Cyber defence a critical component of an ESG strategy: Kaspersky

As cyberattacks on pipelines, water pumping stations and manufacturing plants hit the news, customers and investors grow more aware of the need for organisations to take responsibility for the protection of their potential cyber vulnerabilities. Cybercrime can have a significant impact on businesses, and cybersecurity is central to environmental, social and governance (ESG) analysis of a company’s sustainability.

Investment in ESG assets is set to grow to $50 trillion by 2025. With ESG forming a key component of financial reporting in South Africa, and with many businesses in the region on the journey to adapt to international reporting requirements and standards, organisations across the continent are looking for ways to strengthen their portfolios in this regard.

Protection against cyber threats is necessary not only for business continuity, but also for the preservation of the environment and human health. ESG programmes should therefore include aspects of cyber security in order to minimise the risk of the impact of a cyberattack on employees, the ecosystem and society as a whole.

“This is particularly relevant to critical infrastructure, where organisations tend to experience significantly more severe outcomes from operational technology security issues than others,” says Bethwel Opil, Enterprise Client Lead at Kaspersky in Africa.

Kaspersky research has found that over the course of 2021, there was a 45% increase in the incidence of spyware on computers used for industrial control system purposes when compared to the previous year. A cyberattack on a safety-critical power station or oil and gas installation, for example, has the capacity to have knock-on impacts that touch all components of ESG.

Furthermore, Kaspersky has found that approximately a third (30%) of companies globally experience significant operational technology security issues. They see four times as many incidents and suffer financial costs that are twice as large. These companies are also more likely to see these cyber risks manifest in terms of physical risk, such as injury or death (5 times more likely) and environmental damage (2.5 times more likely).

“Cybersecurity takes on a new level of importance for local organisations. It is not only about being protected against attacks that can threaten business continuity and damage corporate reputation, and from a business governance point of view, but there is a very real threat against human life and the environment – especially when industrial control system hardware that controls critical infrastructure is attacked,” says Maria Losyukova, Head of Sustainability at Kaspersky. “As a part of an organisation’s ESG, it will be the cybersecurity team leader’s responsibility to document current practices and to address issues of concern with solid and quantifiable security solutions. The days of enterprises simply declaring ‘We have cybersecurity insurance’ are over.”

Each year it becomes more challenging to secure and protect infrastructure and data assets at an enterprise level. Staff in security operations centres can get overwhelmed with alerts coming from different cybersecurity components. XDR (extended detection and response) products have emerged as a class of automated information security solutions designed to proactively detect threats at various infrastructure levels, respond to them, and counter complex threats. XDR comprises a wide range of tools that security specialists can integrate with available security programs and applications to perform data monitoring on endpoints, the network, the cloud, and mail servers. It also adds analytical and automation functions for the detection and elimination of current and potential threats.

Opil further comments, “The implementation of an XDR solution provides the organisation with a complete view of their infrastructure – and building an XDR solution with Kaspersky means customers can resist attacks on all their assets, manage products from different vendors from a single console, respond more quickly to incidents, and reduce downtime, all contributing to adhering to ESG standards.”
However, the effectiveness of even the most advanced cybersecurity solutions is diminished if organisations do not practice employee trainings.

“Staff must be trained on the changing threat landscape using more than traditional methods,” adds Opil. “To this end, Kaspersky launched its Automated Security Awareness Platform (KASAP). This is an easy-to-manage online tool which builds employee’s cybersecurity skills level by level. It provides organisations across industry sectors with a reusable online tool on which to launch and run their internal cybersecurity awareness programmes,” concludes Opil.

Cybersecurity is fast becoming more than just a security issue, with its environmental, social, and governance impacts moving to the forefront. Long-term business resilience requires profitable business vitality along with a healthy society and environment. Investing in cybersecurity today will not only help an organisation avoid a breach or an insurance claim, but also boost trust, reduce risk, and contribute to overall economic growth.