CSIR lifts lid on South Africa’s dire security posture
Cyber security incidents are now at the same scale as corruption in SA, says the CSIR security research team.
The financial implications of cyber attack incidents in South Africa are akin to corruption, says the Council for Scientific and Industrial Research’s (CSIR’s) Dr Jabu Mtsweni.
The chief researcher and manager of the CSIR information and cyber security research centre spoke yesterday at the presentation of the CSIR’s national cyber security surveys, undertaken at the end of the 2023/24 financial year.
The CSIR conducted the surveys in collaboration with the Cyber Security Hub, under the Department of Communication and Digital Technologies, with about 1 200 respondents from across ICT, financial and various other sectors.
The research delves into cyber security preparedness and resilience in the public sector, cyber security skills gaps, cyber security incidents and the digital identity landscape in SA.
Providing an overview of the findings, Mtsweni said cyber security-related incidents have been on the increase over the past 10 years, suggesting criminals are finding easier ways to make money, as they no longer physically have to rob banks.
Among the key issues, he revealed, is that companies are unable to respond timeously to cyber-related attacks, and the skills shortage continues to be a challenge.
“As a nation, we are ill-prepared in terms of dealing with this,” said Mtsweni.
“We are also seeing that cyber security awareness is not prioritised, with only 32% of organisations training their employees.
“Many organisations think that cyber security is something that you can do once and forget about it. When we make a fuss about cyber security incidents today, it is because it’s now at the same scale as corruption and other challenges in the country when it comes to financial and social impact.”
Repeat victims
Over the last few years, local organisations – particularly government entities, healthcare and financial firms – have fallen victim to attacks and data breaches, or been forced offline.
This led to the Information Regulator, SA’s data privacy enforcer, noting the alarming rate at which data breaches are increasing in the country. In the 2023 financial year (February 2024), the regulator said it received over 1 700 reported security compromises – more than triple the number of the previous year.
Detailing the frequency of cyber attacks in the public and private sectors, Homba Ngejane, senior cyber security specialist at the CSIR, said 88% of the respondents indicated they had been breached, with 90% attacked more than once. Only 12% said they had not been attacked.
The types of cyber attacks experienced included denial-of-service, ransomware and wiper attacks, with malware, application attacks and insider threats emerging as the most common cyber threats.
“It was found that the root causes are mainly third-party connections to an enterprise, end-user phishing and hardware-based attacks,” noted Ngejane.
“We have observed that once an organisation has been attacked, the likelihood is that it will be attacked repeatedly.”
As to the financial impact of attacks, Ngejane said that, counting fines and the cost of hiring service providers to remediate the incident, 4% of the respondents said they had lost up to R1 million. Other organisations incurred costs of up to R500 000.
Public shame
The CSIR’s research team also shared the findings of its survey of cyber security awareness and preparedness in the public sector, based on 301 respondents from government departments, municipalities and other public entities.
Thuli Mkhwanazi, cyber security researcher at the CSIR, said 47% of public sector institutions reported experiencing one to five cyber security incidents in the past year, reflecting the prevalence of cyber threats in the public sector.
She added that malware and phishing attacks are the most challenging cyber security threats faced by the sector.
“Public sector institutions in SA conduct cyber security risk assessments fairly frequently, with 68% doing so at least monthly. Despite 64% of the respondents being very prepared, there is still a small percentage (6%) that lack confidence in handling cyber security incidents.
“There’s a positive trend in employee cyber security awareness training, but there’s still room for improvement, with 7% not training any employees and only 32% training only 1% to 25%.”
Meanwhile, 89% of the respondents reported having a formal cyber security incident response plan.
Based on the survey findings, the CSIR has made the following recommendations:
Invest in cyber security: Increase investment in cyber security infrastructure, education and research.
Develop a skilled workforce: Prioritise the development of a skilled cyber security workforce through training and education programmes.
Strengthen incident response: Enhance security response capabilities to effectively handle cyber attacks.
Improve digital identity: Implement robust digital identity solutions to protect users online.
Foster public-private partnerships: Encourage collaboration between the public and private sectors to address cyber security challenges.
“By addressing these recommendations, SA can significantly improve its cyber security posture and protect its critical infrastructure and citizens from cyber threats,” according to the researchers.