
Almost half of South African companies needed overhaul after cybersecurity incidents

23rd January 2024

By: Schalk Burger

Creamer Media Senior Deputy Editor



Cybersecurity company Trellix's 'Mind of the CISO 2023' report found that nearly half of South African organisations found it necessary to completely overhaul the skills and qualifications of their cybersecurity teams and make significant process and technology improvements following major cybersecurity incidents in 2023.

The report surveyed 500 security executives from 13 countries around the world, including South Africa. South African respondents represented organisations with staff sizes ranging from 1 000 to 10 000 employees, mainly in healthcare, energy, manufacturing, financial services and the public sector, the Trellix Advanced Research Centre said.

Most respondents said cybersecurity incidents involved phishing at 40%, ransomware at 36%, business email compromise at 32%, credential stealing at 28% and distributed denial of service (DDoS) attacks.

Respondents also shared that 28% of attacks were State-sponsored, meaning they were carried out by hacking syndicates backed by hostile States, while 24% of threat actors were insiders.

Further, the leading cause of major cybersecurity incidents was password misuse at 56%, followed by insider threats at 44%, supply chain breaches at 40%, non-detection by existing technology at 40%, missed vulnerabilities at 36%, and various forms of malware.

“The persistence of threat actors from around the world, and Africa’s rapid economic growth and industrialisation is placing incredible pressure on large organisations and their cybersecurity teams,” said Trellix South Africa country lead Carlo Bolzonello.

“South Africa, as a leading technological, political and economic nation, is especially targeted. Organisations of all sizes need to start adopting a more comprehensive approach to cybersecurity, driven by smart tools, shared data, and close collaboration with internal and external stakeholders,” he noted.

South Africa is the most targeted African State, accounting for 42% of all detected ransomware attacks and more than half of business email compromise attacks on the continent.

These incidents mainly led to a loss of customers in 56% of cases, to significant stress for security operations teams in 48% of cases and to business downtime in 44% of cases.

In 28% of incidents, companies suffered reputational damage, damages due to third parties, regulatory penalties and higher insurance premiums, and only 60% of respondents were fully covered by their cybersecurity insurance.

In cases of ransomware, 78% of South African companies paid a ransom of between $5-million, or R93.7-million, and $10-million, or R187-million.

“Following major incidents, 44% of South African organisations had to completely overhaul the skills and qualifications of cybersecurity teams, compared to 34% globally.

In South Africa, 36% of organisations made significant improvements following a cybersecurity incident, similar to 35% globally. Also, in line with the total global pool, 32% of local companies overhauled their processes, while 40% overhauled technology, compared to 35% globally.

“After a breach, 48% implemented new frameworks and standards, and 52% increased their budgets for additional technologies and tools, which they said significantly enhanced resilience following an incident,” the report showed.

Meanwhile, 48% of cybersecurity operators said they received significantly more support from their boards following incidents, but 52% received only a little bit more support and cited a lack of skills and security operations centre analysts, threat hunters or incident responders as major setbacks.

A vast majority, at 76%, of respondents stated that technology vendors were vital in not only providing the best tools, but also a deep understanding of the threat landscape and intelligence at 76%. They also expect detailed debriefs of incidents, as well as steps for remediation or avoidance of similar incidents in the future from vendors, at 72%.

Only 20% of organisations switched vendors, while 12% stated plans to switch. Around 68% decided to stick with their existing vendor, with 71% saying the cost and effort of transitioning were too great.

In terms of the technologies used prior to and then after an incident, 52% of respondents used extended detection and response (XDR) before, and 36% adopted it after the incident.

Of the respondents, 64% used Endpoint Detection and Response (EDR) before an incident and 24% adopted it afterwards, and 44% of companies used Security Information and Event Management (SIEM) before, with 36% adopting it post-incident.

Similarly, 40% of respondents used network detection and response (NDR) prior to an incident, and 44% adopted it after, while 44% used managed detection and response (MDR) before an incident, with 48% adopting it post-incident.

Additionally, 28% of companies used data loss protection (DLP) prior to, and 48% then adopted it after the incident, while 44% used threat intelligence platform (TIP) before, and 40% adopted it post-incident.

In terms of security orchestration and automation platform (SOAR), 48% of respondents used it prior to an incident and 32% adopted it afterwards, while 60% used email security before an incident, and 24% then adopted it after an incident.

“In more than half of all cases, a switch to XDR solutions led to faster and more efficient threat detection, and many professionals admitted that major incidents could have been prevented. However, most of the time technology was simply not configured correctly, and detection policies were not enabled,” highlighted Bolzonello.

“This is why it is so important that, as threat actors collaborate with each other, large organisations need to adopt a holistic security strategy that involves close consultation with technology vendors, foreign partner nations and global law enforcement to rapidly and effectively erode the power of threat groups,” he advised.

Edited by Chanel de Bruyn
Creamer Media Senior Deputy Editor Online


