A rapid rise in data breaches across numerous sectors has highlighted the intensity and ease with which cybercriminals can sabotage and hold for ransom valuable data and quickly bring seemingly secure institutions to their knees. What can organisations do to protect themselves? Hosted by commercial law firm Cliffe Dekker Hofmeyr (CDH), a recent webinar entitled ‘Enemy at the Gates: The practicalities and difficulties of data breaches’ revealed the top cyber threats facing businesses to be business email compromise, hacking and ransomware.
The chief executive officer at Digital Forensics Lab, Cyanre, Danny Myburgh noted that there is also a rise in double extortions taking place in which hackers come in, steal data and then encrypt it with the aim of extorting companies to not only get their data back but then decrypt it as well. It doesn’t stop there, Myburgh said triple extortions are even happening in which hackers not only steal and encrypt data, but also mine it to identify and directly extort other data subjects. “Typically, many of the vulnerabilities we find have been left there by disgruntled employees. This is particularly true for disgruntled former IT administrators who have knowledge of the systems in place. When you exit people, it is important to keep these vulnerabilities in mind,” said Myburgh.
In his presentation, Myburg identified two main modes of attack in which cybercriminals target organisations. The first one is the shotgun approach. “This is where the attackers send out a million emails and if one of your employees is unlucky enough to click on it, unfortunately, they have fallen for the scam,” said Myburgh.
The second most common mode of attack is the most concerning. This is what Myburgh calls the targeted attack. “Hackers focus on one organisation, perform in-depth background research and then specifically target and attack an organisation through accessible vulnerabilities. This is where employees tend to form the weak links, not the infrastructure.”
Unprotected mail accounts with no two-factor authentication, outdated software, poor password control, and a lack of sturdy firewall protocols are just a few of the common vulnerabilities that organisation’s can easily control. While it may be easy to secure your data in theory, the reality is that hackers tend to be two steps ahead.
What happens when a data breach happens to your business? Director and practice head , CDH technology, media and telecommunication practice, Preeta Bhagattjee said the first and most important step is to be calm, cool and collected. “When you are a victim of a data breach there are several important levers that would need to be considered quite quickly.”
While assessing the extent of the breach and the data that has been impacted, Bhagattjee says one would need to juggle many balls against which strategic, time-sensitive and legally informed decisions need to be made. When managing a data breach incident, Bhagattjee highlighted a few critical steps that should be taken. These include:
· Reporting obligations – depending on the type of breach and laws that apply to your business – there may be a number of reporting obligations (including under data privacy and cybercrime laws);
· Managing reputational risk – even though the payment of a ransom is not generally illegal, legal considerations along with reputational risk is to be understood if you are considering paying a ransom demand (i.e. known terrorist organisations);
· Managing system and technology risks – taking steps quickly to mitigate the technology breach or vulnerabilities but at the same time ensuring evidence is preserved for authorities;
· Ensuring business continuity – consider the ramifications if you cannot continue to fulfil your contractual obligations to customers in light of the data breach;
· Possible damages, costs, fines, and penalties –Claims for damages by the victims of the breach (ie If personal information of customers is published or they are defrauded by the cybercriminals), being subject to fines and penalties as well as the cost of systems changes and upgrades can arise due to the breach;
· Need an effective risk mitigation plan – understanding the learning and preparing policies and procedures for the next attack are key.
“You need to understand where data is coming into and leaving your organisation, who manages it, and what rules apply to the gatekeeping of this data. Effective contracting with third-party data processors help address the risk and frame the rules and procedures of avoiding a data breach but also handling a data breach incident if it occurs,” said Bhagattjee.
As CDH has a presence in both South Africa and Kenya, the webinar delved into the ramifications of data breaches specific to each region. In South Africa, this meant an application of POPIA and how this data privacy regulation needs to be factored in. In Kenya, this discussion pertained to the country’s Data Protection Act.