Cyber Risk – the Achilles heel for SMEs

28 August 2019 Aon South Africa
Zamani Ngidi, Principal Cyber Risk Consultant at Aon South Africa

Many small and medium businesses assume that they are not likely targets for a cyberattack, believing that only large corporates, banks and government institutions appeal to cyber criminals. As a result, their security measures are typically nowhere near the levels needed to avert a focused cyber hack, making them easy pickings for a cyber breach.

According to Zamani Ngidi, Principal Cyber Risk Consultant at Aon South Africa, the number of companies claiming for cyber-related insurance losses has doubled since 2015. Consider these fast facts:

• 43% of cyber-attacks target small businesses, according to the Verizon 2019 Data Breach Investigations Report (DBIR). The report analysed 41,686 security incidents. SMEs accounted for by far the greatest percentage of all attacks, with the next closest being the public sector at 16% and financial institutions at 10%.
• The Verizon report also showed that 71% of attacks were financially motivated, and 25% of breaches were motivated by the gain of strategic advantage (espionage/theft of IP). 29% of these breaches involved the use of stolen credentials. Even more disconcerting is the fact that 56% of all breaches took months or longer to discover, during which time cyber criminals had access to confidential data and business IP.
• Malware attacks in SA increased by 22% in the first quarter of 2019 compared to the first quarter of 2018, translating to around 13 842 attempted cyberattacks every day according to Kaspersky Lab.

“Whether a large or small business, a cyber breach has the potential to inflict enormous reputational damage, cause major interruption to normal business operations and income potential, and can also have legal ramifications if personal and financial information is compromised in context of the Consumer Protection Act (CPA), the Electronic Communications and Transactions Act (ECT) and the Protection of Personal Information Act (POPI),” he warns. And the attacks on South African organisations of all sizes and industry sectors show no signs of abating, as the recent ransomware takedown of the City of Joburg’s prepaid electricity system demonstrates.

“South Africa will also continue to see large-scale ransomware attacks that target administration credentials to gain access to, and infect, wider networks – often targeting SMEs and contractors to gain access to larger client corporations. With the expected increase in ransomware attacks designed to spread through a network, organisations of all sizes and industry sectors urgently need to take steps to protect their networks, and ensure that their risk management and insurance programmes are fit for purpose to protect them in a worst-case scenario,” urges Zamani.

The following checklist from Aon gives an indication of how risk-ready your organisation is to face a cyber security event:

• When was the last time you reviewed your company’s patch management program? Your disaster recovery and business continuity plans?
• Can you identify where all of your mission critical data resides and whether regular backups are being made?
• Does your cyber insurance policy provide adequate coverage? Have you taken the necessary steps to ensure you will be eligible to make a claim if your company is impacted?
• Have you communicated with employees about the latest phishing and social engineering techniques?
• Do you have an incident response plan in place, and has it recently been tested so everyone knows what to do in the event of an attack?
• Are all necessary technical and procedural controls in place and operating properly?
• Has your security posture recently been assessed, tested and acted upon?

“There is simply no one-size-fits-all approach to cyber risk and insurance,” says Zamani. “It all depends on the size of the company, nature of its business and its unique levels of exposure. In this regard, consulting with a professional risk advisor is an invaluable exercise in assessing your exposures, developing a risk mitigation strategy and transferring that risk to an insurer in order to protect your reputation, data, clients and bottom line,” concludes Zamani.
