In today’s digitally driven world, information technology is a foundation for business growth and sustainability. The volume of data continues to grow rapidly, as does the rate at which organizations share it over online networks. Millions of devices such as tablets, smartphones, ATMs, CCTV cameras and environmental control systems are linked together, multiplying the interdependencies between them. This growth in information, its availability and its connectivity also means that organizations no longer have direct control over the security of their data.

A cyber threat is the possibility of a malicious attempt to disrupt or damage computer systems. The threats currently seen in our environment range from theft of PCs holding confidential information to ATM card cloning. Cyber criminals know that the market is vulnerable. Driven by motivations ranging from financial gain and promotion of an ideology to espionage or terrorism, individual hackers, activists and organised criminals are attacking government and company networks with increasing frequency and severity.

 

Cyber Incidents in the Business Environment

A minority of local businesses have made significant progress on their cyber security responsibilities over the past few years, and most of these now point to impressive capabilities, controls and processes. They would not be an ‘easy target’, but they have yet to reach an advanced level of cyber security maturity. The rest have some catching up to do.

 

The majority of businesses lack discipline in some of the following areas:

  • Documenting policies and procedures for cyber security controls;
  • Keeping information and IT asset registers up to date;
  • Tracking emerging threats;
  • User awareness of basic security controls;
  • Applying key security patches promptly;
  • Secure configuration and hardening of key platforms;
  • Monitoring and controlling access management (particularly off-boarding of employees and contractors); and
  • Backup and recovery of critical data.
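The off-boarding gap in the list above is one of the few that can be checked mechanically: reconcile the HR leaver feed against the identity provider's account export and flag enabled accounts whose owners have left, plus enabled accounts nobody uses. The script below is an added example written for this article, not a KPMG tool; the usernames, dates and the 90-day staleness threshold are constructed, and the two input formats (a username-to-leaving-date map and a list of accounts with an enabled flag and last-login date) are assumed stand-ins for whatever the HR system and directory actually export.

```python
"""Off-boarding reconciliation: HR leaver list vs. identity-provider export.

Added example, not from the article. All data below is constructed.
Assumed inputs: a hypothetical HR feed mapping username -> leaving date,
and a hypothetical IdP/AD export of accounts with an enabled flag and a
last-login date (None if never used).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]  # None means the account has never logged in


# Constructed HR leaver feed (hypothetical usernames).
HR_LEAVERS: Dict[str, date] = {
    "jmoyo": date(2023, 1, 15),
    "tchikwanda": date(2023, 3, 2),
    "contractor_acme": date(2022, 11, 30),
}

# Constructed IdP export (hypothetical usernames).
IDP_EXPORT: List[Account] = [
    Account("jmoyo", True, date(2023, 3, 20)),        # left in January, still logging in
    Account("tchikwanda", False, date(2023, 2, 28)),  # correctly disabled on departure
    Account("contractor_acme", True, None),           # contractor gone, account never disabled
    Account("nndlovu", True, date(2022, 6, 1)),       # current staff, dormant account
    Account("svc_backup", True, date(2023, 3, 25)),   # service account in regular use
]

STALE_AFTER = timedelta(days=90)

Finding = Tuple[str, str, str, str]  # (kind, username, severity, detail)


def reconcile(accounts: List[Account], leavers: Dict[str, date], today: date,
              stale_after: timedelta = STALE_AFTER) -> List[Finding]:
    """Return ORPHANED findings (enabled account whose owner left) and
    STALE findings (enabled account unused for longer than stale_after).

    A login *after* the leaving date is the strongest signal that an
    ex-employee or contractor still has working access, so it is rated HIGH.
    """
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; deletion after retention is out of scope here
        left_on = leavers.get(acct.username)
        if left_on is not None:
            used_after_leaving = acct.last_login is not None and acct.last_login > left_on
            severity = "HIGH" if used_after_leaving else "MEDIUM"
            findings.append(("ORPHANED", acct.username, severity,
                             f"left {(today - left_on).days} days ago"))
            continue
        if acct.last_login is None or today - acct.last_login > stale_after:
            findings.append(("STALE", acct.username, "LOW",
                             "no login within %d days" % stale_after.days))
    return sorted(findings)


def report(findings: List[Finding]) -> str:
    """Plain-text report suitable for pasting into an access-review ticket."""
    return "\n".join(f"{kind:<8} {sev:<6} {user:<16} {detail}"
                     for kind, user, sev, detail in findings)


def run_example() -> List[Finding]:
    """Run the reconciliation over the constructed data as of 2023-04-01."""
    return reconcile(IDP_EXPORT, HR_LEAVERS, today=date(2023, 4, 1))


if __name__ == "__main__":
    print(report(run_example()))
```

Run weekly, the ORPHANED list is the off-boarding failure rate, and the STALE list feeds the periodic access review; disabling rather than deleting on departure keeps audit history while removing the exposure.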

Most companies blame the current difficult economic environment for their failure to implement solid cyber security measures. A closer look at the areas above suggests, however, that much would be gained simply from rigour around the operating effectiveness of the controls and processes already in place, and from implementing the controls that have already been recommended.

Cyber incidents are intentional attacks or unintentional breaches, including gaining unauthorised access to digital systems to disrupt operations, corrupting data, stealing sensitive information or causing denial of service on business websites. Entities that use and/or retain large amounts of Personally Identifiable Information (PII), such as financial institutions that process significant volumes of card transactions, insurers, healthcare organisations and retailers, are the most exposed to such incidents. However, PII can be stolen from entities in any industry, and the information stolen is not necessarily limited to customer data.

The threat landscape continues to evolve. Criminals are repurposing attacks used against banks to target other institutions such as insurers, e-retailers and the healthcare sector. By and large, organisations are not dealing with scattergun attacks. Instead, their security measures are tested time and time again by well-informed, well-prepared individuals and groups that target specific sectors:

  • Insurance: Insurers hold a wealth of data on individuals, including health details, residential details and vehicle information. If banks hold the money, insurers hold the data, so identity fraud is a significant risk. Attackers move to the point of least resistance: as banks strengthen their defences, attackers may shift their focus to the insurance sector, among others.
  • Banking: Pressure continues to rise on banks to secure their digital banking channels and counter fraud. The roll-out of two-factor authentication (authentication that requires not only a username and password but also something the user has, such as a physical token or a code generated on their phone) has reduced online fraud levels at the banks implementing it. Chip and PIN has limited the ability to exploit stolen card data, but online and mobile (card-not-present) payment fraud is increasing in the market. Some shops have started demanding extra identity verification from customers making such payments as a way to curb fraud.
  • Professional Services: Lawyers, consultants, architects, engineers and accountants are among the professional services providers increasingly targeted as the trusted route into major organisations. They often hold sensitive client data and receive phishing emails from attackers trying to lure them into unwittingly sharing client information. This sector frequently encounters ransomware and bribery, so strong security systems and processes are highly recommended.
  • Healthcare: Clinics, pharmacies and hospitals are often victims of cyber incidents because they handle highly sensitive data such as prescribed medicines, private conditions and individuals’ medical treatments. Such data commands a high price on the black market and with newspapers.
  • Retail: Web attacks are the biggest risk for retailers operating e-commerce platforms and offering digital services to their customers. Currently the risk is still comparatively low, as most payment methods are semi-automated and the systems are not connected directly to the payment platforms. In the past, however, criminals have accessed retail systems, created their own accounts, debited a few dollars and shopped “for free”. IT staff also sometimes neglect basic tasks such as reconfiguring open access ports and changing the default passwords on POS terminals. Point of sale devices have recently been targeted as well, because they generate many transactions and some are connected directly to the core retail processing systems.
  • Telecommunications: As the heart of our networked country, telecom companies attract criminal attention as a route to compromising mobile devices. They are also targets of infrastructure attacks, service outages, incorrect mapping of mobile wallets to user accounts, and social engineering attacks on helpdesk staff.
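The two-factor authentication mentioned under Banking is usually a time-based one-time password: the bank and the customer's phone share a secret, and each derives a short code from the current 30-second time step, so a stolen password alone is not enough to log in. The code below is an added example, not code from the article or from any bank; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard assumptions (HMAC-SHA1, 30-second steps, 6 digits) and uses the RFC test secret, not a production key. The server-side verification shows the two checks a practitioner cares about beyond generating codes: a small drift window for clock skew, and refusal to accept a time step that has already been used, so an intercepted code cannot be replayed.

```python
"""Time-based one-time password (TOTP, RFC 6238 over HOTP, RFC 4226).

Added example, not from the article. It shows the "something the user has"
factor: server and device share a secret and each derives a 6-digit code
from the current 30-second time step. Assumptions: SHA-1, 30-second steps,
6 digits (the defaults most authenticator apps use). The shared secret
below is the RFC test key, not a production value.
"""
import base64
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 test secret ("12345678901234567890"), shown the way
# authenticator apps receive it from a QR code: base32, without padding.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def decode_secret(b32: str) -> bytes:
    """Base32-decode a provisioning secret, tolerating missing '=' padding."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, last_used_step: Optional[int] = None,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> Optional[int]:
    """Server-side check. Returns the matched time step, or None on failure.

    - accepts +/- `window` steps to absorb clock drift between device and server;
    - compares in constant time so a match is not leaked digit by digit;
    - refuses any step <= last_used_step so a captured code cannot be replayed
      within its validity period (the caller persists the returned step).
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = unix_time // step
    for drift in range(-window, window + 1):
        candidate_step = current + drift
        if last_used_step is not None and candidate_step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate_step, digits), submitted):
            return candidate_step
    return None


if __name__ == "__main__":
    key = decode_secret(TEST_SECRET_B32)
    # RFC 6238 vector: at time 59 the 8-digit code is 94287082, so 6 digits -> 287082
    code = totp(key, 59)
    print(code, verify_totp(key, code, 59))
```

The secret, not the code, is what the attacker needs; it must be stored server-side with the same care as a password hash store, and a phished code is only useful for the 30-second step it belongs to, which is why the replay check matters.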

The impact of Cyber Incidents on Business

A successful cyber incident can cause major damage to any business. It can affect the bottom line as well as the business’s standing and consumer trust. The impact of a security breach can be broadly divided into three categories: financial, reputational and legal.

The financial cost of cyber incidents arises from theft of corporate information, theft of financial information (e.g. bank details or payment card details), theft of money, fines, disruption to trading (e.g. inability to carry out transactions online) and loss of business or contracts. Businesses that suffer breaches will also generally incur the cost of repairing affected systems, networks and devices.

Reputational damage erodes the relationship a business has with its key stakeholders. Trust is an essential element of the business-customer relationship, and its loss damages that relationship. The result may be lost sales as demand for the business’s products declines, and reduced profits. Reputational damage can also affect suppliers, and the relationships the business has with its partners, investors and other third parties with a stake in the business.

Legal consequences: Organisations in sensitive sectors are typically required to actively manage the security of the data they hold, particularly personal data. If this data is accidentally or deliberately compromised and the business has failed to deploy appropriate security measures, it may face fines and regulatory sanctions, and these legal consequences also translate into major financial loss.

In conclusion

Cyber threats and cyber security are relevant to all business sectors, since every sector is adopting new technology to enable innovation and growth. An organisation’s security framework should provide ongoing communication and direction throughout the organisation. Although the local operating environment is tough, there is a lot that can be done to improve the cyber security state of any business. Business owners are encouraged to understand the cyber threats they face and to mitigate them by assessing their security capabilities and putting cyber security measures and controls in place, starting from where they are.

This could be achieved by performing periodic network vulnerability assessments to scan, investigate, analyse and report on security vulnerabilities discovered on public internet-facing devices and internal networks. In addition, personnel should complete security training on hire and a periodic security refresher course focusing on IT security and the proper use of access and communications. These and other measures will help Zimbabwean businesses to succeed.
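The simplest form of the periodic assessment just described is a TCP connect scan of the estate's addresses, compared with the previous run so that a newly exposed service stands out instead of being lost in a long list of ports. The script below is an added example written for this article, not a KPMG tool or a substitute for a full vulnerability scanner; it goes slightly beyond the text by adding the baseline comparison. To run offline it scans 127.0.0.1 against listeners it starts itself, standing in for real services; against a real estate you would point it at the authorised hosts and port list and persist the baseline between runs.

```python
"""Periodic exposure scan with baseline drift detection.

Added example, not from the article or any KPMG tool. A TCP connect scan of
a host over a port list, then a comparison against the previous run's
baseline so newly exposed and vanished services are reported. Assumptions:
targets are local listeners on 127.0.0.1 (so the example runs offline); the
port list and "baseline" are constructed.
"""
import socket
from contextlib import closing
from typing import Dict, Iterable, List, Set

# Constructed port list for illustration; a real run uses the full range.
COMMON_PORTS = [21, 22, 23, 80, 443, 445, 3389]


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Set[int]:
    """Full TCP connect scan: a port is open if the three-way handshake completes."""
    found: Set[int] = set()
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.add(port)
    return found


def start_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Stand-in for a real service: bind a listening socket (port 0 = OS-chosen)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def compare_to_baseline(observed: Set[int], baseline: Set[int]) -> Dict[str, List[int]]:
    """Drift since the last run. New exposures need a change record or closing;
    closed services may be legitimate decommissioning or an outage."""
    return {
        "new_exposure": sorted(observed - baseline),
        "closed_since_baseline": sorted(baseline - observed),
        "unchanged": sorted(observed & baseline),
    }


def report(host: str, drift: Dict[str, List[int]]) -> str:
    """Plain-text summary for the assessment report."""
    lines = [f"scan target: {host}"]
    for key in ("new_exposure", "closed_since_baseline", "unchanged"):
        lines.append(f"  {key:<22} {drift[key] if drift[key] else '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    web = start_listener()    # pretend this is the known web server
    rogue = start_listener()  # pretend this appeared since the last scan
    known = {web.getsockname()[1]}
    targets = sorted(known | {rogue.getsockname()[1]})
    observed = scan_ports("127.0.0.1", targets)
    print(report("127.0.0.1", compare_to_baseline(observed, known)))
    web.close()
    rogue.close()
```

A connect scan is noisy and slow compared with a SYN scan, but it needs no raw sockets or privileges and gives an unambiguous answer; whatever tool is used, it is the diff against the authorised baseline, not the raw port list, that turns a scan into a finding.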

© 2023 KPMG Zimbabwe, a Zimbabwean partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee and does not provide services to clients. All rights reserved. 


For more detail about our structure please visit https://kpmg.com/governance.