A recent report published by Mimecast estimates that the volume of malicious and opportunistic cybercrime increased worldwide by as much as 33% between January and March of this year.
In addition, US-based cloud security company Zscaler reported an increase of over 30 000% in Covid-19-themed attacks.
Kirsten Cronin, manager of financial lines underwriting at SHA Risk Specialists, notes that this increase in cyber incidents highlights the fact that no organisation is immune against cybercriminals. “Exposure to cybercrime is one of the most rapidly evolving threats that modern businesses face and the potential damage that any given cyber breach can cause for an organisation is significant. With the spike in online traffic that occurs on Black Friday, there is a heightened risk of businesses falling victim to opportunistic cyber-attacks.”
She warns that businesses face the possibility of suffering catastrophic material losses in equipment and valuable company information if they are not prepared. “Despite the rise in known instances of cyber breaches, a recent survey by SHA has shown that over a third of businesses do not provide cyber awareness training for their employees.”
According to Cronin, the most significant risk to companies could possibly flow from the full implementation of the Protection of Personal Information Act, 2013, Act No. 4 of 2013 (PoPI) in South Africa from 1 July 2020. “Organisations have been given a grace period of 12 months, from 1 July 2020, to implement measures to protect and safeguard personal information. Failure to become fully compliant within this period will lead to hefty penalties. Businesses that have dealings in the European Union (EU), or who handle personal information connected to EU citizens, also face similar liability risks under the General Data Protection Regulation (GDPR).”
She adds that SHA’s 2019 Annual Risk Review indicates that a sizeable portion of the market is still perilously unprepared to deal with the fallout from cyber breaches. “According to the survey, one in every five professionals have fallen victim to phishing scams, and for 54% of these professionals, the scam in question led to third parties threatening them with litigation for damages incurred.”
In addition to this, one in five companies have been the target of a ransomware attack, with demands most commonly ranging from R10 000 to R25 000.
Cronin notes that the findings among small businesses paint an even bleaker picture. “Around 30% of small and medium enterprises (SME) surveyed had fallen victim to a cyber-attack in the preceding 24 months. Of these companies, 82% suffered some degree of business interruption, as much as 87% were offline for up to 48 hours, and 12% for as long as three days. The cost of this downtime alone is significant with the survey revealing that the losses in 30% of cases exceeded R250 000 per incident. Just over half of the businesses surveyed indicated that they had suffered reputational damage due to the downtime.”
However, in spite of the prevalence of these incidents, around 48% of all the businesses surveyed did not believe that they were at risk of suffering a cyber breach. “Most businesses do not yet have a proper cyber crisis plan in place for dealing with a cyber-attack. We believe this often stems from a false sense of security, particularly where the business may have made some investment in cyber protection or technical personnel. The truth of the matter, however, is that no IT specialist can guarantee an organisation’s safety from cyber threats 100% of the time, especially when the majority of successful cyber-attacks exploit the core vulnerability – the human element – the employees in the business.”
In light of this, Cronin says that business owners need to prioritise cyber risk management and cyber awareness training in their organisations. “Measures such as conducting regular backups, ensuring that employees follow the right procedures to limit their exposure and having robust cybersecurity systems in place are paramount.”
In addition, having the right cyber coverage in place is crucial. “Commercial crime or professional indemnity with computer crime or cyber extensions really only cover a portion of the cost. Businesses need a dedicated cyber policy, which indemnifies a business against both first and third party losses – this is where the real risk lies.”
Even in this high-risk landscape, cyber cover remains an underutilised and undersold category of business insurance in South Africa. “Though the uptake of cyber cover is still low in South Africa, this is not reflective of the risk landscape. It will not be long before the cover becomes an essential risk transfer tool for businesses of all sizes, across all industries,” Cronin concludes.