By Dr. Eugene Wessels, chief technology officer at King Price Insurance
One of the biggest cyber risks we’re facing in 2023 isn’t employees logging onto public Wi-Fi, or leaving their passwords stuck to their screen on a post-it note. It’s not even the fact that the world of business has shifted online and into the cloud. Right now, what’s keeping CIOs up at night is how to defend against AI-driven cyber-attacks, which are increasingly sophisticated and have fundamentally changed the game.
There’s no doubt that AI is opening up entire new worlds of efficiency, productivity and creativity for businesses across all sectors. Generative AI tools are automating manual processes, improving customer services through micro-personalisation, and in some cases, reducing security risks like money laundering and fraud.
The problem is, of course, that AI isn’t only available to the good guys. We’re increasingly seeing criminals manipulating AI for use in ever-smarter cyber-attacks. They’re using techniques like data poisoning, where fraudsters manipulate the data used to train the company’s AI to sabotage the company. With adversarial attacks, criminals manipulate an AI system’s input data to force the system to make incorrect decisions. Model theft and tampering involves copying the model, modifying it, or inserting malicious code and then redeploying it back into the company. Not to mention the security risks associated with voice impersonation attacks, where cybercriminals use deepfakes to compromise vulnerable individuals…
It’s a headache for all businesses – but financial services providers (FSPs) remain one of the most attractive targets for cybercriminals, simply because of the nature of their business and the type of information they hold.
Apart from the potential financial losses caused by a cyber-attack, the biggest threat for FSPs is their reputation. Clients trust them to protect their data, so a network security or data privacy breach doesn’t just have a massive impact on their clients; it can also cause serious and lasting damage to the business.
What lessons can we draw from recent cyberattacks?
The biggest lesson we can all take is that it’s not a question of ‘if’, but ‘when’. 2022 was a record year for data breaches, according to the Identity Theft Resource Center – but many companies still think it will never happen to them. Interpol estimates that nine out of every 10 African businesses are operating without the necessary cybersecurity protocols in place, putting themselves and their clients at risk of massive financial loss.
IBM’s 2022 Cost of a Data Breach Report shows South Africa has the highest global probability of a repeat breach: 83% of organisations experienced more than one breach in the last 12 months. The most common initial attack vectors are stolen or compromised credentials, phishing, cloud misconfigurations, and vulnerabilities in third-party software. We should focus our efforts on securing these risk areas first.
How can financial services businesses build cyber resilience?
Apart from the security basics, like having a firewall, having enterprise-level anti-virus software, and backing up data regularly, the biggest step companies can take is to create greater awareness among their employees. It’s no use spending millions on security solutions if you don’t educate your people. When it comes to cybersecurity, your people are the weakest link. Your best defence is to create an active cybersecurity culture that gets everyone in the business following basic security habits.
The important thing to realise is that effective security awareness training isn’t a once-off thing. To maintain awareness and change employees’ mindsets around cybersecurity, it’s better to deliver ongoing short training and awareness sessions that highlight the direct consequences of poor security. Keep it relevant, interesting and engaging. Use tactics like phishing tests to see who clicks on dodgy links. Cover a range of topics, including poor password hygiene, misuse of personal email, and the correct way to use cloud storage and other shadow IT services.
And then it’s a smart business decision to get cyber insurance. It can’t save your business from attacks but it’s an important way to protect you from the after-effects of a breach. Good cyber insurance, like King Price’s cyber sure, will cover expenses for data breaches, including hiring legal and forensic IT professionals to help you recover your data; damage to computer systems and data after a network attack; disruption that brings your business to a halt and results in loss of income; and any financial losses resulting from fraudulent inputs into insured computer systems.