Preventing a cyber-attack and insuring against the resulting losses

A recent study titled “The State of Cybersecurity in South Africa” provides an update by the same research company that conducted similar research in 2019. Some of the findings then were quite scary, looking at today’s reality:

The biggest shortcoming in cybersecurity preparedness then was outdated software, with 77% of IT decision-makers reporting that it made their organisations highly vulnerable. In terms of additional vulnerability factors, senior management not understanding the risk slots was close behind, indicating a massive need for education and a need for a new approach to security, where it is an intrinsic part of the systems deployed by a business.

“All of this then leads us to imagine that the IT departments must feel under siege, yet they are supremely confident in their ability to protect companies,” says Arthur Goldstuck, chief executive of World Wide Worx.

“Although 99% say they are confident about protecting the company, the picture disintegrates when asked whether they have the skills to do so. Almost half – 45% – agree that they don’t have the skills to protect the company. This disconnect suggests overconfidence in their ability to protect the business,” adds Goldstuck.

The research highlighted that there will be breaches, but it is how business mitigates these risks going forward with a proactive approach to security that does not chase each breach, but instead shifts to a model that builds intrinsic security into everything – the application, the network, essentially everything that connects and carries data.

Fast forward to the 2022 survey

The latest study shows that about 75 of South Africa’s top 100 corporates did not feel fully protected by their current cybersecurity strategy, despite 68% investing more in cybersecurity than the industry average.

Goldstuck says this was not the case five years ago, when only half of the respondents believed cybersecurity was integral to business strategy.

“Corporations being over-budget on cybersecurity spend may look like a positive sign, but it also raises the likelihood that the budgets were too low to begin [with],” he says.

Daily Maverick reports that the majority (99%) of corporates are aware that disaster management is essential, but only 40% of large businesses use multiple solutions to protect, back up, and replicate their data in the event of disaster. This is possibly in light of the fact that most respondents (99%) had not experienced cyberattacks that resulted in financial loss.

The Cybercrimes Act, signed into law last year, requires companies to report any cybercrime offences to the police within 72 hours and retain all information related to it. Failure to do this can result in a R50 000 fine.

Major threats

The European Parliament website notes that, during the pandemic, companies had to quickly adapt to new working conditions – and thus opened new doors and more possibilities for cybercriminals. According to the European Union Agency for Cybersecurity, there are nine prime threat groups:

1. Ransomware – attackers encrypt an organisation’s data and require payment to restore access
2. Cryptojacking – when cybercriminals secretly use a victim’s computing power to generate cryptocurrency
3. Threats against data – data breaches/leaks
4. Malware – software that triggers a process that affects a system
5. Disinformation/misinformation – the spread of misleading information
6. Non-malicious threats – human errors and misconfigurations of a system
7. Threats against availability and integrity – attacks that prevent the users of a system from accessing their information
8. Email-related threats – aimed at manipulating people into falling victim to an email attack
9. Supply chain threats – attacking, for example, a service provider, in order to gain access to a customer’s data

Prevention is better than (inse)cure

Khairy Ammar, services sales director at Dell Technologies, says it is imperative for organisations to keep their online endpoints secure.

“You need intelligent solutions that prevent, detect and respond to threats wherever they occur. A procedural measure like taking on a certified cybersecurity partner to manage these services is often the best protection for corporates.”

Insuring against cyber-related losses

While corporates have the resources to employ a certified cybersecurity partner, smaller businesses can at least take out insurance against such an event.

Before accepting the risk of such losses, a reputable insurer will assess the measures in place, and recommend additional security measures to be implemented, which, in itself, is already a step in the right direction.

Santam, for example, describes itself as an internationally recognised IT security and incident response service provider. Its cyber insurance cover is specifically curated for businesses that employ up to 100 people with a turnover of up to R20 million. The following areas are covered:

• Data breach and restoration. After a breach, the business may incur legal costs and pay damages to third parties if the case is unsuccessfully defended.
• Third party liability. This covers your business against any claims that your clients or intermediaries make towards your business if they experience a cyber-attack on your system.
• Business interruption. This offering is designed to assist small to medium business owners to bring their business back on track after a breach.
• Cyber extortion and cybercrime. This extension helps to get businesses running as soon as possible after a cyber-attack and manages the financial implications as a result of the ransomware.

Although incidents such as the pandemic, the riots and latest floods were unforeseen events, cyber threats are far more likely to occur. Clients need to understand this.

Another consideration is the fact that reinsurers are getting more and more selective about what risks they are willing to cover. The potential losses from cyber crime are so huge that it may only be a matter of time before they withdraw from such cover as well.