Miranda Tshuma, Aris Brokers
COVID-19 has transformed the way the world conducts business and, more specifically, what can be accomplished digitally.
A post-pandemic world of greater online function is unfolding before our eyes. With greater digital dependency and reward comes greater risk in the form of cyber threats. Just as businesses were able to adapt amidst the pandemic, so have cybercriminals, who are constantly probing for weaknesses and developing their tactics. Any organisation that has an online presence is at risk of cyber-attacks.
SMEs are actually ideal targets for cybercriminals because of their weak, or assumed weaker, security when compared to big enterprises. They can be seen as a “wretch”, making them vulnerable to hackers. Cybercriminals typically look for targets that can be hacked with ease.
They often accomplish this by using software that automatically scans the web and identifies businesses with specific security weaknesses such as outdated or unpatched software, poor passwords, open web ports, unencrypted data in transit, lacking endpoint protection, etc. While cyber threats are not new, the complexity and cost of attacks are unmatched. Big companies and large enterprises usually have multi-layered security systems to safeguard valuable data, protecting clients and customers. SMEs, however, do not have access to, or the supporting budget for, sophisticated IT security infrastructure or a skilled IT team; hence, when it comes to IT security, they are exposed and an ideal prey.
About 28 million malware attacks and 102 detections of unwanted programs (pornware, adware, etc.) were found across Africa in the first half of 2020. These numbers show that attackers use not only malware but also “grey zone” programmes that users have no idea are there, states the report. According to a report by (), as organisations moved to cloud-based services in response to restrictions brought on by the pandemic, cybercriminals responded with a 630% increase in cloud services attacks between January and April 2020 in Africa.
According to the Accenture Report (2020), South Africa was ranked third worldwide for the number of cybercrime victims, losing over R2,2 billion a year. The report attributed this loss to low investment in cybersecurity and a lack of cybersecurity awareness. The KSS report (2020), meanwhile, found that in the first half of the year there were 415 000 malware attacks in South Africa. Since the beginning of the lockdown, there has been an increase in cybercrime activity in South Africa. The same report found that ransomware is on the rise and can be a threat to big and small enterprises.
Potentially Unwanted Applications (PUAs) are programmes that when one looks at them and these are becoming more common in South Africa. They are not usually considered to be malicious, and that is why they are growing in popularity. These usually go hand in hand with fake apps whose installation one is not aware of having consented to. They are usually exploited and used to disguise malware downloads. An example stated by the iDefense report (2020) is “CovidLock”, which claims to provide real-time coronavirus information, including heat maps and statistics, while it contains sophisticated malware. This brings to light an emerging trend in which hackers use coronavirus fears to send you a computer virus. The malware is disguised as legitimate information about coronavirus.
WHAT CAN SMMES DO?
The company can educate employees on phishing emails, as employees can easily click on these or take the bait of an impersonator. Organisations will need to enhance their cyber-security awareness training if they are to protect their employees and systems from avoidable threats. According to the Mimecast Report of 2020, employees are five times less likely to click on dangerous links. So investments in effective and regular awareness training can be hugely beneficial to an organisation’s overall security posture. Businesses should embrace the necessary safeguards, together with other measures to mitigate and lessen the risk of cyber-attacks, in protecting data. Protecting workplace laptops with a valid anti-virus like Endpoint Detection and Response (EDR) increases your visibility and, in turn, allows for a faster and more efficient response in the case of an attack. After getting all IT control measures in place, it is advisable to ensure that you research on purchasing malicious actors like BEC scams, phishing, vishing and smishing especially for small underequipped businesses.
Another avenue that is rather overlooked or underestimated, because of the assumption that it will be expensive, is insurance cover. Having cover for cyber, privacy and reputational risks and liabilities has now become just as vital as insuring against fire or theft. Business owners need to start viewing these types of policies as standard requirements for any venture. Cyberattacks are, after all, just another form of theft. iWeb adds that SMEs should make sure that they outsource or look into acquiring insurance tailored for their business.
Having a cyber-liability insurance policy that covers first- and third-party liability is vital because its cost will always be far less than the cost of shutting down a business in the wake of a cyber-attack. It is evident that the threat of cyber-crime is not going away anytime soon, and the cost of a breach can be crippling to a small business.
WHAT CAN INSURANCE COMPANIES DO?
Insurers need to start marketing and advertising to show SMEs the need for this cover, as they are more at risk now that everything is digital. Most SMEs are of the opinion that cyber insurance is expensive, hence they do not pursue it. This, coupled with the idea that “It won’t happen to me,” is the reason why SMEs are not looking for cyber insurance. Insurance companies can then take this gap as an opportunity to educate small companies on the importance of cyber insurance as well.
Given that cybercrime is an increasing problem and arguably a threat that will endure into the future, the insurability of cyber risks needs to be emphasised. Businesses need to prioritise this, because a business that overlooks this need acts at its own peril. For instance, an FSP will be exposed to incurring various liability costs as well as regulatory fines and penalties due to data breaches. Most important would be the reality of having to recover financially from reputational harm.