Almost a third of the South African businesses surveyed for PwC’s Global Economic Crime and Fraud Survey 2018 were affected by cybercrime over the past two years, ranking South Africa second globally for cybercrime. On top of that, more than a quarter of local respondents consider cybercrime to be the most disruptive economic crime likely to affect their organisations over the next 24 months.
There is no question: cybercrime has pushed awareness of cybersecurity and risk to the top of the pile and, along with it, the need for a well-thought-out Governance, Risk and Compliance (GRC) strategy.
The escalation of cybersecurity threats over the past few years has shifted the way businesses view risk and its management. Ransomware and other prevalent malware attacks have also increased many businesses’ investment in cybersecurity solutions. However, because the impact of these threats now extends beyond IT to disrupt business operations and erode the value of data, it has also shone a spotlight on the way businesses manage their GRC strategies.
Governance, enterprise risk management and regulatory compliance are elements which combine to form an organisation’s GRC strategy. This strategy used to be regarded as a “nice to have” but is now considered to underpin and align the enterprise’s IT, security and business strategies.
The surge in cybercrime has spurred governing bodies to take action, imposing regulations that define how businesses protect and store personal information so that it remains out of the hands of cybercriminals. Businesses are compelled to comply with the likes of GDPR and will soon be expected to comply with the Protection of Personal Information (PoPI) Act as well. This focus on regulatory compliance has turned cybersecurity from a purely IT function into a business GRC concern.
However, not all businesses have paired GRC with cybersecurity yet, and policies outlined by GRC strategies may not incorporate the risks of cyberattacks or the processes, controls and mechanisms required to enforce cybersecurity.
Most organisations have traditionally approached GRC as a ‘tick box’ exercise, but the rise in cybercrime has raised the stakes. Businesses now consider cybercrime less a potential threat and more a likely eventuality, meaning that their approach to GRC not only needs to take cybersecurity into account now, but also needs to be re-evaluated and updated more frequently than before.
In addition, the understanding of what counts as ‘acceptable risk’ has shifted from annual risk monitoring and the possibility of a risk occurring to identifying real threats to the organisation’s assets and operations and planning accordingly.
As more businesses are hit by cybercrime such as ransomware, the risk to business becomes more real, and businesses are responding by incorporating cybersecurity measures into their GRC strategies.
Proactive GRC strategies that take cybersecurity into account help to create more awareness of risk, both internally and externally, by adding, implementing and continually updating policies, procedures and rules.
GRC is something that many large organisations have always done and are now adapting to include cybersecurity. Smaller businesses, however, may not have GRC policies in place at all. With GDPR and PoPIA compliance becoming necessary regardless of the size of a business, smaller organisations are going to need to build GRC strategies and apply the same principles in their businesses. To do so, they will need to understand the risks they face and the controls and mechanisms they can leverage to mitigate them.
The types of cybercrime that have impacted local businesses indicate that the goal of cybercriminals is primarily to make a profit. While larger businesses may be more profitable targets and will certainly not stop being targeted, smaller businesses with less defined GRC policies and, in all likelihood, a smaller investment in cybersecurity may prove to be easier targets.
All businesses need to evaluate their GRC strategy, ensuring they have one in place that covers risks from all angles, and that takes the latest security concerns into account alongside traditional risks.
Businesses that do not have a solid GRC strategy in place, or that continue to view it as a simple ‘tick box’ exercise, are likely to be affected by cybercrime sooner or later. Although there is no guarantee against cybercrime, having the right processes, policies, controls and supporting tools in place is the only way to guard against attack and reduce the risks.
By Simeon Tassev, Managing Director and Qualified Security Assessor at Galix Networking