Upping the ante

Cybersecurity threats are ever evolving, prompting companies and individuals alike to stay on their guard

Years ago I received a kitchen appliance as a gift from a cybersecurity firm. That food processor, handy as it was for frozen margaritas and mango daiquiris, was also a cunning word play on that company’s new cybersecurity software that would counter what they called ‘blended’ threats (blending, get it?). Nearly two decades ago they had identified multi-pronged cyberattacks such as spam emails containing documents infected with hidden malware that would simultaneously skim off your personal details, then send the infected document to everyone in your address list, and open backdoors on your network.

Today blended threats are pretty much the default. Ransomware email demands money or it will send pornography from you to everyone on your list. And then lock down your computer. Then infect every computer near you, and lock those too. The moral of the story is that security threats evolve. It’s never just one thing and that makes it so much harder to defend against.

The consequence for listed companies is not so much the loss of productivity as the public relations fallout resulting from the possible loss of key intellectual property, the breakdown of trust with suppliers and customers and, ultimately, the impact of these revelations on the market. And more so now, since the Protection of Personal Information Act compels companies to fully disclose the scope of their security breaches. Equivalent legislation is already in force in the US, and it’s now just a question of when it will be tested in SA courtrooms for the first time.

Loss of industrial IP aside, the financial sector remains a popular target because, well, that’s where the money is. In 2018, wherever financial transactions took place online, cybercriminals were waiting in the shadows. Phishing attacks using fake payment websites for Visa, Mastercard, PayPal, Amazon and many banks are still going strong.

One of the biggest casualties has been the cryptocurrency business. The inevitable happened here too: individuals were defrauded of their wallets and cryptoexchange account details, and their virtual coin stash stolen. The anonymous nature of these transactions and the laundering of virtual money through the dark web compounded the problem, of course. Less obvious was the brazen planting of cryptomining software on PCs and corporate networks, harnessing this processing power for the criminals.

Now a new scourge has emerged globally that has not yet surfaced in SA: spear phishing attacks in the form of legitimate-looking procurement forms and letters from accounting firms (of course, state capture revelations make that all seem a bit tame).

Imagining these sustained, blended attacks coming in all shapes and sizes and on all fronts from nation states, criminal syndicates, enterprising hackers and curious kids, it’s easy to see some cybersecurity fatigue setting in. Do we really have to maintain total vigilance with every email we open, every picture we share, and every site we log on to? Should CEOs panic every time they misplace their phone? Should staff be encouraged to be more paranoid?

After all, is this not just the flip side of the countless advantages that computers and smartphones have brought to the world of business? This is likely simply the cost of doing business in the information age, right?

Perhaps we could follow the example of the Oracle of Omaha. Warren Buffett notes that a worldwide nuclear attack would likely create bigger global problems than any individual CEO need worry about, but he quietly cobbled together two new Berkshire Hathaway insurance products: one for corporate cyber liability and the other to cover the costs of data breaches.

To those business experts who boldly claim that chaos is a business opportunity, I’m pretty sure this is not what they had in mind.

By Gavin Dudley
Image: Clinton Prins