Cyber-crime will become an increasingly common threat to South African companies and individuals, according to Grant Thornton. In the future, one alternative to offset potentially catastrophic consequences, although against conventional wisdom and hype, might be to avoid specific online-based activities altogether.
Grant Thornton director of IT advisory services, Michiel Jonker, says 2013’s remote hacking of a dam’s operating system in the USA (only announced in 2016) by an Iranian terror group laid bare the potentially devastating consequences of having critical networks integrated online. The hacker gained unauthorised access to the dam’s office data systems, but luckily didn’t have the ability to control it because the sluice gate happened to be disconnected for maintenance.
“I know that I am going against the grain here, but my opinion is informed not only by my IT background, but also through my understanding of the systemic complexity we are dealing with. The notion of a fully connected world where all systems (and people) are connected and every system can be accessed online is extremely dangerous,” he says. “Think about dams; or nuclear power stations – hackers have proven that they can breach the highest levels of security. These critical infrastructure facilities, among others, are sitting ducks for teams of hackers, bent on wreaking havoc.”
Jonker believes that the rapid introduction of automation and the increase in global populations coming online will lead to the proliferation of organised crime and terror syndicates that want to exploit government and corporate systems for illicit gains.
These rapid advancements pose systemic risks to society and will most certainly lead to an exponential increase in complexity and cyber-criminal activity on the web. Add to this scenario increasing political, socio-economic and job polarisation (i.e. systemic unemployment) across the world, and you find a recipe for an extremely volatile, uncertain, complex and ambiguous (VUCA) world.
The findings from the latest Grant Thornton International Business Report (IBR) entitled “The Global Impact of Cyber Crime”, a quarterly survey of 2 500 business leaders in 37 economies worldwide, state that the cyber threat is no longer limited to code-breaking teenagers operating from their bedrooms. The total cost of cyberattacks to business over the past 12 months is estimated at $280-billion, a 6% increase compared to the previous 12 months (cost of cyber figure is calculated using IBR figures and World Bank GDP data, plus estimates of global business revenues).
The survey states that 30% of cyberattacks in Africa are committed to conduct monetary theft, while globally most attacks are aimed at causing infrastructure damage. Other motives include the theft of critical business information, extortion and intellectual property theft.
Jonker says that, while the current best practice whereby experts systematically attempt to penetrate a computer system or network on behalf of its owners to find security vulnerabilities is important, it is not enough.
“It is simply not possible to make a network impregnable. Just like a home security system that includes 24-hour armed response and motion sensors makes it difficult for criminals, break-ins and house robberies do still occur. There is no such thing as 100% security.
“While conventional wisdom tells us that prevention is far better than dealing with the effects of a cyberattack, it is now very clear that we might not have a choice but to rely more on detection and correction and, in ultimate cases, it might even be better to not allow certain high risk networks to be online at all,” says Jonker. “Hacking syndicates work for criminal cartels, terror groups and state agents who make available significant resources to achieve their outcomes.”
According to the IBR data, financial loss isn’t the biggest consideration. Reputational loss, the amount of management time it consumes, the resulting loss of customers and the costs of putting best-practice defences in place are rated as more important than direct loss of turnover.
Jonker says it is not only corporations that are at risk; individuals will have to apply the same level of care. Hackers bet on the fact that every person likes to have their entire life on one device. As an example, he said that instead of using one device for all online activity, it is safer to confine internet banking to a dedicated and standalone device (with up-to-date security features), used exclusively for that purpose.
“This means that the standalone device is not used for any other purpose like internet browsing, emails, games or any other programs at all.”
He said it is clear from the IBR data that enterprises and individuals should be obsessively concerned about safety. Yet the data indicates that 52% of businesses responded they had no cyber insurance and an additional 13% were not aware of cyber insurance in the first place.
“There appears to be a general complacency about the seriousness of IT threats. While prevention is necessary, we have to embrace the new paradigm that successful attacks will occur and so we must be realistic in the face of increasing threat – our ability to prevent security incidents in the future might diminish due to systemic complexity we are dealing with. If we cannot live with the fact that we will have to rely more on detective and corrective controls in the future, the only other alternative might be to avoid the risk – which is a valid risk response according to good corporate governance principles,” says Jonker.
“We have to accept a future in which we should carefully consider what we interface with what, where we have a bit more balance. An anti-systemic response is an approach of disengagement from a system’s rules which you cannot beat – for example, guerrilla warfare compared to a conventional army’s tactics. We need to focus on strategies where we at least consider the adoption of anti-systemic responses to cyberspace in order to avoid very specific but highly critical cyber risks altogether.
“Avoidance might be the only alternative in a world where overconfidence in preventive controls (sometimes to the extent of arrogance) – where we believe we can handle the forthcoming ‘tsunami’ – will certainly be our downfall. But in a world dominated by a need for efficiencies, by means of automation and integration, the approach of ‘avoidance’ may be condemned, which in turn could lead to systemic chaos where ‘prevention-only’ approaches will fail,” Jonker concludes.