By: Claude Hamman, Head of Specialist Risk Advisory at Indwe
The digitisation of the workplace has accelerated at an extraordinary pace over the last 6 months as businesses have scrambled to ensure the continuity of operations.
One IT leader recently commented that change has never been accepted so willingly by employees as in the past few months. Traditionally, changing systems and operating procedures could be a laborious process, but the onset of work-from-home strategies resulted in an almost immediate adoption of change as people were forced to incorporate technology to communicate effectively. This ability to communicate in turn enables remote operational activities such as finance, administration, production and sales, ensuring that products and services continue to be provided to customers at a steady rate.
The amount of information being shared digitally has grown exponentially, and the risk of losing this information through criminal threat or failure of systems has matched this growth as our reliance on technology increases. Employees are starting to show signs of burnout due to video-conference fatigue as a result of non-stop digital meetings, which have effectively taken over our lives to the point where the line between work life and home life is almost unrecognisable. It is important to step back as a leader to evaluate some of the risks and ensure effective mitigation is put in place to protect against the evolving digital risk landscape.
Firstly, consider one of the primary concerns when dealing with a cyber security breach, namely the impact on the reputation of the company. Any loss of information relating to customers or employees is a serious concern, and the wider loss of trust can cause irreparable harm to an organisation if not managed effectively. The General Data Protection Regulation (GDPR) continues to drive data protection standards globally, and in South Africa the Protection of Personal Information Act (POPIA) is no different: organisations are required to protect the privacy of their customers and ensure that personal information is adequately safeguarded.
There are strict protocols required to ensure that data is properly accessed, stored, processed and eventually destroyed. Companies can be held liable for damages and fined by regulatory authorities in the event of a loss of information caused by negligence, or as a result of inadequate security that allows a third party to access information unlawfully (hacking). Consider using scenarios to identify weaknesses and ensure that effective cyber security is adequately maintained across all systems. An effective disaster recovery plan must also be tested regularly, alongside third-party penetration testing.
A global technology company was recently held to ransom when all of its systems were “locked” by an unauthorised third party who gained access to those systems and effectively shut down its entire operation. The hackers demanded that a ransom be paid for the company to regain control of its systems and continue operating. Executive leadership was forced to choose between paying the ransom and facing the permanent loss of its core systems and data. In the end, the ransom was paid, but at great financial and reputational cost to the company. Any unauthorised access can result in the destruction of data or the distribution of personal information, either into the public domain or for sale to digital criminals for use in future cyber-attacks and social engineering schemes.
In a world where we have fewer face-to-face interactions, it becomes easier for con artists to use social engineering and digital manipulation to convince us to accept their version of reality.
The checks and balances involved in a traditional payment approval process, for example, become distorted amid so much change, and employees can be caught unaware, resulting in significant financial loss and/or loss of intellectual property. Fake requests for changes to banking details, or payment instructions for fictitious suppliers, seemingly originating from the CEO (or a similar senior executive), are a common modus operandi. Fraudulent instructions sent via email are often accepted without additional verification and validation.
An employee at a financial services company was asked to attend a prestigious online conference with international guest speakers and a remarkable line-up of specialists who were going to share their knowledge and experiences. The payment was promptly made to secure a seat at the event, only for it to be delayed due to “technical problems”. After the second “postponement”, they made some calls, only to find out that the conference had in fact taken place 7 months earlier and that none of the speakers were scheduled for a follow-up performance. These are hard lessons to learn that could be prevented with some basic verification protocols prior to the payment being released.
A risk that should not be underestimated is the impact of social media. The use of real or fake news to drive an agenda can compromise a business or its leadership team. A local retailer experienced the impact of social media when people were outraged by one of its advertisements, resulting in the closure of several hundred stores and reputational damage as protesters started looting stores. One social media post can go viral in minutes, destroying a hard-earned reputation. Companies should educate their employees on the risks of social media and seek protection from exposure in a digital world where opinions are often treated as facts. Everything you type or photograph can potentially be shared and viewed by millions; our actions and words can be stored digitally and form part of our digital footprint, so it is up to us to act responsibly in the way we approach social media.
Insurance contracts can offer partial protection to individuals and companies faced with these risks. Unfortunately, not all cyber related risks can be covered by insurance and the cost of cyber insurance continues to rise. Deductibles are increasing, and capacity may reduce as the frequency and severity of cyber related incidents continue to rise globally and more so in South Africa. Organisations are advised to focus on prevention through cyber security improvements and training rather than relying purely on the safety net of insurance.
Insurance will not protect you against the loss of trust and the resulting fallout with customers and suppliers. Reputational cover, however, is available to support the company with crisis management and public relations, additional advertising costs to recover market share, and net profit losses following a reputational event. Decision makers will need to evaluate these risks carefully and decide on the most effective way to address their unique exposures.
Contact your Indwe Risk Advisor for more information on risk management and insurance advice for cyber and reputational risks.
About the author:
Claude Hamman is the Head of Specialist Risk Advisory at Indwe. He is a certified Risk Management Professional (IRMSA), a member of the Insurance Institute of South Africa and an affiliate of the Business Continuity Institute (BCI).