Rashika Ramlal, Public Sector Country Leader, Amazon Web Services (AWS) South Africa.
South African businesses have paid an average of R18 million to ransomware attackers, and it can take one to six months for a business to fully recover from an attack.
Furthermore, South Africa ranks fifth in the world when it comes to cybercrime density.
“This means that South Africa is the fifth worst country in the world from a cybersecurity perspective,” Rashika Ramlal, AWS South Africa public sector country lead, said while speaking at the ITWeb Security Summit in Cape Town.
Given this environment, cybersecurity can no longer be seen as the responsibility of a single person or department, she said, adding that cyber is everyone's responsibility. To achieve this, it is essential to put security at the heart of the business, and she outlined several ways to do this.
First, security needs to be embedded into every aspect of the business, said Ramlal: “Security can't be run as a project or program. Security needs to be a core function of the business. It has to be run as part of the broader operations.”
This means making sure the team is trained regularly and the board is properly educated on the situation and the risks. To succeed in the latter, she suggested that CISOs and security officers focus on impact.
To get executive buy-in, you need to show the potential impact of an attack, whether it's on customers or on business operations, because that can very easily translate to a company's bottom line, she said.
Ramlal said the next step is to focus on promoting an escalation-friendly culture that fosters psychological safety.
In an environment that tolerates escalation, individuals feel empowered to speak up. And when they do, they'll feel psychologically reassured if they're thanked for speaking up, no matter what the problem may be. Ramlal said it's important to praise people for having the courage to point out problems before they escalate.
Finally, she suggested that companies support “security champions” – existing staff who are not security experts but who have a strong interest in security. Given the global shortage of cyber talent, it makes sense to upskill existing resources within a company. That way, companies can better scale their security efforts and foster a more holistic security culture. Think of these champions as security ambassadors with the know-how to embed security into every aspect of the business, from product development to customer service.