CIO Africa Magazine - May 2023 - Gitex Africa Edition

Page 14

ARTICLE by

STEVE MBEGO

Why You Must Protect Your Organisation’s Critical Data

If you want to make a good business decision, you are going to need security strategies that not only protect your business but also give you a competitive advantage.

In the face of an ever-evolving technological landscape, companies across industries are eagerly embracing digital transformation to drive growth, enhance efficiency, and stay competitive. This paradigm shift offers unprecedented opportunities to streamline processes, engage customers on a deeper level, and unlock new avenues of innovation. However, alongside these remarkable advantages come inherent risks. Key among them are cybersecurity risks, which come in many forms, with data breaches chief among them. Threat actors are going after organisations’ sensitive data in an evolving threat landscape, and new breaches are reported regularly.

In April 2023, Naivas, Kenya’s largest supermarket chain, announced it was a victim of a ransomware attack carried out by an online criminal organisation. There were two surprising things about this attack. One was the audacity, the other, the transparency. The ransomware attack targeted not only Naivas but also other corporates and organisations locally and beyond, according to Willy Kimani, Naivas’ Chief Commercial Officer.

Cybersecurity firm Kaspersky states that spyware attacks on organisations in South Africa, Kenya and Nigeria increased in Q1 2023. It recorded an increase of 18.8 per cent in South Africa, 12.9 per cent in Kenya, and 14.6 per cent in Nigeria from Q4 2022 to Q1 2023.

Let’s start from the basics. What is a data breach? A data breach occurs when information is unlawfully accessed or obtained from a system, and potentially shared, without proper authorisation. The system may contain highly sensitive data such as bank account details, credit card information, names, addresses and customers’ personally identifiable information (PII).

If your organisation is breached, the consequences may include the leaking of confidential information, the theft of intellectual property, identity theft, financial fraud, a run-in with the law, and significant reputational damage. If you are a healthcare CIO, picture a scenario where confidential patient records have been pilfered and simultaneously published.

From small businesses to government agencies, no entity is immune to the perils of data breaches. However, some are more prone to them than others, depending on the measures they put in place to prevent a breach and how they react after one has happened.

Richard Muthua, Executive Head of Cloud and Cyber Security, Liquid Intelligent Technologies, and Shalom Onyibe, Head of Cybersecurity Assurance Services, CYBER1 Solutions, help map out the causes of data breaches. Onyibe narrows it down to three main areas which he says are
the lack of policies, lack of training and people behaviour.

Data breaches can stem from various sources, including cyberattacks, insider threats, weak passwords, third-party vulnerabilities, physical security breaches, human error, malicious insiders, and phishing. Hackers, for example, can use phishing to get the credentials of database administrators, which they then use to get at the data. Database administrators may also mistakenly expose their application programming interface (API) keys to threat actors, who then use them to access the database.

Muthua attributes incidents of data breaches to a lack of understanding about the organisation’s important data assets, including their location and who should handle them. This lack of knowledge, according to him, makes it difficult to effectively protect the data. He also blames insufficient or nonexistent policies and controls governing data management, which leave vulnerabilities in the system. “When policies are in place, there is often a lack of enforcement, allowing for negligence and noncompliance,” he says.

He sees yet another contributing factor: insufficient training across all levels of the organisation, from the board to every employee. “When training staff on how to protect themselves against hackers, the activity should cover topics like

