Cybersecurity Awareness Month: small businesses must prioritise protection as cyberattacks surge


As cyberattacks continue to surge, increasingly targeting small businesses, the need for robust cybersecurity risk management has never been more critical.

This October, marking International Cybersecurity Awareness Month, serves as a timely reminder that businesses can adopt simple yet effective measures to safeguard their online presence and protect the sensitive personal data of employees and clients.

According to the World Economic Forum, cybercriminals often target smaller companies that serve larger clients. SMMEs that serve critical infrastructure providers and global corporations are particularly at risk, as are those with systems that integrate into regulated industries such as insurance, healthcare, banking, and credit monitoring.

George Parrott, a partner at King Price Insurance, notes that as SMMEs integrate into the global digital ecosystem, they encounter new risks and vulnerabilities.

“Any organisation that holds the personal information of clients or employees – which by default includes every single organisation – or which has access to systems operated by external parties must start prioritising cybersecurity. A failure in this regard threatens the organisations as well as the wider ecosystems that they operate in,” Parrott said.

Data breaches outrank climate change risk

Mimecast’s 2023 State of Email Security report identifies data breaches as a bigger risk than climate change, with South Africa ranking sixth on the list of countries most affected by cybercrime.

Interpol’s African Cyberthreat Assessment Report 2022 disclosed that 230 million cyber threats were detected in South Africa, of which 219 million, or 95.21%, were email-based attacks. And businesses – regardless of size – are alive to the threat.

The 2023 Santam Insurance Barometer Report showed a 12% increase in the number of commercial respondents who cited cybercrime within their top five risks.

Makolo Kalambaie, business head: Financial Lines and Cyber at Santam, said cyber-security risk management is a critical skill to acquire for both employees and business leaders.

“The digital age makes us more vulnerable to risks online despite the convenience it offers. Employees have a critical role to play in securing your business’s world,” he said.

What cybercriminals target

With these statistics in mind, Kalambaie shared information on the types of things cybercriminals are looking for, what a breach can mean for your business and ways to improve your cyber security.

Top data targets often include intellectual property and databases of personal information about employees, partners, suppliers, and clients that can be used for identity theft and fraud. Credential theft is a common and potentially devastating tactic used by cybercriminals. Other types of threats are:

  • Attempts to “rent out” computer resources, or extortion, where data is held to ransom.
  • Blackmailing businesses with Distributed Denial-of-Service (DDoS) attacks or threats of DDoS attacks. A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
  • Wi-fi vulnerabilities: As you look for free wi-fi networks, you may unknowingly connect to a shadow network – a system that is intended to look like any other public network except that it is monitored by a cyber predator. Tip: set your device not to connect automatically to available networks.

Why invest in cyber insurance

The WEF’s Global Cybersecurity Outlook Report 2024 states that more than 30% of organisations that are breached report a reduced inability to deal with attacks. Parrott said this supports the argument in favour of partnering with IT security professionals to help prevent breaches, as well as with insurers that offer protection and support in the wake of breaches.

He said that for smaller companies, the implementation of robust cybersecurity measures and insuring against the effects of a breach are often constrained by budget. However, Parrott said these costs must be factored into monthly operational expenses.

He lists seven reasons SMMEs need to invest in cybersecurity and insurance:

  • The actual cost of a breach. Although IBM reports that the hard costs related to data breaches increased during and after the pandemic, it is often difficult to define the real cost of a security breach, which includes intangibles such as loss of trust, reputation, and loyal customers.
  • Remote and hybrid work. IBM notes that, in 2021, the remote and hybrid work set-ups necessitated by Covid-19, which have since become the new normal, contributed to the highest average cost of cyber incidents in 17 years: $4.24 million. This is a 15% increase from three years prior. In addition, breaches cost $1m more when remote work was a factor, compared to companies that retained full in-house capabilities. These figures represent global statistics but, if you apply the current rand/dollar exchange rate, it becomes apparent that these numbers need to be taken seriously.
  • More mobile devices. There are now billions of connected devices, and each presents an opportunity for cybercriminals. Every new Bluetooth speaker and smart appliance, for example, represents a potential entry point for a cyberattack.
  • Increasing uptake of apps and AI tools. Time-savers such as PDF and image conversion apps are handy, but if they are not officially sanctioned, they are known as “shadow IT” because they could be doorways for cybercriminals to enter uninvited.
  • Cybercrime consortiums. Modern hackers have forums, networks and tools, and they work together to find technical vulnerabilities.
  • Time taken to detect. On average, it takes nearly 287 days to detect and contain a data breach. A solid cybersecurity and insurance strategy can reduce this time, helping businesses to bounce back faster.
  • When a company’s customers know that the security of their data is prioritised, it helps to build trust – an important pillar for ongoing relationships.

Impact of a cybercrime incident on a business

A cyberattack can immediately disrupt business operations, as Kalambaie points out, noting that “you can’t run a business if you can’t use your computers or access important data”. Beyond this, the long-term reputational damage could be severe. One of the key benefits of cyber insurance, he said, is that it enables businesses to recover from interruptions and financial losses caused by cybercrime.

Cyber insurance also provides practical support, such as access to IT experts to restore systems, recreate data, and anticipate future threats. Depending on the extent of the damage, businesses may also face liability and potential litigation.

Kalambaie emphasises the importance of having four key security measures in place to safeguard sensitive information, and of ensuring that employees are aware of and practise these measures:

  • Create your security policy. Keep an eye out for news reports on the most common cyber threats. Educate employees on the dangers of cybercrime and constantly refresh their memories about the most important things they can do to protect your business – they are the first line of defence in a cyber-attack.
  • Passwords: A strong password is at least 10 characters long and includes symbols (%, @, *) and numbers. You can use LastPass – a password manager that acts like a vault for all your account and password information – or use a password generator.
  • Be careful with software installations. Be strict about what can be installed on company computers without authorisation to increase your computer security. Be sure to install a firewall and anti-virus software and block access to restricted sites with internet filters.
  • Keep operating systems, software and browsers updated. These updates, called “patches”, exist to fix vulnerabilities in software that can be exploited by hackers or malware.