As the world is increasingly interconnected, everyone shares the responsibility of securing cyber space. The question we need to ask is, are we creating enough urgency around cyber crime?
When Newton Lee made this statement, he was cognisant of the fact that the world has become increasingly interconnected and that the majority of business done in the world today is being done over the internet.
Because of this, criminals have also moved a significant portion of their business to the internet. According to a report conducted by internet security company McAfee, cyber crime has been estimated to cost the global economy in excess of $400 billion each year.
The big hitters
According to a cyber crime report that was published on the bestvpns.co.uk website, 2017 was a busy year for cyber criminals.
According to the report, over 200 000 computers in 150 countries were affected by the WannaCry malware. In the same year, over 12 500 machines in 64 countries faced the threat of Petya ransomware.
Attacks and cost
As evidenced above, cyber crime does not only affect people in their personal capacity, but it also has the ability to influence the political space.
What are the biggest threats in society and what are the costs associated with them? According to the bestvpns.co.uk report, malware was the biggest threat in 2017 and carried a cost of $2 364 806.
Other types of attacks (and their cost) included:
• web-based attacks, which cost $2 014 142;
• denial-of-service attacks, which cost $1 565 435; and
• malicious insider attacks, which cost $1 415 217.
Social engineering is when a cyber criminal hacks into the social media account of a party and assumes their identity. If this occurs, and a client is engaging with a criminal who is impersonating an insurer or a broker over social media, they may hand over important information thinking that it is a legitimate engagement.
South Africa and cyber crime
While the bestvpns.co.uk report focuses on cyber crime on a global scale, it would be dangerous for South Africans to think that we are immune from cyber crime. In fact, recent reports in the media show that South Africa is one of the top countries in the world where cyber crime is committed.
So where does this leave us? A recent press release on htxt.co.za pointed out that during 2017, the Cybercrime and Cybersecurity Bill that has been in the works for a couple of years was pushed forward and into public consultation, with a view to swiftly passing it and incorporating into our legislation the tools necessary to efficiently address cybersecurity incidents.
However, we were not safe. The press release added that in October, what appears to be the single largest personal data breach in South African history was uncovered. Hackers managed to gain access to and leak 13-digit personal identity numbers and other personal information pertaining to roughly 30 million SA citizens.
What are the biggest cyber challenges that South Africa faces? Ethan Pitts, a Cyber Risks and Commercial Crime Underwriter at Camargue, said that the South African cyber crime industry is very interesting.
“In order to understand how you may be at risk, you need to think why a cyber criminal might target your company. The primary reason is direct financial gain, hacking into bank accounts to make transfers or using phishing and other social engineering attacks to extract money from their unsuspecting victims,” says Pitts.
According to Pitts, the second most common incentive for hacking a company is to obtain confidential information, which can either be sold to competitors (think of the formula for a new drug which has not yet been patented) or black-market sources which specialise in Identity Fraud. With enough confidential information on someone, a skilled hacker can build an online persona and use that to gain access to the victim’s bank accounts or clone their identity documents.
The third attack, previously limited to financial institutions and the telecoms industry, follows the pattern of a DDoS attack. By locking down a network with ransomware or infecting the key systems of a business with disruptive malware, hackers can bring down businesses and then extort them for a solution to their problems. Very few businesses have considered the cost that a cyber incident can have in terms of lost revenue, not to mention the costs incurred in restoring systems.
An issue of quantum
While the information on the bestvpns.co.uk website is very relevant, it is largely based on international research. There is very little information on this website which is relevant to the South African market in terms of the nature of cyber attacks or the costs associated with them.
“The primary costs incurred by any South African company, regardless of size, are the lost income during any downtime caused by a hacking incident and the costs of the specialists who help restore their systems. Bear in mind, these specialists first need to identify, then quarantine and finally restore compromised systems. This is a time-consuming process where a company loses money due to a lack of productivity and then pays the specialist’s invoice afterwards,” says Pitts.
He adds that this is a best-case scenario where no 3rd parties are involved. Should client information be compromised, the companies would need to inform the affected victims of the breach, which can be another costly process if there are thousands of individuals to be informed. Further, PR specialists will be required to mitigate brand damage, and there are potential legal costs in defending companies from class actions.
Prevent a heart attack
While the South African economy does have its fair share of large multinational companies, it is the Small, Medium and Micro-sized Enterprises (SMMEs) which are the heartbeat of the South African economy.
“In terms of small companies, the costs incurred to get back up and running are significantly smaller than a large-scale manufacturer or financial institution. Should a factory be halted while their computer systems are locked down, industrials can look to lose millions of Rands in a single day. Companies should therefore look at the costs of them going down for a week, or even longer and calculate the lost business during this time,” says Pitts.
Cyber insurance policies are therefore a unique product in the insurance market, as they provide cover for a combination of 1st party and 3rd party costs and expenses. While insurance cannot be the only form of risk mitigation, it does provide an effective risk transfer mechanism – especially for the SME market and smaller commercial ventures who may not have the budget to invest heavily in cyber security.
An unfortunate reality
According to Pitts, a lack of cyber awareness and the prohibitive costs of effective cyber security mean that it is a low priority for most executives.
“On a global level, only 50% of board members consider cyber security as part of the top ten concerns for their business – and South Africa follows this trend. For brokers, it’s important to advise all clients that due to our integration with technology, cyber exposure is now a risk which needs to be addressed in the same manner that one would purchase insurance for an office fire or generic theft,” said Pitts.
Explaining the losses and ways that a cyber incident could affect their client’s business, especially in terms of lost revenue, is often an effective way to make a client aware of the possible financial impact of an attack.
Additionally, as part of their fiduciary duties, directors are obligated to ensure that their companies are adequately protected from all risk exposures. Does this increase the urgency of regarding cyber liability as a top risk?