02 December 2019

Are retailers geared to face the cyber risk of #BlackFriday?

Submitted by: Teresa Settas

In relative terms, South Africa is still new to the Black Friday concept, where retailers offer massive discounts on goods and services over the last weekend of November. With online shopping gaining significant traction in South Africa, more consumers are avoiding the crushing queues and shopping madness that come with Black Friday and opting to do their shopping online, from the comfort of their homes.

Expanding into online business models exposes retailers to a host of inherent cyber risks, especially in the context of South Africa having the third highest number of cybercrime victims worldwide, losing around R2.2bn a year to cyber-attacks, according to the South African Banking Risk Information Centre (SABRIC). Point-of-sale and ERP systems used in-store to process purchases are equally at risk of a major cyber take-down that could leave retailers unable to process any transactions.

“Given recent events and case studies on cyberattacks, the reality now is that it is not a matter of if, but when a cyber incident occurs. It is usually only at this point that executive teams take a granular look into IT infrastructure, systems and processes, and realise the redundancy of reactive approaches to cyber security. By conducting proactive and regular scenario testing that is combined with a solid strategy to manage the cybersecurity environment, businesses can avoid panic and reactive decision making to identify and effect remedial action required,” says Zamani Ngidi, Client Manager: Cyber Solutions at Aon South Africa.

It’s impossible to completely eradicate cyber risk or the potential consequential damage to reputation resulting from a cyber incident. The risk is pervasive. But resilience is possible for organisations that contemplate a circular approach, which Aon terms The Cyber Loop.

Any, if not all, organisations will enter the cyber data ecosystem at one of the four stages set out in the process: assessment, quantification, insurance or Incident Response (IR). Once in the Cyber Loop, the organisation becomes an active participant in managing its risk within a greater cyber security ecosystem, engaged in continuous review, improvement and investment in cyber risk management. With each revolution around the Cyber Loop, more data is extracted that strengthens the organisation’s ability to rapidly detect, respond to and recover from a cyber-attack. The ability to make informed decisions gets sharper and the company’s cyber resilience improves.

“It is generally advisable for an organisation to commence its risk journey in the Cyber Loop at an assessment stage, in order to give the leadership and executive teams a clear understanding of the organisation’s pertinent risks and assist decision-making around information security spend. It will also greatly underpin the structuring of a cyber insurance portfolio that is built for purpose to manage the potential financial, liability, business interruption and reputational implications of a targeted cyberattack,” Zamani explains.

By implementing a proactive risk management approach, organisations increase their cyber risk maturity level. “It builds an organisation’s ability to retain more of its cyber risk that ultimately translates into insurance premium reductions. The Cyber Loop pushes the fundamental purpose of insurance into a space where it is no longer a grudge purchase but rather an investment decision around a company’s risk profile and its ability to recover and continue business operations as quickly as possible. However, the overall benefit comes to the fore once a cyber breach occurs, as the organisation is prepared; this leads to the ability to speedily and adequately mitigate the effects of any attack, inclusive of the resultant business interruption,” says Zamani.

“With a qualified risk advisor versed in the cyber risks facing South African businesses of all sizes, your organisation will be able to take the business through a comprehensive cyber risk assessment that will help quantify the risks your organisation is exposed to, as well as the potential fallout or quantum of such an incident. Having a built-for-purpose cyber insurance regime in place that is supported by an airtight incident response process will go a long way in achieving a cyber resilient operation,” concludes Zamani.