
Reluctant to insure, despite past incidents

02 August 2018 | Non-life | General | Myra Knoesen

South African companies, according to GTC Risk Solutions, have suffered several cybercrime incidents over the past few years, yet local businesses are still reluctant to insure against this risk.

Roy Wright, Head of Risk Solutions at GTC says, “Many businesses are aware of cybercrime, but they, especially small and medium enterprises (SMEs), erroneously believe their organisations will not be targeted. There is a perception that this risk is more prominent in large businesses or those operating within developed markets, whilst other companies tend to believe their IT security systems are sufficiently robust to either prevent or recover easily from an attack, and therefore do not see the need for specific cyber insurance.” 

Both these arguments, according to Wright, are flawed, especially when one considers the number of cybercrime incidents that have occurred in South Africa recently.

FAnews approached a few companies for their feedback on cybercrime in South Africa and on whether there really is a way around cybercrime, now and in the future, once and for all.

Cybercrime in South Africa

“Since last year, more and more entities in South Africa are being targeted. There has been the Deeds Office hack where around half of the population had their details published on the Dark Web as well as an attack on the South African branch of Hetzner where client data was compromised. We then had the most recent one from Liberty in the third week of June where the hackers claimed they had 40TB worth of customer and financial data,” said Leroy Koster – IT Manager at Genasys Technologies.

In its 2017 cybersecurity report, Kaspersky noted a 46.8% increase in the number of individuals that have been affected by cyber threats such as malware and ransomware that are spread via local networks, USBs, CDs and other methods.

“According to the SHA Annual Specialist Risk Review, 38.5% of the respondents had experienced a network security breach, such as hacking, virus or ransomware over the past 12 months. In addition, 34% of business decision-makers feel their company is at risk of a cyber attack and yet startlingly, 42.5% of businesses do not have proper cyber risk procedures in place,” says Santho Mohapeloa, Cyber Risk Underwriter at SHA Specialist Underwriters.

Recent research shows South Africa reportedly has the third highest number of cybercrime victims worldwide, losing about R2.2 billion a year to cyber attacks. According to Trend Micro, South Africans fell victim to 15 million ransomware attacks in 2017, and Trend Micro products detected over 10 thousand incidents of mobile malware and online banking malware. According to a Trend Labs report, over 133 million incidents of malicious code were detected in South Africa.

Author Jonathan Crowe says the trends in cybersecurity statistics from 2017/2018 show attacks are evolving to incorporate fileless techniques, antivirus solutions are being replaced or supplemented, security is getting more expensive and difficult to manage and ransomware is on a steep decline while crypto mining malware booms. 

Change in mindsets is needed

“Business owners, especially those involved in the digital economy have to adapt to the increasing demands of their clientele. It is also vital to adapt technology to protect not only a company’s digital assets, funds and data, but also its reputation and future profitability. The issue of cybercrime requires that all industry players (private and public) synchronise their energies and efforts in educating the general public in order to combat this,” continued Mohapeloa. 

“Many businesses are aware of cyber threats but sit with a mindset that they are too small to be targeted, compared to government institutions and large corporates. This is what will put businesses at risk of mass targeting attacks,” says Andre Van Rooyen, Fulcrum Group’s Head of IT. 

“Criminals have automated tools able to scan and locate hundreds and thousands of potential targets in under a few hours, and to determine their value. We need to overcome the safety delusion we have and understand our significance and value to these criminals. I believe that we need to change the mindset not the technology. Once we get that right, we can focus on the aspects of technology, training, resources, etc,” continues Van Rooyen.

“The focus is too much on perimeter security and manual processes where we should also be looking at incorporating Artificial Intelligence (AI) for automated threat intelligence and beefing up internal security as part of a layered approach,” said Koster. 

Drawing attention to legislation

With the introduction of legislation such as the General Data Protection Regulation (GDPR) in the EU, and the Protection of Personal Information (POPI) Act in South Africa, and the requirements of these pieces of legislation, it is likely there will be an increase in the demand for cyber insurance, given the cost of cybercrime attacks.

“Both the GDPR and POPI Act look at the integrity and confidentiality of data that requires a level of security, fitting to the risk characterised by the data and its use or need. The sensible thing would be to say yes, the demand for cyber security insurance will increase. This will ensure that businesses remain responsible for the data under their care/storage. However, the POPI Act and GDPR legislation will make businesses directly accountable, with hefty fines that should make us think twice. But true to our nature, we will need a court case before we wake up and understand the implications - a true test of the Act; sadly to say,” continues Van Rooyen.

“According to the SHA Annual Specialist Risk Review, over 40% of the business decision makers are not ready for the implementation of the POPI Act and do not properly understand the potential impact it could have on their business,” emphasizes Mohapeloa.

As we get more connected

“Cyber Insurance will evolve because cybercrime, like any other crime, is here to stay. We can, however, put measures in place to minimise the potential damage or financial impact due to loss. Like owning a car, it would be silly not to insure a business against these threats. We can create awareness, continuity plans and conduct disaster recovery tests to make our cyber footprint as small as possible, to reduce our attack surface,” concludes Van Rooyen.

“Should a business wish to survive and thrive in this digital era, it will have to change the manner in which it conducts business and protects its assets. Any forward-thinking entity will have to adopt a holistic approach in terms of mitigating the risk in question,” concludes Mohapeloa.

Editor’s Thoughts:
As Koster said, “There is no real way around it. All we can do is deploy multiple layers of defence incorporating AI and behavioural analytics to combat the scourge. User education also needs to be a priority.” Will we need a court case before we wake up and smell the coffee?
