In a recent interview with Information Regulator Pansy Tlakula, she told ITWeb that the institution was receiving in excess of 150 data breach regulations every month.

And the list of well-known organisations reporting on successful attacks and breaches continues to grow with the National Health Laboratory Service, Transnet and TransUnion all on the list.

Companies are wrestling with zero-day vulnerabilities, unexpected attacks, employee errors – the CSIR found that only 32% of respondents had received training – and limited access to skilled people while simultaneously trying to do business in a complex and disruptive market.

The cost of a successful breach continues to rise and the risk of losing the business to the damages and fines is increasing exponentially. It’s becoming incredibly challenging for companies to balance their security hygiene alongside their need for growth and market share.

Organisations are increasingly partnering with managed security services providers (MSSPs) to bolster and refine their defences and better manage their visibility around security costs. However, finding the right MSSP is often as challenging as managing the security in the first place.

Many traditional security vendors operate in silos. Some focus on product deployment, others on managed services while some consultancies may restrict their involvement to an advisory capacity.

Problem is, this fragmented approach creates vulnerabilities that sophisticated threat actors are increasingly ready to exploit. You want a trusted security partner that does more than just offer you point solutions or one side of the coin. A partner that delivers end-to-end security coverage alongside scalable solutions that grow with your business.

You also need to ensure that your MSSP is agile with adaptable strategies that respond quickly to emerging threats and with highly skilled teams that have proven, deep industry expertise.

Then, added to this demanding mix, you also want a team that will communicate with you clearly and often – transparent communication is the foundation of a trusted partnership.

Another often overlooked advantage that comes with partnering is the economic benefit of economies of scale.

A MSSP has access to enterprise-grade security solutions that are traditionally only affordable for larger corporations but thanks to the as a service security model, they are now available to organisations of all sizes.

It is a democratisation of security capabilities that protects everyone throughout the security chain, not only reducing risk for all companies, but minimising the risk of a small supplier potentially infecting a large enterprise due to poor security hygiene.

This then brings the conversation back to the capabilities of your MSSP.

A solid partnership goes beyond traditional vendor relationships, providing instead customised solutions, proactive advisory, flexible engagement models and comprehensive support all wrapped within one easy to use package.

When you and your MSSP are on the same page, it is far easier to identify and address vulnerabilities before they become liabilities and to respond effectively to security incidents.

And, you get to enjoy ongoing compliance to evolving regulations because they are, well, your MSSP’s problem.

And you want your security to be someone else’s problem. Peace of mind has become, in modern business, as much a commodity as gold.

So, ensure that your chosen MSSP can provide you with comprehensive security coverage, has proven technical expertise, is agile enough to adapt to your needs, and is responsive and accessible.

Working with a trusted security partner isn’t just about technology implementation; it’s about establishing a relationship capable of evolving with your needs and the threats.

There is no doubt that doing everything possible to prevent the crisis in the first place and then having a very carefully drafted playbook to activate an appropriate crisis response places a business in a far more favourable position than if it had no plans in place and is reacting in the heat of the moment.

The very idea can give CEOs sleepless nights. Now, consider that we live in times where cyber-attacks are increasing at breakneck speed and that everyone is a potential target. It is plain as day that every business needs a cybersecurity playbook.

Typically, a playbook relates to things you want to standardise and in this instance, it refers to how a business prepares and shores up its defences, as well as how it standardised its incident response procedure according to best practice in a way that results in the least amount of damage to the business.

Some of the most well-known businesses in the world, including in South Africa, have fallen victim to breaches.

Even if the data damage was minor in the greater scheme of things, they have suffered immense reputational and regulatory damage in the form of fines.

Just who are these threat actors? There are those who are in it for the money alone, others who are state-sponsored, some are driven by ideology and some may even be disgruntled staff in your own organisation. In some of the most malicious attacks, competition businesses pay threat actors to bring down a business’s systems to benefit their own.

How do they achieve their goals? If you pay them a ransom, they make money. If you don’t, they will make money selling your data.

They become vindictive and will widely publicise the extent of your data breach. Of course, if you did pay a ransom you will be attacked again because the threat actor knows you pay.

Often, as Armata, when we are called in to do an assessment of an environment after a breach we find that the threat actors have built a backdoor for another attack at a future date. Most times, we find many more areas of vulnerability that no doubt sophisticated hackers would also have spotted.

With this in mind, let’s take a closer look at what a cybersecurity playbook entails. It is a blueprint on how to react to the crisis with a clearly defined procedure. The incident response team is only one aspect.

