Protecting your environment from cyber-threats requires an “onion” approach


Protecting your company from cyber-attacks requires a multi-level approach that can be seen as an ‘onion’, panellists at the CIO South Africa Cybersecurity Summit heard.

During a discussion on cybersecurity and compliance at the CIO South Africa Cybersecurity Summit held on 20 February, head of digital South Africa at iOCO, Mary-Lyn Raath, likened implementing a security strategy to counter cyber-attacks to an onion.

She explained that the process needs to involve using an industry framework to develop each layer, and then reviewing the implementation levels against the entire security environment as well as current regulation such as the Sarbanes-Oxley Act (SOX).

Dr Sylvia Sathekge, CIO at SNG Grant Thornton, explained that her doctoral research had resulted in a framework that cyber-professionals could use to implement security layers and responses. Her end result was a model based on Kaspersky and McKinsey models, which focused on people and processes. “It should not be the responsibility of the technical people,” she said.

However, it is impossible to keep it all secure, Mary-Lyn said, and iOCO is constantly looking at new technology and reviewing what it has in place. “It’s not just protection of data, but prevention of cybersecurity attacks.”

The cloud services company offers several solutions, such as software development, API solutions, cybersecurity, and enterprise applications. Mary-Lyn explained that, for example, it has a strict methodology for building application security. “Key to our response is culture and collaboration, you don’t wait for deployment before collaborating with stakeholders.”

She added that the client needs to be brought along during the cybersecurity process so that it’s possible to implement a change in the way of working as well as in management and deployment, which takes time and is work intensive.

The cloud company’s multi-layered approach to fighting cybercrime has included putting a task team together from across the company to really tackle the issue in terms of policy, governance and approach among other aspects, said Mary-Lyn. “We are taking a more open approach to help staff do their jobs better and learn better, so they can fix their work as they go.” The company has rolled out a demonstrable co-pilot, which is working and will be developed further as needed.

“Everyone’s environment is different, and you need multiple layers.”

At iOCO, training is done twice a month to ensure that the onion is as protected as possible, and staff need to acknowledge that they have gone through the process as well as complete a questionnaire before they can get a bonus, said Mary-Lyn. “That’s how we make certain that every single person gets through the training.”

Sylvia made the point that, when staff are hired, they must have a safety mindset, which cannot be about tech alone, but about all aspects of the business. She likened a cyber-strategy to a car with all the safety features, much like Mary-Lyn’s onion.

At the same time, said Sylvia, cyber should be part of the board agenda. “I found during my research that not all hands were on deck. Cyber isn’t deliberated vigorously unless there’s an attack.” When cybersecurity is understood as part of the business strategy and risk, there is an acknowledgment that it’s an ongoing process, she said. “It’s a moving target.”

According to Seacom, the most common method of attack used by cyber-criminals is email phishing, at almost two thirds of all attempts. This is followed by attacks through compromised passwords at almost half, and data breaches at 44 percent. Many of these breaches occur because of hybrid or remote work, it says.

IBM Security’s annual Cost of a Data Breach report found that the average data breach cost for South African companies hit a record R49.45 million last year, an eight percent increase over the past three years.

Sylvia said this can be attributed in part to the fact that technology has become part of our nature, making cyberspace unsafe, and that collaboration and partnerships are lacking.

Artificial intelligence, too, is a potential threat, Mary-Lyn said, citing a 2024 Cisco Security AI survey, which found that CIOs across multiple countries all agree that they must do something different with generative AI being used in businesses. Twenty-seven percent of companies surveyed had banned its use, and more than two thirds were worried about what goes into such a system. “Companies are worried about losing intellectual property.”

“It’s about how you consume tech. It’s not safe in cyberspace. You can’t just assume the cloud is safe,” Sylvia concluded.
