Much like state capture, the advancement of cyber crime is moving into an area and time span of “cyber capture”.
This comes amid rising cyber crime incidents, according to professor Basie von Solms, director at the Centre for Cyber Security at the University of Johannesburg.
He was speaking at this week’s ITWeb Security Summit, detailing the importance of cyber security governance and corporate governance.
Von Solms said that cyber crime is not going away, and that its disappearance is not even a possibility. “It’s going to grow day-by-day. Board members have an incentive for taking the lead in cyber security because they may be held personally accountable for a breach.
“Increasingly, governments and stakeholders are demanding greater accountability for security issues, considering it is an integral part of the director’s code of conduct.”
Like the rest of the world, South African organisations have increasingly become targets of cyber criminals. For example, in March, TransUnion’s systems were compromised, leaving millions of personal records of South Africans at the mercy of hackers.
Shortly afterwards pharmacy retail giant Dis-Chem announced that a cyber incident emanating from its third-party service provider resulted in data of over 3.6 million South Africans being compromised.
In September last year, over a million South African citizens potentially had their personal data exposed after a ransomware attack at debt recovery services firm Debt-IN Consultants. Most local banks make use of Debt-IN Consultants’ services.
In 2020, credit bureau Experian suffered a breach of data, which exposed some personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.
All aboard?
According to Von Solms, in terms of international best practice, corporate governance includes information technology governance, which includes cyber security governance.
Cyber security governance is therefore part of IT governance, he told the audience, adding that IT governance is an essential core part of corporate governance.
This, according to him, is the first message that the boards and executive management must understand – if they don’t already.
For senior people within organisations – at executive and board level – to say that IT and cyber security governance is a technical issue is simply not true. “It is part of your oversight and accountability responsibility as a board member.
“King IV clearly states, the board is tasked with the approval and overseeing of the technology and information policy of the company. This overseeing of these policies includes proactive monitoring of intelligence to identify and respond to incidents, including cyber attacks.
“Cyber security is a multi-dimensional and multi-disciplinary issue, which includes the legal department, the HR department, and the physical security department – it includes the whole company. Every worker is part of the cyber security protection of that company.”
He said that cyber security must be a permanent item on the agenda of the board of directors within companies, adding that board directors are responsible for risk management. “Just as the board is responsible for financial governance…it is responsible for cyber security governance.
“This does not mean that the board of directors must be technical cyber security experts, far from it. There must be somebody representing cyber security on the board, it may be an external consultant or the CIO.
“There must be a voice on the board with the knowledge to answer questions, such as how vulnerable are we? Are we going to be the next TransUnion? Or are we going to be the next Transnet hack?”