Military risks immediately spring to mind: a recent report found that even the Pentagon’s latest advanced military systems are vulnerable and can be “easily hacked”. The consequences for citizens of rogue military assets is unthinkable. But that fear is not reserved for fighter jets and frigates: the hacking of a nation’s tax collection system, for example, would have a crippling effect on the economy, global investor confidence, disbursement of social and public services, and citizen trust in government institutions.
South African cyber resilience in the spotlight
A succession of high-profile government data breaches both locally and abroad has cast a stark light on the importance of effective public sector cybersecurity policies and protections. Without fully functional public institutions such as revenue collection, freight handling, military defence, and social grant disbursement, governments will find it hard to instil confidence among its various stakeholders and service delivery to citizens, businesses and public institutions will be impeded.
The rise of the smart city – a catch-all phrase for cities that utilise emerging technologies such as IoT to improve service delivery and enhance the citizen experience – further complicates matters. With the digitisation of government in full swing, any exploitation of cybersecurity vulnerabilities of the operational technologies that power our electricity generation or freight handling capabilities could cripple essential government services and leave millions without much-needed public or social services.
The South African government has taken note: the Cybersecurity Hub established by the Department of Telecommunications and Postal Services is a positive step toward improved cybersecurity awareness and information sharing across the South African public and private sectors. And Defence Minister Nosiviwe Mapisa-Nqakula’s recent commitment to collaborate with other countries to effectively deal with the challenge of modern cybersecurity is a timely acknowledgement that South Africa is as vulnerable to cyber threats as its more developed peers.
I would argue that Minister Mapisa-Nqakula and her colleagues should prioritise cyber resilience within the public sector as a first line of cyber defence. Cyber resilience refers to an organisation’s ability to continue to operate or deliver services despite adverse cyber events. And its first port of call in this regard should be greater awareness among its hundreds of thousands of employees regarding the different types of cybersecurity threats, how to spot them, and how to prevent them.
Action plan for improved cybersecurity awareness
In a global study by Mimecast and Vanson Bourne, more than a third of global public sector companies lacked confidence in their employees’ ability to identify impersonation fraud asking for sensitive company data such as HR or financial information. And yet, only 14% train their employees continuously to ensure they have the awareness and knowledge to identify potential cyber threats.
Awareness training, a process of ensuring employees have the knowledge and insight to identify potential cyber threats, is an indispensable part of any effective cyber defence strategy. But government should look beyond defence-only cybersecurity to a cyber resilience strategy built on three key principles: 1) ensuring the correct security measures are in place prior to an attack; 2) implementing a durability plan to keep email and business operations running during an attack; and 3) ensuring they have the ability to recover data and critical IP after an attack.
The ability to adapt to continually evolving and escalating cyber threats is critical, but it’s a task made immensely challenging by a global shortage of skilled security professionals. This places the spotlight on end-user training: without the relevant security skills in place, it becomes even more important for cybersecurity to be a shared responsibility across the organisation. Government-led education initiatives in collaboration with private sector companies can significantly improve the awareness of staff at all levels of the public service to identify and combat emerging cybersecurity threats.
The concept of cyber awareness training should play a starring role in any government-led cyber defence initiative. Public sector employees that display risky behaviour – such as opening emails from unknown senders, clicking on links without validating them first, opening attachments without care and using work devices for personal activities – should undergo regular training to ensure they understand the risks associated with such activities.
According to a Google Consumer Research report commissioned by Mimecast, nearly one in four employees aren’t even aware of the most basic cyber threats to their organisation, including phishing and ransomware. Imagine the dire consequences of a successful ransomware attack on a government department providing medical services to vulnerable citizens. Cybercriminals are constantly innovating and finding new ways to infiltrate an organisations defences. So, without adequate awareness and understanding of the various ways cyber criminals could penetrate government systems, no amount of investment in technology will safeguard our public institutions.
Public sector employees are government’s most valuable assets in the fight against cyber threats. But without proper awareness and training, they will remain ill-equipped to deal with the growing complexity of modern cyber threats – with potentially devastating consequences for our citizens, country and democracy.
By Thomas Mangwiro, Public Sector Security Specialist at Mimecast