A proper computer security incident response team (CSIRT) process will include the C-suite and other vital team members, such as those who are responsible for the day-to-day operations, dealing with stakeholders and customers, someone from the legal department, the heads of IT and people who look after the various systems, and marketing and communications. The playbook has clearly defined functions and responsibilities for each of these people. 

By way of example, suppose there has been a ransomware attack. The response may look like this:

The attack has only locked us out of our systems, and we can concur that no data has been stolen. The only impact is that it has affected the running of the business and so we either need to restore our systems or pay a ransom.

Legal says, yes we have not lost data so we do not need to report to the regulator about a POPIA breach, but it is advisable to let them know that we have had a ransomware attack and that we are looking at bolstering our security to stop it from happening again.

The CEO asks what would happen if an employee lets the news out and the story gains legs of its own, and so suggests that the business announces the attack publicly, and frames it as a business-impacting event where no customer data was stolen and that it is business as usual pending the restoring of systems.

The communications and PR team drafts the statement and reactive holding statements and manage potential media enquiries.

The business then engages a cybersecurity expert business to come in and run pen tests, analyse the system, and make recommendations on beefing up security and fixing vulnerabilities, or to take over the duties of a managed services arrangement.

The above is only surface-level for illustrative processes but it is useful in explaining the scope of a cybersecurity playbook.

Every organisation should take a moment to look into its own cybersecurity strategy and incident playbook and make sure that it has invested the type of attention it deserves.

Consider that if an organisation is attacked and the regulator finds that it did not take all reasonable steps to protect its systems, it could fall foul of compliance and be liable for massive fines and reputational damage.

Whereas, if the business had been working with an expert partner, those questions would have already been dealt with and the incident response would have been managed correctly.

Always seek out a partner that has experience, across industries and organisation sizes, so that you can get the best possible advice and service to protect your organisation and your customers’ data.

With South Africa being the sixth most targeted country worldwide regarding cyberattacks, it’s no surprise that organisations have to put numerous steps in place to protect their networks and data.

This is all the more crucial in a world where we have legislation such as GDPR and PoPI that dictate how people’s data can be stored, used and transmitted, with harsh financial penalties for those found in contravention.

More companies are investing in network and data security solutions and being proactive in preventing breaches by carrying out active threat hunting, while there’s also a growing effort to separate Information Technology from Operational Technology as an additional security measure.

With more investment into network and endpoint security, these threat actors are now turning to tactics such as phishing and spear-phishing in order to get malware onto an organisation’s network.

With employees more likely to be the weakest link in an organisation, the human firewall element has to be a key consideration, and cybersecurity awareness and training have to be carried out regularly.

Remote and hybrid working bring with them additional security challenges for organisations; while employees might receive cybersecurity training and practise safer online behaviour, the same might not be said for children or elderly members of the family who are sharing a WiFi connection and could potentially compromise all devices on the network. The security situation is worse if an employee connects from a public WiFi connection. Here, endpoint detection and response become key.

Employees will also have to be mindful of more than just digital security breaches, but also physical security issues. As an example, improperly discarded documents that contain personal, financial and other sensitive information can be used to build a profile against someone as part of a spear-phishing attack. Or, think of having confidential documents that stay displayed on a screen or are printed out and laid on a table for anyone to see. Employees will have to be cognisant of how they are storing and discarding information at home too.

New challenges also loom on the horizon for businesses. With larger organisations being able to protect themselves better, hackers are targeting third parties who might be smaller suppliers, business partners or even clients. The majority of large security breaches that occurred last year were due to a smaller company first being breached in order to ultimately gain access to a larger organisation. We are also seeing how artificial intelligence (AI) can be a double-edged sword, with tools such as ChatGPT now being used by hackers to create malware.

With threat actors always looking at new ways to breach corporate defences, organisations will have to respond with an ongoing investment in their security, both through the deployment of relevant products or solutions, and the continuous training of employees.

However, while organisations might be doing more to be better protected against cyberattacks, what happens if someone breaks into their offices and then walks out with their PCs and servers?

We have already seen the overlap between cybersecurity and physical security when it comes to ensuring employees take better care of confidential corporate information.

At the same time, at home – whether on a screen or printed – and it’s no surprise that we are seeing this convergence in the workplace too. Going forward, the overlap will necessitate the integration of cybersecurity and physical security in order to enable the sharing of events to the same security operations centre (SOC).