James George | Complacency on cyber threats is a compliance disaster waiting to happen
The work-from-home revolution has largely given way to a hybrid model, and for many people going into the office is the norm again. While compliance with Covid-19 safety regulations has relaxed, complacency may have crept into some of the factors that are crucial for a business to keep operating safely and securely.
The World Economic Forum cites cyber risk as 'the most immediate and financially material sustainability risk that organisations face today', and we are starting to see regulators take note of those who aren’t prioritising cyber safety.
In Australia, a financial services licensee became the first to be taken to task by the Australian Securities and Investments Commission earlier this year for breaching its licence obligations. The breach related to a failure to manage cybersecurity risks. The judge acknowledged that cybersecurity risk cannot be eliminated entirely, but found that it can be reduced by putting adequate controls and documentation in place, and that this should be the standard.
Any organisation’s risk management framework should account for cybersecurity risk across its digital supply chain. Ignoring this could be seen as non-compliance.
Put simply, best practice in compliance is moving from tick-box exercises to being able to prove that you did everything you reasonably could to prevent risks from arising. What has happened in Australia is a good example of the consequences of ignoring best practice.
Assessing where your business is digitally vulnerable should be done on an ongoing basis. Cyber resilience should be the constant priority.
Incident response and business continuity plans are paramount to being prepared for a cybersecurity incident. If something does go wrong and a breach occurs, it is important to disclose it to the relevant parties as soon as possible and to note it in any annual operational or financial reports. Keeping a record of near misses as well as actual incidents will also help to prove that you are managing your compliance responsibilities.
There should be clear processes setting out what is expected of everyone in the organisation, including how sensitive data is shared and stored. A regular refresher is advised, as bad habits and human error can creep in, which is even more likely while people are adjusting to hybrid work schedules.
Global technology adoption, digital transformation and the rise of hybrid working have brought new challenges that change how we approach compliance. An alarming insight in the 2022 Thomson Reuters Cost of Compliance report was the perception, held by some, that more technology means fewer compliance requirements. It can be quite the opposite, particularly as cybercrime risk intensifies.
Global cybercrime is predicted to cost $10.5 trillion per year by 2025, according to Cybercrime Magazine. Cybercrime density is another clue to the risks we are really facing. According to Surfshark, the Netherlands-based VPN provider, South Africa ranks sixth among the ten countries with the highest cybercrime density, meaning a high number of cybercrime victims per million internet users. Poor awareness of cyber safety was noted as a possible reason for making the list.
Finalising the Cybersecurity Bill and its draft regulations is firmly on the South African government’s agenda as the battle for data privacy continues. With hybrid working here to stay, strong compliance oversight, accountability and cybersecurity controls will be a large part of keeping the lights on for business.
*James George is a Compliance Manager at Compli-Serve SA.