Not only is cybercrime soaring in South Africa, but cyber criminals are becoming increasingly sophisticated in their attacks. Elaborate social engineering scams and database hacks have become more commonplace than many may realise. No business, big or small, is immune to the financial and reputational devastation that is often felt in the aftermath of a cyber-attack.
According to the latest Specialist Risk Review conducted by specialist liability insurer, SHA Risk Specialists, the past two years have seen a third of South African small businesses fall victim to a cyber-attack. 30% of these attacks were attributed to the installation of malware, while 26% were reported as phishing attempts.
Commenting on this is Bongani Nxumalo, Digital Distribution Specialist at SHA Risk Specialists, who says: “Doing business in the Fourth Industrial Revolution requires that all applications and systems be developed with cyber security in mind. Neglecting this aspect of risk management poses a serious threat to business continuity, and in the case of many small businesses with limited cashflow, a single attack can lead to complete closure.”
As he explains, the majority (69%) of the cyber-attacks targeted at South African businesses result in a full shutdown of operations as businesses are forced to go offline for more than 24 hours. Almost two thirds of the respondents to the SHA Risk Review also claimed to have been severely financially impacted by such attacks, with 34% of respondents reporting that they had fallen victim to an email scam.
For Nxumalo, these odds are staggering, particularly given that the most exploitable vulnerabilities are found in human error within business operations. Untrained and unvigilant employees are often the weakest link in the cyber security ecosystem. For this reason, an airtight cyber security policy must begin with awareness and an extensive educational drive to demonstrate the role of employees in protecting sensitive information and data assets.
As a starting point, employees need to be informed about the most common forms of attack, such as phishing and spoofing. The former involves the practice of using fraudulent misrepresentation to deceive online users into trusting an illegitimate source in order to install malware on the victim’s device or to steal money or data. Similarly, spoofing involves cybercriminals disguising themselves as trusted parties in order to gain the victim’s confidence and trust.
At the very least, employees need to be made aware of the most popular methods used by cybercriminals. This could include how to identify a fraudulent email or instant message, how to check the legitimacy of a website, how to protect their passwords and how to use multi-factor authentication (MFA) to safeguard their logins.
Some of the basics of good cyber practice also include conducting regular backups and installing the necessary security patches on operating software and other applications. “Attention should also be given to reputable anti-virus software, data encryption, firewalls and automatic alert systems. Small businesses can also benefit immensely from partnering with an IT specialist or cybersecurity consultant to fill any knowledge gaps and keep abreast of the latest developments in the cyber risk landscape,” advises Nxumalo.
In addition to these safeguards, businesses can take out a cyber insurance policy to ensure that operations are not brought to a standstill by the financial fallout of an attack. Once such a policy is in place, it is equally important for business owners to collaborate with their insurance advisers and brokers to gain a full understanding of their responsibilities in mitigating the related cyber risks.
As Nxumalo concludes: “Insurers and clients need to work hand in hand to ensure that the effective measures are in place from a risk management perspective. Cybercrime represents a rising business risk that will undoubtedly impact organizations as the pace of digitisation accelerates.”