In today’s digitally driven world, information technology is a foundation for business growth and sustainability. The amount of data continues to grow exponentially, as does the rate at which organizations share data through online networks. Millions of machines such as tablets, smartphones, ATMs, CCTV systems, environmental control systems and much more are all linked together, increasing interdependencies exponentially. This growth in information, its availability and its connectivity also means that organizations lose direct control over the security of their data.
Cyber threats are defined as the possibility of a malicious attempt to disrupt or damage computer systems. The current threats in our environment range from theft of PCs holding confidential information to ATM card cloning. Cyber criminals are aware that the market is vulnerable. Driven by a wide range of motivations, from pure financial gain and raising the profile of an ideology to espionage or terrorism, individual hackers, activists and organized criminals are attacking government and company networks with increasing frequency and severity.
A minority of local businesses have made significant progress on their cyber security responsibilities over the past few years, and most of these now boast impressive capabilities, controls and processes. They would not be an ‘easy target’, but they have still not attained an advanced level of cyber security maturity. The rest, however, have some catching up to do.
The majority of businesses lack discipline in some of the following areas:
Whilst most companies would blame the current difficult economic environment for their failure to implement solid cyber security measures, a closer look at the areas identified above suggests that security would be boosted by greater rigor around the operating effectiveness of the controls and processes already in place, and by implementing the recommended controls.
Cyber incidents are intentional attacks or unintentional breaches that can include gaining unauthorized access to digital systems to disrupt operations, corrupting data, stealing sensitive information or causing denial of service on business websites. Entities that use and/or retain large amounts of Personally Identifiable Information (PII), e.g. financial institutions that process significant credit card transactions, insurance entities, healthcare organizations and retail entities, may be most vulnerable to such cyber incidents. However, PII can be stolen from entities in any industry, and the information stolen is not necessarily restricted to customer information.
The threat landscape continues to evolve. Criminals are looking to repurpose attacks used against banks to target other institutions such as insurers, e-retailers and the healthcare sector. Organisations are not, by and large, dealing with scattergun attacks. Instead, they are facing a world in which their security measures are tested time and time again by highly informed, well prepared individuals and groups that target the following specific sectors:
A successful cyber incident can cause major damage to any business. It can affect the bottom line, as well as the business’s standing and consumer trust. The impact of a security breach can be broadly divided into three categories: financial, reputational and legal. These cyber incidents often result in negative consequences for the entity.
The financial cost of cyber incidents arises from theft of corporate information, theft of financial information (e.g. bank details or payment card details), theft of money, fines, disruption to trading (e.g. inability to carry out transactions online) or loss of business or contracts. Businesses that suffer cyber breaches will also generally incur costs associated with repairing affected systems, networks and devices.
Reputational damage will erode the relationship a business has with its key stakeholders. Trust is an essential element of the business–customer relationship, and a lack of it can damage relationships. The impact of this may be a loss of sales caused by declining demand for the business’s products, and a reduction in profits. Reputational damage can also affect suppliers, or the relationships the business has with its partners, investors and other third parties with a stake in the business.
Legal consequences: Organisations in sensitive sectors are typically required to actively manage the security of the data they hold, particularly when it comes to personal data and information. If this data is accidentally or deliberately compromised and the business has failed to deploy appropriate security measures, it may face fines and regulatory sanctions, and these legal consequences will also result in major financial loss.
Cyber threats and cyber security are relevant to all business sectors, since every sector is using new technology to enable business innovation and growth. An organization’s framework should efficiently and appropriately address ongoing communication and direction throughout the organization. Although the local operating environment is tough, there is a lot that can be done to improve the cyber security state of any business. Business owners are encouraged to be aware of cyber threats and to mitigate them by analysing their security capabilities and putting in place cyber security measures and controls, starting from where they are.
This could be achieved through performing periodic network vulnerability assessments to scan for, investigate, analyse and report on any security vulnerabilities discovered on public internet-facing devices and internal networks. In addition, personnel may complete security training upon hire and a security ‘refresher’ training course, which focuses on IT security and access communications. These and other measures will help Zimbabwean businesses succeed.
© 2021 KPMG Zimbabwe, a Zimbabwean partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.