Innovations in technology that make applications, data and networks more accessible and devices more mobile are also creating new challenges for information technology (IT) professionals responsible for cyber-security.
And while organisations in South Africa feel they're doing a good job today in defending themselves from cyber-security threats, they also acknowledge that the risks are increasing.
IT industry association CompTIA recently concluded a survey of nearly 1200 IT and business executives in six countries - including South Africa - who are directly involved in setting or executing information security policies and processes within their organisations. The results were published in CompTIA's Ninth Annual Information Security Trends study.
Cyber-security top priority
The survey found that cyber-security is a top priority for South Africa, more so than for the other countries in the CompTIA study. A full 81% of South African companies said cyber-security is at the top of their IT priority list for 2012. Additionally, three-quarters of organisations said cyber-security will continue to move upward on the priority list.
The main security concerns among South African companies today are malware (96% of organisations surveyed), hacking (94%), data loss (87%), social engineering (87%) and human error among end-users (85%). Nearly nine in ten companies (89%) said understanding the security risks of emerging areas is another high-level concern.
More connectivity, more threats
One of the biggest factors driving cyber-security concerns today is the greater interconnectivity of devices, systems and users. Billions of devices are connecting to the internet daily and each touch-point is a potential source of new security vulnerabilities. With more data being produced and touched by more people, the potential for data loss or leakage grows accordingly.
Specific concerns among South African organisations with regard to the greater mobility of workers and devices include mobile malware, malvertising and employees downloading unauthorised applications. 45% of companies believe that they have struck the right balance when it comes to security and the mobility needs of employees.
Cloud a loss of control
Though a significant proportion of South African companies have not yet adopted cloud computing, among those that use the cloud, a major concern voiced with regard to cloud security is the loss of control for the company. This is more of a concern in South Africa than in other countries surveyed. The majority of companies using the cloud undertake at least a moderate review of policies with a focus on data backup, data integrity and identity and access management. More than three-fourths of companies are confident about the security capabilities of their cloud providers.
Human element also a concern
South African executives responsible for cyber-security believe that the human element is responsible for most breaches and is more of a factor today when compared to two years ago. The failure of end-users to follow procedures and carelessness are cited as the main reasons for this increase.
On average, South African companies said they experienced five security breaches in the past 12 months, with 63% attributed to human error and 37% to shortcomings in technology. Data loss was reported by 47% of South African companies surveyed. Types of data lost included financial data, corporate intellectual property and employee data.
Education and training
The value of ongoing cyber-security education and training is clear to the large majority of organisations: 61% of companies said their staff needs more training and education. Among IT staff, 38% of South African companies report having fewer IT security staff (6.1 employees on average) than are needed (8.4). Additionally, 42% have experienced challenges in hiring security specialists. South African companies also value security certifications for IT staff, with 75% using certifications formally or informally. Security certifications deliver high or moderate return on investment for nearly all South African companies (94%).
About the author:
Todd Thibodeaux is the president and chief executive officer of CompTIA, a non-profit trade association dedicated to advancing growth of the information technology industry through educational programs, market research, networking events, professional certifications and public advocacy. For more information, visit www.comptia.co.za.
Breach! What companies do when it happens.
When confronted with a security incident or breach, organisations took the following actions:
- 68% reviewed and updated the staff security policy.
- 44% reviewed and updated the configuration of systems, servers and firewalls.
- 44% reviewed and updated a process for installing security updates and patches.
- 37% reviewed and updated the overall governance framework.
- 35% reviewed and updated staff security training.