An innocent-looking email could scupper your advice practice
As you scan today’s headline you will no doubt be sighing in unison with thousands of other FAnews readers: “Ah no, not another cyber risk piece”. Well, sorry, dear reader: cybercrime is a growing and topical threat that no business, small or large, can afford to ignore. To make the discussion more relevant to financial and risk advisers, FAnews attended (sic) the latest Morningstar South Africa Advisor 2.0 Webinar series, simply titled: ‘Cyberattacks’.
Exploring the ‘phishy’ business of cyberattack
Brian Pinnock, VP of Sales Engineering EMEA at Mimecast and co-host of the Phishy Business podcast, was the guest speaker on the day. He observed that his podcast role had given him the unique opportunity to interview a diverse set of authors; businesspeople; hackers; law enforcement officials; and lawyers, all of whom have “fascinating and often very personal stories about the impact of cybercrime in their lives”. The presentation set out to answer some stock cyberattack-related questions such as: How bad is the cyber threat really? How much is hype and how much is actual risk? And what, if anything, should businesses do about it?
The evolution of the cybersecurity risk facing global businesses can be traced in the annual risk reviews published by global consulting group McKinsey. Pinnock noted that the group’s 2010 report on enterprise risks did not contain a single mention of cybersecurity, and that by 2016, just a couple of years before two of the most significant cyberattack tsunamis the world has ever seen, cybersecurity was barely mentioned. But by 2021, the McKinsey Risk Report mentioned cybersecurity more often than all other risks combined, including risks posed by competition; finance; geopolitics; regulation; and even pandemic. This, he said, explained fearmongering news such as a Forbes piece hinting that “cybersecurity was a greater risk than climate change”.
The systemic risk in a cyberattack tsunami
Cyberattack and cybercrime have true systemic risk credentials, as illustrated by the aforementioned cyberattack tsunamis. The first of these occurred in May 2017, with the release of the WannaCry ransomware virus. “This virus took down the British National Health Service and a number of well-known brands like Nissan Motors, FedEx, China National Petroleum, Renault and a bunch of others,” Pinnock said. “This was the first inkling that we had of a massive, global systemic-type risk from cybersecurity breaches”. A month later, in June 2017, the so-called NotPetya virus wreaked havoc on global information technology infrastructure.
The virus, allegedly launched by Russia against Ukraine, took down systems at airports, banks and power companies in the latter country, but soon spread globally. In one example, pharmaceutical giant Merck & Co reportedly had to reinstall over 4 000 servers and 45 000 PCs globally following the breach, triggering a USD1.4 billion claim against the company’s insurers. A quick Google search revealed that in May 2023, the United States’ New Jersey appeals court ruled that Merck’s insurers could not rely on a war exclusion clause in their policy wordings in an attempt to avoid paying the claim. PS: as is typical when complex insurance matters head to the courts, almost five years have flown by since the loss was incurred, and it remains unclear whether the insurers will follow the court’s instruction or pursue other avenues of legal defence.
It should come as no surprise, then, that cyber risk has been elevated to ‘elephant in the room’ status at company boardrooms, law enforcement agencies and regulators alike. “One regulatory intervention causing a bit of an outcry at the moment is the recent US Securities and Exchange Commission’s updated rules for notifying markets about any material data breaches, which must be done within four days,” Pinnock said. Data protection regulation in Europe, under GDPR, and in South Africa, under the Protection of Personal Information Act (POPIA), also mandates the notification of data breaches. GDPR gives firms two days to comply, while POPIA requires firms to notify of a breach “within a reasonable time”.
Cybercriminals have SA in their crosshairs
Cybercrime is pervasive domestically. Mimecast reports that around one-in-five of the attacks being blocked by its software globally are directed at its South African clients. “South Africa does seem to be disproportionately targeted, and we have seen a steady rise in ransomware incidents locally over the past five years; in fact, every seven hours, an employee of a South African firm receives an attempted attack by email,” Pinnock said. He added that it took firms up to seven months to detect successful attacks, and another two to three months to contain them. Despite this, SA-specific cyberattack / cybercrime stats are thin on the ground.
The annual Mimecast State of Email Security Report is one notable exception. This report places a lens over cyber threats that lurk in your company email. “The predictions of the death of email are just not true [with] 86% of survey respondents indicating that they are using email more than they have ever done before,” Pinnock said. He added that South Africa’s utilisation of email was above the global trend, which is of concern given that seven-in-10 survey respondents reported an increase both in the quantum of email-based threats, and the sophistication thereof. A key comment was that “threat actors target email because that is where your users are”.
Financial and risk advice practices that adopted so-called collaboration tools like MS Teams; Slack; and Zoom during and post-pandemic will be alarmed to learn that these platforms represent “a growing attack surface” for cybercriminals, with recent Mimecast research suggesting that employees “demonstrate measurably riskier behaviour when using these tools compared to other tools like email”. This makes sense, and this writer is sure he is not alone in accepting just about every request his computer monitor throws at him in an attempt to get a scheduled MS Teams or Zoom meeting underway.
Value of cyber insurance under fire
There are only four things that your business can do about the risk presented by the terrible trio of phishing, spoofing and ransomware: you can reduce it; avoid it; accept it; or transfer it. “A lot of organisations have chosen to transfer some of their cyber risk to insurers; but we are getting fairly mixed reviews [with just] over half of respondents saying this cover is worth it versus around 40% who said cyber insurance is not enough,” Pinnock said. Insurers will have to think carefully about their cyber product designs, which are already considered expensive and overly conditional, in light of the survey finding that 90% of firms felt that they would rather divert their cyber insurance premium spend to other areas of cyber threat prevention.
Shifting focus to the small, medium and micro-enterprise (SMME) sector, Pinnock drew the audience’s attention to a Sage report titled Cybersecurity for SMEs. This report suggests that the challenges presented by cybercrime, and the incidence of cyberattacks, are similar in the SME and large corporate space. “The majority of SMEs implement strategies like backups and firewalls to overcome things like data loss from cyber breach; if you are not doing that, then you are probably out of step with your peers,” Pinnock said.
The presentation covered far too much to include in this newsletter. However, you can still benefit from some of the presenter’s closing advice. “We strongly recommend that you prioritise your email security [as] it is the number one attack vector; we also recommend prioritising identity and cloud protection and using multi-factor authentication where possible,” Pinnock said. The latter step requires going beyond username and password hygiene alone to incorporating password managers and using unique passwords for different systems, to name a few measures.
Some first steps to protect your practice
Finally, small businesses must make all employees aware of the IT and cyber security threat landscape. Pinnock closed his talk by encouraging attendees to understand their risk profiles; reduce their cyberattack ‘surface’ by eliminating unnecessary or unsafe devices and accounts; keep software and systems up to date; transact with reputable vendors; and always try to maximise the protection on offer from existing software and systems before committing to additional expenditure.
Writer’s thoughts:
As a small business owner with a rather subdued online presence, this writer reckons he is fairly safe from the attentions of cybercriminals; but financial and risk advisers who hold terabytes of client data on file are not so fortunate. What have you done to mitigate the risk that cybercrime presents to your business? Please comment below, interact with us on Twitter at @fanews_online or email your thoughts to editor@fanews.co.za.