Assessing resilience of public sector Information Systems against cyber threats and attacks. A South African perspective

Abstract

The rapid increase of emerging technologies has become a backbone upon which organisations now increasingly rely on. It has prompted public sector organisations around the globe to embrace these technologies and digitise their information systems. To capitalise on these global technological advancements, public sector organisations in South Africa have been investing in electronic government (e-government) services to perform effectively, accelerate and improve efficiency in service delivery, promote transparency and accountability, and bolster information sharing and collaboration between government organisations. The e-government interaction includes governments, businesses, and citizens. However, these technological advancements and digital transformation come with unintended ramifications and at a high cost - such as unprecedented cyber risks that can cause disruptions to critical systems, networks, and data. The far-reaching impact of these cyber risks could include financial loss, damage to information assets, failure of Information and Communications Technology systems, reputational damage, violation of privacy due to data breaches. Therefore, public sector organisations need to ensure the protection of the confidentiality, integrity, and availability of their critical information systems. This research study sets out to assess the cyber resilience of the South African public sector organisations information systems, that is, the capability to anticipate, withstand, detect, respond to, recover from, and adapt to any disastrous cyber incidents with an ability to resume services at an acceptable level and time. To achieve the objective, a qualitative method and interpretive approach to collect and analyse data was adopted. Empirical data was collected from the South African public sector organisations in the Gauteng Province through semi-structured, face-to-face interviews as a primary source and utilising a survey raw dataset as the secondary source. Furthermore, data triangulation was used to strengthen and validate the thematic findings. This was accomplished by comparing the thematic finding from the primary source with the statistical results from the secondary source. Findings for this research study revealed that the South African public sector organisations are more vulnerable to cyber risks due to lack of basic cybersecurity controls requirements namely: a cybersecurity strategy, an adequate skilled workforce, an effective incident response plan, a cyber risk management strategy, a cybersecurity awareness programme as well as clearly defined cybersecurity roles and responsibilities for the executive management and senior management. Consequently, the impact of cyber-attacks on the South African public sector organisations can be potentially damaging and, in some instances, even catastrophic. South African public sector organisations surveyed in the study were found not to have the capacity and capability to anticipate, withstand, detect, respond to, recover from, and adapt to any disastrous cyber incidents and be able to resume services at an acceptable level and time. The South African public sector organisations need to implement the basic cybersecurity controls as the first step towards cyber resilient information systems. The South African public sector organisations need to be more pro-active; develop a cybersecurity strategy and a comprehensive cyber incident response plan; allocate sufficient budget for cybersecurity technologies, education, training, and development; and implement continuing compulsory cybersecurity awareness programmes.