Kathy Gibson reports – Cybersecurity is a very polarising issue – companies are either convinced they will never be attacked or they are completely paranoid.
This is an observation from Akhilesh Tuteja, global cyber security practice co-leader at KPMG, who goes on to say that cybersecurity is a major issue and organisations simply cannot afford to ignore it.
As KPMG launches the Africa Cybersecurity Outlook 2022, Tuteja points out that cybersecurity is becoming extremely verticalised, with targeted attacks that are specific to each industry.
At the same time, the attack surface is increasing exponentially, he says. “It is no longer just the computers we use in the office; it is IoT sensors, even devices that seem as innocuous as digital signage.”
And, for attackers, cyberattacks are no longer a technical issue, but very much a financial and economic issue. “Crimeware for hire is increasing the risks organisations face,” says Teteja.
Cybersecurity vendors are responding to the increased threat with ever-more sophisticated technology – but they are often behind the curve. “We have AI to help us be smarter, but so do the hackers.”
These trends mean that the cybersecurity landscape has changed.
“The traditional approach to cybersecurity is not working,” Teteja points out. “As the attack surface increases, we will never be able tot catch up. We need to find different approaches, to be more efficient and smarter.”
Because attackers are indiscriminate in who they target, cybersecurity has become everyone’s problem, with different disciplines with organisations having to work together with one another and other organisations.
“The time is now to bring all the skills together: technoloygy, business, data, integrity, design thinking and more,” Tetaja says. “We need to create an uncommon combination of skills to address the issue.”
David Ferbrache, global head of cyber futures at KPMG, explains that as the digital economy grows, so does cybercrime and its exploitation.
“Globally, cybercrime has become big business – as much as $1-trillion by some estimates. It is transnational in nature and highly organised.”
This means that global co-operation is vital, and countries need to have the legal frameworks in place, plus the law enforcement capacity and judicial systems to address cybercrime.
“Increasingly this links to public-private partnerships,” Ferbrache says. “The thing with cybercrime is that it is very agile, very entrepreneurial. That requires that we are able to rapidly identify and interrupt the crimes.”
The way we address cybercrime is rapidly changing, he adds. “In the past we used to focus on protective measures. Those are still important, along with patching and vulnerability management, but these need to happen alongside a changing mindset.”
With things like ransomware becoming increasingly commoditised, and happening at scale, attacks are becoming far more disruptive – to the point where organisations could actually go out of business as a result. Rebuild timescales can now run to weeks or months, making recovery from an attack a long, complex and painful process.
“Regulators are asking how organisations can be more responsive, get back on their feet quicker, or have fallback positions,” Ferbrache says. “This resilience theme is a big issue now.”
Cyberattackers today are increasingly targeting supply chain, managed services and cloud services which, if they are compromised, offer a quick route to a lot of victims.”
“This means cybersecurity today really does demand a community approach,” says Ferbrache. “We need to bring communities together, share information on threats and best practice, and tackle supply chain issues together.
“The mindshift needs to move from just protecting the walls around my virtual business to a broader view as to what cybersecurity means – and much of that is protecting my customers and clients, not just my perimeter.”