Cybersecurity: building awareness and resilience in an ever more complex technology landscape

South Africa is ranked among the highest cyberattack regions in the world.


Earlier in 2023, I was speaking at a conference on Linktank’s specialist topic of finding, selecting and implementing the right technology for advisory practices. Midway through, a member of the audience asked me for advice on solutions to assist in the mitigation of cybersecurity risks. I did not have an answer for him. Until that point, we had not put a special focus on this aspect of the technology stack – we simply assumed it was something that fell firmly into the realm of the software providers and IT support, those with the more technical know-how. Subsequent conversations with advisors and vendors, however, have put the item firmly on our agenda.

My explorations into the topic of cybersecurity highlighted not only how vulnerable financial institutions are, but also how regularly every advice practice, every South African business and indeed all our clients fall victim to these attacks.

I’m aware that there are a multitude of articles by specialists who have a far better grasp of the subject than I do, but given the urgency of this topic, I have decided to add my voice, at the very least to highlight the requirement for all of us to build awareness and resilience in this space and to understand a bit more about what it all means. Going forward, it is critical to ensure that any decisions about selecting and implementing technology prioritise a clear cybersecurity strategy as well.

South Africa is ranked among the highest cyber-attack regions in the world

The period over the Covid-19 lockdowns hastened the move to client engagements online and more of the implementation and financial planning activities also shifted into the cloud. Many of us find this new way of working more efficient and cost-effective but it also comes with a whole new set of risks which every business, especially those in financial services, now must navigate. The FSCA has drafted standards which practices need to comply with, but I wasn’t sure how many actually have yet. Turns out, not many.

In an article on ITWeb¹ in July 2023, Tracy Burrows for Rubrik wrote that “African financial services organisations have around 15 months to comply with the new Joint Standard: Cybersecurity and Cyber Resilience by the Financial Sector Conduct Authority (FSCA) and the South African Reserve Bank (SARB) Prudential Authority”, but at the time of writing a poll of participants revealed that only 2% are 100% prepared to implement the Joint Standard and an audit.

A total of 22% said they had completed a gap analysis and were swiftly moving to prepare for it. Another 28% were investigating the policy intending to prepare and a further 28% had not yet investigated the policy. A staggering 18% responded, “What are the Joint Standards?” Moreover, when it comes to complying with the terms of any cybersecurity insurance, financial advisors have expressed how complex it is to understand the requirements, let alone comply with them.

There is a critical need for better understanding and more awareness building for advisors, while vendors and support services actively work to ensure that we build technology solutions which keep our businesses, employees and clients safe. That said, making IT support teams entirely responsible for managing cybersecurity risk, or relying purely on software providers to ensure the safety of your data, is foolhardy. Cybercriminals’ tactics evolve all the time. Our IT teams and software vendors can do all they can to keep up, but it is ultimately down to each user of technology to build their knowledge of the types of threats out there and stay vigilant.

Why the urgency and what are the types of risk?

South Africa is ranked among the highest cyberattack regions in the world.² According to Interpol’s African Cyberthreat Assessment Report 2022, a total of 230 million cyber threats were detected in South Africa, out of which 219 million, or 95.21%, were email-based attacks. What’s worse is that the nation is already suffering from an alarming 100% increase in mobile banking application fraud and is experiencing an average of 577 malware attacks every hour. And what are the loopholes in South Africa’s cybersecurity system that bad actors are taking advantage of? Basically:

  1. Poor investment in cybersecurity systems
  2. Lack of awareness among users of technology
  3. Poor law enforcement action on cyberattack cases


Where do we start to build awareness?

We, the users, are the first line of defence. Ensure you and your team know the most prevalent threats and how they work. Most of the threats come via email with a variety of forms and outcomes:

  • Ransomware – business email compromise and ransomware
  • Phishing attacks – these are experienced across email, WhatsApp and SMS platforms, and even QR codes are now used to get access to your information network
  • Social engineering/impersonation

But there are other threats like:

  • Insider threats – posed by discontented employees or ex-employees/colleagues
  • Device mismanagement
  • Weak passwords
  • Third-party risk – your technology infrastructure and email domain may be secure, but we cannot assume the same for third parties, especially clients using public email addresses

The good news is the growing number of service solutions that offer comprehensive course material advisors can use to build awareness. Most of them will “test” staff members on their cybersecurity prowess. Companies like Mimecast and Synaptic SA are just two which we have recently engaged with, but we intend to find more.

Where do we start to build resilience?

As we gain a better understanding of how to mitigate risks, financial planning practices will start to hear more and more about:

Implementing robust security measures, next-generation anti-virus solutions, including:

  • firewalls
  • antivirus software
  • encryption
  • secure data storage
  • regular data backups
  • multi-factor authentication, strong access controls and incident response plans.

Building resilience means a business has the processes and backups to “bounce back” if it has fallen into a cyberattack trap. Sounds technical, right? So, make sure that the team supporting you from an IT perspective is talking to you about these issues, ensuring the necessary checks are in place and that your team and clients understand why the processes are required.

In summary, don’t let this be another case of “kicking the can down the road” because the consequences could put you out of business. Ask questions and find the right team to educate, advise and support you.

Robyn Clay, Director, Linktank

Sources

1. Financial services must move to comply with new standards for cyber resilience, by Tracy Burrows for Rubrik. www.itweb.co.za

2. What makes SA a target for cybercrime? What actions can be taken? by Eleanor Barlow, content manager at SecurityHQ. www.itweb.co.za
