Cyber Risk – the Achilles heel for SMEs
Submitted by: Teresa SettasMany small and medium businesses assume that they are not likely targets for a cyberattack, believing that only large corporates, banks and government institutions appeal to cyber criminals. As a result, their security measures are typically nowhere near the levels needed to avert a focused cyber hack, making them easy pickings for a cyber breach.
According to Zamani Ngidi, Principal Cyber Risk Consultant at Aon South Africa, the number of companies claiming for cyber-related insurance losses has doubled since 2015. Consider these fast facts:
- 43% of cyber-attacks target small businesses according to the Verizon 2019 Data Breach Investigations Report (DBIR). The report analysed 41,686 security incidents. SMEs were by far the greatest percentage of all attacks with the next closest being the public sector at 16%, and financial institutions at 10%.
- The Verizon report also showed that 71% of attacks were financially motivated, and 25% of breaches were motivated by the gain of strategic advantage (espionage/theft of IP). 29% of these breaches involved the use of stolen credentials. Even more disconcerting is the fact that 56% of all breaches took months or longer to discover, all the while cyber criminals had access to confidential data and business IP.
- Malware attacks in SA increased by 22% in the first quarter of 2019 compared to the first quarter of 2018, translating to around 13 842 attempted cyberattacks every day according to Kaspersky Lab.
“Whether a large of small business, a cyber breach has the potential to inflict enormous reputational damage, cause major interruption to normal business operations and income potential, and can also have legal ramifications if personal and financial information is compromised in context of the Consumer Protection Act (CPA), the Electronic Communications and Transactions Act (ECT) and the Protection of Personal Information Act (POPI),” he warns. And the attacks on South African organisations of all sizes and industry sectors show no signs of abating, as the recent ransomware take down of the City of Joburg’s prepaid electricity system demonstrates.
“South Africa will also continue to see large-scale ransomware attacks that target administration credentials to gain access to and infect, wider networks – often targeting SMEs and contractors to gain access to larger client corporations. With the expected increase in ransomware attacks designed to spread through a network, organisations of all sizes and industry sectors urgently need to take steps to protect their networks, and ensure that their risk management and insurance programmes are fit for purpose to protect them in a worst case scenario,” urges Zamani.
The following checklist from Aon provides an indication on how risk ready your organisation is to face a cyber security event:
- When was the last time you reviewed your company’s patch management program? Your disaster recovery and business continuity plans?
- Can you identify where all of your mission critical data resides and whether regular backups are being made?
- Does your cyber insurance policy provide adequate coverage? Have you taken the necessary steps to ensure you will be eligible to make a claim if your company is impacted?
- Have you communicated with employees about the latest phishing and social engineering techniques?
- Do you have an incident response plan in place, and has it recently been tested so everyone knows what to do in the event of an attack?
- Are all necessary technical and procedural controls in place and operating properly?
- Has your security posture recently been assessed, tested and acted upon?
“There is simply no one-size-fits-all approach to cyber risk and insurance,” says Zamani. “It all depends on the size of the company, nature of its business and its unique levels of exposure. In this regard, consulting with a professional risk advisor is an invaluable exercise in assessing your exposures, developing a risk mitigation strategy and transferring that risk to an insurer in order to protect your reputation, data, clients and bottom line,” concludes Zamani.