City of Johannesburg ransomware attack a wake-up call for boards, says IoDSA
Friday, 25 October 2019
The ransomware attack suffered by the City of Johannesburg today sounds a clarion call for boards to revisit their technology governance strategies and take a more holistic view of technology and the risk it poses, says Parmi Natesan, CEO of the Institute of Directors in South Africa (IoDSA).
“Cyber-attacks like this one represent a huge and present risk for all organisations in both the public and private sectors—the City is effectively unable to do business until its systems are restored, and vital corporate and customer data could be lost or compromised,” she says.
According to Marlon Moodley, IT Governance facilitator for the IoDSA, because technology now provides the underlying platform for most business in both the public and private sectors, directors’ responsibility in terms of technology governance is more important than ever before. Globally, directors of both public and private entities are not taking adequate steps to acquire broader skills to understand crucial developments in the fast-moving technology space.
In particular, he strongly argues that directors must beware of taking too narrow a view. Technology pervades every facet of business, and thus its governance must take a similarly holistic view. Financial governance and risk assessment look at the whole organisation, and the same approach should be followed when it comes to technology. For example, servers are not the only vulnerability—cybercriminals can penetrate corporate IT systems via the multitude of devices in use inside and outside the working environment, as well as through exploiting vulnerabilities in human behaviour. A compromised device is a backdoor into the corporate environment. And a compromised IT environment puts every facet of the organisation at risk.
Data represents a key collateral risk. Hackers often post or sell corporate data on the Dark Web, so technology and data governance overlap to a great degree, he notes. South Africa, along with a growing number of countries, has tough data-privacy laws with stiff penalties.
“Because of technology’s pervasiveness, directors should make sure they acquire a broader understanding of technology and the trends driving it. But they should also be calling in experts to advise them. The key here, though, is to ensure that both they and the experts take a holistic view that encompasses the entire technology environment and its operational impact, including on sensitive data,” he says.
“Directors also need to ensure that adequate business continuity arrangements are in place. If the corporate IT systems are not usable, there should be an alternate data centre with a clean, reliable replication of the IT environment.”
Ms Natesan concludes that boards in both the public and private sectors face similar challenges relating to technology governance, and that the tendency to take too narrow a view of technology needs to be shifted.