. ‘Providing ongoing training and skill reinforcement – for instance, with phishing tests – is essential, alongside training and education,’ the report states.
‘Employees need the tools and incentives to help them to define and address risks. New work arrangements – greater use of contractors and remote work – make the need for employee training more urgent. Even so, training employees to think and act with security in mind is the most underfunded activity in cybersecurity budgets.’ Among the examples of ongoing employee training and development programmes are those offered by KnowBe4’s Popcorn Training, a South African cybersecurity-awareness training service. One of its training tools is a phishing simulator that can be customised to each organisation’s environment. State-owned Telkom South Africa has already started implementing these programmes for its own employees.
Van der Merwe advises that awareness programmes should evolve beyond simply enforcing policy and best practice to include a holistic view of how these measures underpin the resilience and longevity of the organisation in a digital world. ‘Cybersecurity awareness is not an event but rather a process of continued persistent education. A lot is being done to create awareness and educate employees, but I believe until each individual understands the downstream implications of their actions, this will remain a key risk for organisations.’ Ueckermann agrees. ‘Performing a workshop is a great start. The question is, did user behaviour change? The key is [to] change behaviour by performing a continuous programme of cyber-risk awareness in order to reduce the associated risk.’