In 2023, almost half of South African organisations found it necessary to completely overhaul the skills and qualifications of their cybersecurity teams following major cybersecurity incidents, alongside making significant improvements in processes and technology.

This was one of the detailed findings in the Mind of the CISO 2023 Report, by cybersecurity multinational Trellix’s Advanced Research Centre. The report surveyed 500 security executives from 13 countries around the world, including South Africa.

South African respondents represented organisations with staff sizes ranging from 1000 to 10 000 employees, mainly in healthcare, energy, manufacturing, financial services, and the public sector.

“The persistence of threat actors from around the world, and Africa’s rapid economic growth and industrialisation, are placing incredible pressure on large organisations and their cybersecurity teams,” says Carlo Bolzonello, country lead for Trellix South Africa. “South Africa, as a leading technological, political, and economic nation, is especially targeted.

“Organisations of all sizes need to start adopting a more comprehensive approach to cybersecurity, driven by smart tools, shared data, and close collaboration with internal and external stakeholders.”

According to Interpol’s 2023 African Cyberthreat Assessment Report, South Africa was the most targeted nation, comprising 42% of all detected ransomware attacks and over half of business email compromise (BEC) attacks on the continent.

Causes of attacks

Most reported cybersecurity incidents involved phishing (40%), ransomware (36%), business email compromise (32%), credential stealing (28%) and distributed denial of service (DDoS) attacks. Respondents shared that 28% of attacks were state-sponsored (hacking syndicates backed by hostile nations), while 24% of threat actors were insiders.

The leading cause of major cybersecurity incidents was password misuse (56%), followed by insider threats (44%), supply chain breaches (40%), non-detection by existing technology (40%), missed vulnerabilities (36%) and various forms of malware.

The fallout of an attack

These incidents mainly led to a loss of customers (56% of cases), significant stress on security operations teams (48%) and business downtime (44%).

In 28% of incidents, companies suffered reputational damage, damages due to third parties, regulatory penalties and higher insurance premiums (only 60% of respondents were fully covered by their cybersecurity insurance).

In cases of ransomware, 78% of South African companies paid a ransom of between $5-million and $10-million (roughly R93,75-million to R187,28-million).

Following major incidents, 44% of South African organisations had to completely overhaul the skills and qualifications of cybersecurity teams (compared to 34% globally), and 36% made significant improvements (35% globally).

In line with the total global pool, 32% overhauled their processes, while 40% overhauled technology (35% globally).

After a breach, 48% implemented new frameworks and standards, and 52% increased their budgets for additional technologies and tools, which they said significantly enhanced resilience following an incident.

Support for security teams

While 48% of cybersecurity operators received significantly more support from their boards following incidents, 52% received only a little bit more support, citing a lack of skills and security operations centre (SOC) analysts, threat hunters or incident responders as major setbacks.

A vast majority of respondents stated that technology vendors were vital both in providing the best tools (76%) and in offering a deep understanding of the threat landscape and threat intelligence (76%). They also expect vendors to provide detailed debriefs of incidents, as well as steps for remediation or avoidance of similar incidents in the future (72%).

Only 20% of organisations switched vendors, while 12% stated plans to switch. Around 68% decided to stick with their existing vendor, saying the cost and effort of transitioning were too great (71%).

The following solutions were already in use before incidents, and were newly deployed afterwards, in these proportions:

* Extended Detection and Response (XDR) – 52% used this before, and 36% adopted it post-incident;

* Endpoint Detection and Response (EDR) – 64% prior, 24% post-incident;

* Security Information and Event Management (SIEM) – 44% prior, 36% post-incident;

* Network detection and response (NDR) – 40% prior, 44% post-incident;

* Managed detection and response (MDR) – 44% prior, 48% post-incident;

* Data loss protection (DLP) – 28% prior, 48% post-incident;

* Threat Intelligence Platform (TIP) – 44% prior, 40% post-incident;

* Security Orchestration and Automation Platform (SOAR) – 48% prior, 32% post-incident; and

* Email security – 60% prior, 24% post-incident.

“In more than half of all cases, a switch to XDR solutions led to faster and more efficient threat detection, and many professionals admitted that major incidents could have been prevented,” says Bolzonello. “However, most of the time technology was simply not configured correctly, and detection policies were not enabled.

“This is why it is so important that, as threat actors collaborate with each other, large organisations adopt a holistic security strategy that involves close consultation with technology vendors, foreign partner nations and global law enforcement to rapidly and effectively erode the power of threat groups.”