In 2021, KnowBe4, Lynchpin and ITWeb conducted surveys across Nigeria, South Africa and Kenya to unpack how remote working was influencing the security paradigm for organisations. The survey found that a significant percentage of companies will very likely continue leveraging remote working. At the time of writing the report, 57% of organisations in South Africa, 29% in Kenya and 32% in Nigeria will continue with remote working on a flexible basis.
Anna Collard, SVP, Content Strategy and Evangelist, KnowBe4 Africa, pointed out that remote working may have become an invaluable tool for the organisation, but it comes with a security caveat – people have to be properly trained to recognise the risks inherent in online interactions.
“One of the immediate defences against cybercrime is an employee that has been well-trained and understands how to spot and report cyberthreats,” she added. “People should know what a social engineering attack looks like, and why they should not click on links or open attachments. While many respondents in the survey believed that their remote workers were adequately trained to withstand social engineering attacks, a significant percentage was unsure as to how well their people would react to a security threat. And this points to an urgent need for security training.”
People are both the problem and the solution. On one hand, they are the human firewall that can stand against the threats and play a huge role in mitigating security risks. On the other, they can be the vulnerability that bypasses the complex and expensive security by simply clicking on a link or succumbing to a phishing attempt. Companies that are focusing on hybrid or remote working frameworks going forward will have to put training at the forefront of their policies and planning. Ultimately, a breach could cost them financially and reputationally – particularly now, in the era of rigorous protection of personal information legislation – and poor user behaviour is a leading cause of security incidents across the three countries. While the number of security incidents experienced by companies overall dropped in 2021, those attacks that got through used phishing, social engineering, ransomware and malware. Unintentional data leaks sat in the third position in South Africa alongside credential theft, while Kenya battled with phishing and ransomware. Nigeria’s biggest problems were social engineering and phishing.
“Companies across Nigeria, Kenya and South Africa have also struggled with insecure home Wi-Fi networks and people sharing their corporate devices with family and friends,” said Collard. “The pandemic threw everyone in the deep end in 2020, and they all spent 2021 learning how to swim. Now, in 2022, it is time to redefine and reshape how the organisation manages security and remote working as effectively and dynamically as possible.”
This means that companies need to refine their security awareness processes alongside providing training and education. The first step is to invest in robust security policies that outline the risks, and that inform users how to report and act when faced with a potential cyberattack. The simpler and more straightforward those processes and tools are, the higher the probability that people will play their part. While the report found that most companies have put a lot of time and effort into shoring up the security walls, many do not prioritise it as much as they should – often cutting security budgets and leaving IT teams with limited resources.
“The reality is that cybersecurity is a constantly evolving landscape that expects organisations to evolve along with it,” she said. “As remote working gains traction and stability, cybercriminals are going to exploit every weakness they can find – from a poorly secured home network to a badly trained employee. This is the perfect time to establish a security culture within the business and prioritise its value and importance.”