The statistics make for worrying reading. According to the Veeam Data Protection Trends Report 2022, 97% of South African companies experienced an outage due to a cyberattack in the past 12 months. Of those, almost nine in 10 (86%) suffered a ransomware attack.
By Chris Norton, regional director for Africa at Veeam Software
At a time when organisations can access advanced technologies to safeguard their data, the question must turn to how these incidents can still occur. It comes down to the fear, uncertainty, and doubt (FUD) that exploits human emotion and contributes to the significant protection gap in South Africa, which 78% of local businesses admitted to having.
FUD is generally a strategic attempt to influence perception by disseminating negative and dubious or false information. First used in the 1970s, FUD can be seen as a tactic that exaggerates the risk of something and makes a business doubtful of its ability to handle those threats by itself.
IT departments are constantly managing a trade-off between convenience and security. It seems to be about either rushing in to implement cybersecurity or wanting to do it right. Given the prevalence of cyberattacks, it is only understandable for business and technology leaders to want to prioritise investing in digital strategies that deliver competitive advantage while having the necessary cybersecurity measures in place to act as an insurance policy against data breaches.
But in their haste, they must be careful not to fall into the FUD trap. This is something that is taken advantage of as much by some cybersecurity vendors as it is by the attackers themselves. Some solutions providers are too easily pitching the idea of a silver bullet approach when it comes to defending against cyber threats. Furthermore, these vendors are employing FUD tactics to drive urgency during sales cycles, which can potentially lead to companies purchasing solutions that do not meet their business and – more pertinently – their strategic security needs.
Putting all the proverbial cybersecurity eggs in one basket is therefore an ill-advised strategy that may come as a result of FUD forcing the hands of decision-makers. Criminals are well versed in exploiting weaknesses in enterprise IT systems. The saying that ‘it only takes one hole to sink a ship’ definitely applies to security as well: all it needs is one vulnerable entry-point exposing the business to crippling cyberattacks.
For example, backups and archived data can be targeted by cyber criminals as data which is not ‘live’, and consequently may go overlooked by IT departments. New forms of attack on vital data need secure backup, recovery, and data management solutions to counter them. With a robust Modern Data Protection strategy, businesses can ensure that their backups are not the back door.
Living in fear
Of course, it is understandable that FUD tactics are working.
Decision-makers are under constant pressure to safeguard their systems and data from compromise. Adding impetus to this is the continually evolving legislative environment. Compliance requirements like the General Data Protection Regulation (GDPR) in the European Union and the Protection of Personal Information Act (POPIA) in South Africa mean businesses face significant financial penalties if they are found not to have made reasonable efforts to keep their sensitive data safe.
Sadly, it has become far too easy for cybersecurity vendors to capitalise on FUD as a quick-fire tactic to sell products and services. Much of this comes down to exploiting inherent operational weaknesses when it comes to data resilience and protection.
Within South Africa, cybercriminals are leveraging COVID fallout, the continued load shedding crisis in the country, and other current events to drive social engineering campaigns built on FUD. For instance, they push employees to click on compromised links by using email subject lines that prey on their current fears, at a time when remote working outside the relative safety net and security of the corporate network is commonplace.
When it comes to successful ransomware breaches, FUD is a tactic very effectively used by cybercriminals to threaten executives with the sharing of sensitive company or personal information. These attackers use extensive intimidation tactics to ‘scare’ those who experienced the breach into paying the ransom even though law enforcement agencies and cybersecurity providers advise against doing so. The Veeam Ransomware Trends Report 2022 has found that 86% of South African companies suffered ransomware attacks. Per attack, businesses were unable to recover 31% of their lost data.
The practical reality
But while businesses can outsource data management to cloud service providers, they can never outsource responsibility for their data. So, IT departments must embrace Modern Data Protection and ensure all data is backed up, recoverable, and secure across their entire data management provision. In practice, this strategy should follow the 3-2-1-1-0 rule. This requires an organisation to maintain at least three copies of its data, on two different media, with at least one copy stored at an offsite location, one copy immutable, air-gapped or offline, and all backups verified as containing zero errors.
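A check of a backup inventory against the 3-2-1-1-0 rule described above, as an added example that is not Veeam's code. The `BackupCopy` record, its field names and the sample inventories are assumptions constructed for illustration, and the production copy is counted as one of the three copies.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:                      # hypothetical inventory record
    name: str
    media: str                         # e.g. "disk", "tape", "object-storage"
    offsite: bool = False
    isolated: bool = False             # immutable, air-gapped or offline
    is_backup: bool = True             # False for the production copy
    verify_errors: Optional[int] = None  # None = never verified


def check_3_2_1_1_0(copies: List[BackupCopy]) -> List[str]:
    """Return the rule clauses the inventory violates (empty list = compliant)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"3: {len(copies)} copies, need at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append(f"2: {len(media)} media type(s), need at least 2")
    if not any(c.offsite for c in copies):
        problems.append("1: no copy is stored offsite")
    if not any(c.isolated for c in copies if c.is_backup):
        problems.append("1: no backup is immutable, air-gapped or offline")
    for c in copies:
        if not c.is_backup:
            continue                   # verification applies to backups only
        if c.verify_errors is None:
            problems.append(f"0: {c.name} has never been verified")
        elif c.verify_errors > 0:
            problems.append(f"0: {c.name} verified with {c.verify_errors} error(s)")
    return problems


# Constructed sample inventories (not real data).
WEAK = [
    BackupCopy("prod-db", "disk", is_backup=False),
    BackupCopy("nightly-nas", "disk", verify_errors=0),
    BackupCopy("weekly-nas", "disk", verify_errors=2),
]
GOOD = [
    BackupCopy("prod-db", "disk", is_backup=False),
    BackupCopy("nightly-nas", "disk", verify_errors=0),
    BackupCopy("weekly-tape", "tape", offsite=True, isolated=True, verify_errors=0),
]

if __name__ == "__main__":
    for label, inv in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(label, check_3_2_1_1_0(inv) or "compliant")
```

A backup that has never been test-restored or verified is reported as a violation of the final "0" clause, the same as one that verified with errors.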
Beyond this, knowledge is a key weapon in the fight against FUD being used as a scare tactic. Organisations should regularly provide cybersecurity awareness training for their employees to keep them informed of the latest social engineering techniques used by cybercriminals. By being proactive in this regard and making it a part of company policy and due process, the business can ensure that it strengthens what can be referred to as the ‘human firewall’ to complement what it is already doing from cybersecurity and Modern Data Protection technology perspectives.
However, FUD can also be used as a positive tactic by the company itself. It can stage frequent penetration testing scenarios without informing employees as a means to identify the response of workers when it comes to potential crisis situations. Furthermore, these “dummy” tests also help employees learn how to deal with any type of malicious activity.
Just like anything, FUD is not all that clear cut. The positive component of it is that the tactics are continually putting data security under the spotlight. Yes, it can have devastating consequences if companies go out and buy everything vendors sell to them, but it can also spur cybersecurity initiatives to bolster the data protection real estate of a business.