South Africa is the fifth-most targeted country in the world in terms of cybercrime attacks, while informal consensus within the private sector places South Africa third behind Russia and China – but companies are not doing as much as they could to protect their systems.

Cybercrime is any crime involving a computer or Internet and South Africa is perceived by syndicates as fertile ground for hacking attacks as they believe there is little chance of arrest and successful conviction. Beyond the immediate threat of cyber-attacks, the criminal activity is also linked to other illegal activities such as human trafficking, drug smuggling and money laundering.

“Despite the potentially devastating financial, legal and reputational consequences of a major cyber breach on a corporate entity, there is widespread apathy across South Africa’s business sector to insure their bottom lines against serious losses and the cost of recovery due to cybercrime attacks,” says Kerry Curtin, principal broker: Financial Institutions & Professional Risks at Aon South Africa.

“Another challenge is that most attacks are underreported, as no business wants to admit publicly that they have been compromised, despite them being legally compelled to inform all clients of any breach that could compromise their personal data.”

A report by global risk advisory and insurance brokerage Aon, entitled “Exploring the Latest Cyber Risk Trends in EMEA” shows that there is still a low level of board involvement in actively addressing cyber risk management across the EMEA. Not surprisingly, this is also reflected in the global average. At the same time, the report shows that in some EMEA countries a large percentage of companies had a data breach or a serious technical outage in a defined 12-month period, while the global average indicates that one in three companies report suffering from some type of incident during the same period.

“Based on local take up of specialist cyber risk insurance, we estimate that over 70% of South African businesses, including large corporates and institutions are woefully unprepared for the financial, legal and reputational ramifications of a major cyber hack,” says Curtin.

“Recent news headlines provide compelling reason for business leaders to get very serious about managing their cyber risks and it should be a priority in boardrooms, law enforcement agencies and intelligence units.

“There will be increasing pressure on an organisation’s board to familiarise themselves with the company mechanisms associated with cyber risk and security. Recent high profile cyber-attacks and subsequent losses have left the positions of high profile executives untenable. An understanding of the severity of the threat has become an absolute requirement, imperative to the future of the business in many cases.

“Cybercrime is alive and well on South African soil and costs the economy an estimated R6-billion a year, a figure that’s steadily growing,” Curtin adds.

In May 2014, an international cybercrime syndicate was exposed with 12 people arrested on South African soil in Pretoria, while another 10 were arrested in the United States and Canada. The arrests came after a joint operation
between the Hawks, Crime Intelligence, SA Tactical Response Team and department of home affairs and Interpol, the US Immigration and Customs Enforcement (ICE) and Homeland Security Investigations (HSI).

In Washington last year, hackers took over Twitter accounts of the New York Post and United Press International, writing messages including about hostilities breaking out between the United States and China. Several media organisations have also had their Twitter feeds hacked over the past two years including AFP and the BBC, and locally the Star newspaper.

By far the most unprecedented hack ever inflicted on a business was on Sony Pictures in December 2014.

“South African businesses are in no way insulated from suffering such a catastrophic breach and cyber-crime is already having a significant economic impact on the country, and is expected to get worse,” Curtin says.

“According to a report compiled by McAfee software on behalf of the Centre for Strategic and International Studies (CSIS), the ‘Global Cost of Cyber-crime’ report puts the cost of cyber-crime to the global economy in the region of $400-billion.

“In South Africa, the McAfee report says that the economic impact of cybercrime locally is equal to about 0,14% of the country’s total GDP. As our GDP contribution is R4,1-trillion, that means that cybercrime is costing South Africa almost R6-billion per year,” she says.

And while lower-income countries may have smaller losses now, this will change as these countries increase their use of the Internet and as cybercriminals move to exploit mobile platforms.

“But by far, the greatest cost to companies is the clean-up afterwards. While criminals may not be able to monetise all their gains from an attack, victim companies still have to put measures in place as if they have lost all their data to criminal threats. The aggregate cost for recovery is far greater than the gains by cybercriminals.”

The very nature of the Internet means that cybercriminals from anywhere in the world can direct their attention to specific targets. It’s also believed that local hackers could be more organised than previously thought, as per the recent rise of hacker group Anonymous with its South African chapter.

“Amidst all the cyber mayhem, South African businesses are still slow to understand that network security and privacy risks are emerging and constantly evolving issues, and businesses must ensure that adequate measures are in place to address them, including systems and processes on the IT front in relation to harvesting, storing and disseminating information, and controls around personnel access,” Curtin warns.

She adds that companies should consider specialised insurance cover for cyber risks.