Sizwe Cakwebe, Cyber Risk Manager at SHA Risk Specialists
The scourge of cybercrime has risen exponentially over the past decade, and if the last few years have taught us anything, it is that no business – big or small – is safe from attack. The rapid increase in online spending and the work-from-home environment have exposed many weaknesses for cyber criminals to exploit.
There has been a significant uptick in ransomware attacks over the past 12 to 18 months, with 24% of South African companies falling victim to these attacks (Statista.com). In SHA’s 2020 Annual Risk Review, it was reported that 19% of respondents suffered some form of ransomware attack; on average, each ransom was for around R50 000. Most of the respondents in this survey were SMEs, hence the relatively low ransom amounts. Anybody who follows the news will have seen the ransom demands for millions of rands in multiple recent high-profile cases.
Cakwebe highlights a new trend that has emerged in the cyber-risk landscape and that could help focus risk management within companies. Over the past 12 to 18 months, we have noted a significant spike in the number of queries regarding a particular type of cyber-attack that results in the change of a supplier’s, contractor’s or vendor’s banking details and a subsequent payment to an incorrect bank account. Generally, this starts off as a phishing attack (targeted at a company secretary or a specific admin person) with the more sinister intention of compromising a high-ranking executive’s business email account.
This trend clearly demonstrates one of the biggest weaknesses inherent in most companies’ cyber security strategies. The human element has always been the flaw within a computer system or its cyber security controls. Cyber security control mechanisms will always do what they are configured to do; it is misconfiguration by humans, or the circumvention of secure processes, that brings about vulnerabilities. Humans are fallible, and the systems, processes and applications we develop often encompass those same weaknesses.
There are two solutions that can address these vulnerabilities:
- Professional services companies should purchase a Professional Indemnity (PI) policy to protect themselves against potential liability suits in the event that they “misconfigure a firewall” which results in a subsequent hack.
- Educate employees and contractors on cyber security and their role in protecting the organisation’s physical and information assets.
The rapidly escalating ransomware risk is a major concern for the industry. Once again, this is a risk that is affected by the human element. It encompasses elements of data exfiltration and data encryption, and how those play out within the market. A key challenge concerning ransomware attacks is the accumulation of risk exposure that insurers face. Firstly, a single ransomware attack can trigger multiple areas of a single policy. Secondly, the widespread nature of attacks means that large groups of businesses can be affected simultaneously, which can create an accumulation of losses.
This has resulted in a number of insurers withdrawing from providing ransomware cover within their cyber policies. We see this market trend worsening, potentially resulting in this element of cover becoming obsolete in the near future.
For businesses to adapt to the changing risk landscape, it is essential that better technological solutions are adopted. When you consider the advancements in artificial intelligence (AI), robotics and the Internet of Things (IoT) brought about by the fourth industrial revolution, it is clear that the business risk landscape is constantly teetering on the precipice of major change. As digital transformation gains momentum and companies move more systems and applications into the cloud, one sees an exponential increase in cyber risk.
Companies must start getting the basics of cyber security right to protect themselves against this critical business risk. This includes doing regular backups, performing regular security patching, encrypting data, running anti-virus software, using firewalls, ensuring proper passwords are used, and developing systems and applications with security in mind.
Adequately managing a company’s cyber risks requires close interaction between risk managers, underwriters, insurers, brokers and business owners. Risk management services play an integral role in cyber insurance. Historically, one sought cyber insurance to protect a business against cybercrime, whereas we now see a paradigm shift towards a more preventative approach. Packaging a cyber insurance offering together with risk management services results in a better risk and a well-informed client. A collaborative approach is needed to drive cyber awareness and to channel the correct cyber security behaviour.