Ransomware attacks have skyrocketed in recent years. SHA Risk Specialists' most recent Annual Risk Review found that one in five small and medium enterprises (SMEs) has been the victim of a ransomware attack, with demands most commonly ranging from R25 000 to R50 000 – this is in line with global statistics.
Thirty-seven percent of businesses surveyed said that they had experienced some form of cyber event in the past 12 months, with just over half of the incidents arising from the negligent actions of an employee. Typically that means a staff member unwittingly clicked on a malicious link in a phishing email.
These statistics clearly indicate that risk management and cyber-awareness training for employees are not enough of a priority within small businesses.
Cyber-awareness training
By all accounts, the human element is still the greatest threat to cyber security. It is a business imperative to ensure that employees and contractors are informed and trained on the latest cyber security risks and trends. Businesses can spend millions on security, but if users are not trained, it is all for naught.
This can be done by educating staff (including IT) on the most common entry points into a business that cybercriminals use, and on how to avoid falling victim to these scams. Practical measures include not clicking on unverifiable links or opening untrusted email attachments, strict download policies, tighter controls on personal data, using Virtual Private Networks (VPNs) and the like. Most importantly, all companies should conduct frequent data backups, as that will make data recovery far less problematic should they fall victim to a ransomware attack. Backups only help if at least one copy is kept offline or otherwise out of reach of the network the ransomware can encrypt, and if restores are tested regularly rather than assumed to work.
A risk transfer standpoint
Ransomware and extortion attacks have become far more sophisticated, and cyber exposures are not limited to businesses that store confidential information. Companies that operate technology-driven manufacturing plants or distribution centres are also vulnerable to cyber risks. For these entities, being offline for even a few hours can mean a serious drop in revenue. The 2020 Risk Review showed that in the SME sector, 23% of commercial victims were offline for between 24 and 72 hours. A further 7% suffered business interruption exceeding three days.
Given the high volume of successful ransomware attacks, which continue to rise in both frequency and sophistication, it is almost inevitable that any modern business will find itself at the mercy of these cybercriminals at some point. From a risk transfer standpoint, our survey showed that only 18% of businesses had some form of cyber cover in place. It is worth noting that the purchase of coverage remains higher in the larger, corporate sector, where governance and risk management tend to be more of a business imperative, while the more vulnerable small businesses remain largely exposed and are far less likely to recover.
Cyber insurance policies
Cyber policies generally respond to first- and third-party losses following hacking or privacy breaches, and extend to cover a range of regulatory exposures. Some cyber insurance policies cover a wide variety of first-party (own damage) cyber exposures, ranging from data breach response, restoration, business interruption, cyber extortion and ransom, cybercrime (theft of funds) and PCI-DSS, as well as a range of third-party (liability) exposures such as confidentiality and privacy, network security and media liability.
The numbers reflected in SHA's 2020 Risk Review are somewhat encouraging, as it appears that businesses are becoming more aware of the escalating cyber risks. Of the companies surveyed, 84% now rely on antivirus software (more than double the figure reported in 2019), 70% have firewalls in place and more than half do regular data backups to protect company information. If there was any benefit to the global tragedy of the lockdowns, it seems that more focus was placed on keeping company networks secure as businesses were forced to adapt to employees working remotely. The fact remains, however, that without cyber insurance any business remains exposed to significant financial losses after an attack.
Sizwe Cakwebe
Cyber Risk Manager