By Candice Sutherland (@Lady_Liabs) candices@itoo.co.za
Cyber-crime has surged fourfold in the last several years and has become one of the most pressing security concerns for companies. From credential theft to phishing and ransomware, attackers of every skill level have looked to cash in and have done very well for themselves. Companies of all sizes are exposed: cyber-crime is not purely a corporate problem, and we have seen many small companies affected.
Below we discuss the security concerns and data related to cyber-crime.
A breach is an incident in which sensitive, protected or confidential information is stolen, copied, transmitted or used by an unauthorised person. This data could belong to the company itself (intellectual property) or to third parties such as clients, suppliers, contractors or employees.
Cyber-crime is the 4th most reported crime in South Africa and our phishing rate is the highest in the world. We also have the highest global probability of a repeat data breach.
The Ponemon/IBM Cost of a Data Breach Report 2021 found that business email compromise was responsible for only 4% of breaches but had the highest average total cost of any initial attack vector. The second costliest vector was phishing, followed by malicious insiders, social engineering and compromised credentials.
The report further showed the following alarming statistics:
- Average cost per lost or stolen record: R2 412
- Average total cost of a data breach: R48 million
- An average of 287 days to identify and contain a breach (212 days to identify it, then a further 75 days to contain it)
- Healthcare had the highest industry cost per breach for the 11th consecutive year
Attacks such as ransomware are indiscriminate and can affect any company in any industry. Smaller companies are often targeted, particularly if they have a less "sophisticated" IT infrastructure, and they can be severely impacted by a breach because they have to absorb the incident response costs themselves. With many recent breaches reaching the news headlines, attackers also use the publicity to boost their reputation.
Cybercrime is not an IT issue; it is a people problem, and your employees are your biggest risk. 63% of network intrusions were the result of weak usernames and passwords, and phishing remains a highly effective form of attack, accounting for 71% of intercepted attacks. Where traditional infection vectors fail, attackers also infiltrate organisations through compromised or trojanised software updates.
Any entity that makes use of an IT system or stores employee and/or client data has a cybercrime exposure. The following factors should be considered:
- How dependent are you on your systems?
- How much sensitive data do you collect, store or process?
- How long would it take you to recover operations?
- What would your business interruption expenses be?
- How complex is your specific environment, and how prepared are you for a cyber incident?
- What is your company's market presence (public relations costs, crisis communication requirements and legislative notification obligations)?
The Protection of Personal Information Act (PoPIA) was designed to protect our constitutional right to privacy. Under the Act, a responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate and reasonable measures to prevent loss, damage, or unlawful access to such personal information. The risks of non-compliance include reputational damage, fines and imprisonment, and paying damages to data subjects.
Under section 99(1), which came into effect on 1 July, a responsible party may be held civilly liable for a breach of the Act, including one caused by the conduct of its employees, whether or not there was any wilful or negligent conduct on the part of the responsible party itself.
A typical cyber insurance policy covers the following costs; in the absence of such a policy, these costs would have to come straight out of your bottom line:
- Business interruption losses and increased cost of working;
- Costs to obtain professional (legal, public relations and IT forensic) advice, including assistance in managing the incident, co-ordinating response activities, making representation to regulatory bodies and coordination with law enforcement;
- The costs to perform incident triage and forensic investigations, including IT experts to confirm and determine the cause of the incident, the extent of the damage including the nature and volume of data compromised, how to contain, mitigate and repair the damage, and guidance on measures to prevent reoccurrence;
- Costs to restore, recollect or replace data that has been lost, stolen or corrupted;
- Crisis communications and public relations costs to manage the reputational damage, including spokesperson training and social media monitoring;
- Communication costs to notify affected parties as well as remediation services such as credit and identity theft monitoring to protect affected parties from suffering further damages;
- Cyber extortion costs to investigate and mitigate a cyber-extortion threat and where required pay the ransom demand; and
- Fines and penalties to the extent insurable by law.
When a third party or client is affected by the breach (whether a network security breach or a privacy breach), the policy provides cover for the defence and settlement of liability claims arising from:
- Compromised sensitive or personal information, extending to physical hard-copy information; and
- A system security incident affecting your own systems and data, or causing harm to third-party systems and data.
By way of example, these are typical costs incurred following an incident:
A hacker gains access to a network and steals customers' personal data. Costs incurred:
- Forensic investigation costs to confirm the nature and extent of data stolen
- Notification and credit monitoring expenses for affected parties
- Defense and settlement of ensuing liability claims
Customer designs are compromised after an employee opens an email attachment containing malware. Costs incurred:
- Specialist costs to contain and remove the malware and recover data
- Increased costs of working (e.g. overtime)
- Lost revenue as a result of downtime
A third-party service provider’s employee steals sensitive and personal data and makes an extortion demand not to publish the data online. Costs incurred:
- Forensic investigations
- Specialist costs to investigate and mitigate the cyber extortion threat
- Where mitigation is not possible the cost to terminate the extortion threat
60% of small and medium enterprises were forced to close within six months of being hacked. Failing to implement an appropriate cyber risk management strategy could constitute a breach of directors' fiduciary duties. Driving awareness and creating a cyber readiness programme that includes cyber insurance should therefore be top of mind for any company, and especially for its Board of Directors, since directors are the individuals named as defendants in costly and intrusive litigation.
Please speak to your Insurance Broker about obtaining quotes from ITOO Special Risks
ITOO is a special risks Underwriting Management Agency (UMA) focused on liability, special and emerging risks underwritten on the Hollard Insurance license. www.itoo.co.za