Safer Internet Day (today, 6 February) is aimed at making both individuals and companies more aware of the ever-more prevalent cyber risks that they could fall foul of.

And make no mistake: Cybercrime is a particularly serious threat to South African businesses. According to the UN, there are more than 2-million small, micro, and medium enterprises (SMMEs) in South Africa, and they represent more than 98% of formal business.. The Brenthurst Foundation reports that these SMMEs employ 50% to 60% of our labour force and contribute 34% towards GDP. Yet, globally, 60% of small businesses close their doors within six months of a cyber-attack.

And if those figures aren’t enough to put the fear of phishing into you, this should: IBM reports that South Africa has the highest global probability of a repeat breach, with 83% of organisations having experienced more than one breach in the 12 months preceding the 2022 study.

In 2019, IBM put the average total cost of a data breach in South Africa at R43,3-million. Can your business absorb that kind of cost, along with the reputational damage that a breach could cause?

George Parrott, commercial partner at King Price Insurance, says that South Africa’s Protection of Personal Information Act (POPIA) adds an extra layer of complexity.

“POPIA has fundamentally changed the way that businesses deal with consumers’ personal information. If your business is hacked, and you don’t have the correct procedures and safeguards in place, you could get fined by the Information Regulator in addition to the other costs involved with rectifying a cyber security breach.”

And yet this is where many smaller businesses fall foul: Thinking that they don’t store much personal information, they often don’t invest in the best firewalls and protections. SMMEs also often don’t have in-house experts to manage these aspects. But their biggest risk lies in a larger organisation with which they have links, such as a bank or a credit bureau, being hacked, which then endangers their own company info down the line.

AI enables cyber criminals

Cyber-risks for companies have shifted from the Covid-lockdown stage when employees were compromising company IT- and cyber-security while working from home and on unsecured networks.

“In 2023, we saw that the risk wasn’t even all related to companies shifting their operations and information online and into the cloud. Right now, what’s keeping CIOs up at night is how to defend against AI-driven cyber-attacks, which are increasingly sophisticated and have fundamentally changed the game,” says Parrott.

There’s no doubt that AI is opening up entire new worlds of efficiency, productivity and creativity for businesses across all sectors. Generative AI tools are automating manual processes, improving customer services through micro-personalisation, and in some cases, reducing security risks like money-laundering and fraud. And that’s all good.

The problem is, of course, that AI isn’t only available to the good guys. “We’re increasingly seeing criminals manipulating AI for use in ever-smarter cyber-attacks,” Parrott says. “They’re using techniques like data poisoning, where fraudsters manipulate the data that’s used to train a company’s AI to sabotage the company.

“With adversarial attacks, criminals manipulate an AI system’s input data to force a system to make incorrect decisions. Model-theft and tampering involve copying a model, modifying it, or inserting malicious code and then redeploying it back into the company.

“There are also security risks associated with voice impersonation attacks, where cybercriminals use deepfakes to compromise vulnerable individuals.”

He says the biggest lesson we can take going forward from Safer Internet Day is that it’s not a question of ‘if’ an attack will happen, but ‘when’. And still, Interpol estimates that nine out of every 10 African businesses are operating without the necessary cybersecurity protocols in place.

“With cyber-risk – and cyber insurance – being relatively new in the broker world, it’s imperative that insurers make it as easy as possible for brokers to add cybersure cover to their clients’ portfolios. And some have really stepped up to the plate with fit-for-purpose applications that are simple and straightforward, enabling brokers and their clients to apply for cover with minimal input,” says Parrott.