Press Office Feature: South African businesses unprepared for the growing risk of cyber attacks
Company: Aon South Africa
Posted: 19 Jun 2013
South Africa's own Star Newspaper was the victim of a cyber-attack when an organisation took down Independent Newspaper's Internet and e-mail service with a distributed denial of service (DDoS) attack.
Fortunately, none of their servers were breached, so no internal information was compromised, according to editor Makhudu Sefara.
According to Kerry Curtin, Principal Broker: Financial Institutions & Professional Risks at Aon South Africa, this should serve as a very serious wake-up call to business leaders to put every resource and effort into managing their cyber breach risks and it must be a priority in boardrooms, rather than left to IT departments to deal with in isolation.
"South Africa is not immune to this type of attack, in fact a lack of preparedness could make local businesses much easier targets and hence we could see an increase in the frequency and voracity of attacks taking place on local business."
"We are by no means immune to the type of spectacular cyber-attacks against large organisations such as Sony, Citibank, Lockheed Martin, the UK's National Health Service (NHS), the National International Monetary Fund (IMF), and the Hong Kong gold and silver investment and securities trading companies."
"It's essential that business leaders understand the level of network security threats, the consequences of those risks, and the availability of cyber insurance policies."
"Legislatively, the Protection of Private Information Bill (POPI), which has just been passed by parliament and will be signed into South African law within months, will also make onerous demands on how a client's personal data is managed, stored and used by a business," warns Kerry.
In fact cyber risk was identified as a seriously underrated risk by organisations surveyed in Aon's 2013 Global Risk Management Survey released little more than a month ago.
Looking at the overall risk ranking, there are several on the list that Aon believes might have been underrated, but could emerge as key risk concerns for organisations if not managed properly.
For example, computer crimes, hacking, viruses and malicious code are recognised as the number eight risk by respondents in North America, where hardly a week goes by without hearing news reports about data security breaches.
The barrage of media reports has heightened people's awareness and influenced companies' perception.
"However, this same risk is ranked lower by respondents in other regions - Asia Pacific (37), Europe (19), Latin America (35), and Middle East and Africa (19)."
"With the recent high-profile network breaches in South Korea and the cyber-attacks on the European Commission, the ranking of this risk is very likely to be re-evaluated."
"The legal exposure, reputational harm and business interruptions from cyber-attacks could wreak havoc on a company's bottom line. Social media, which is currently ranked number 40, is another underrated risk."
"Social media can serve as a valuable marketing and communication tool in this digitally connected world but can also turn into a nightmare, rather quickly, damaging a company's reputation in as fast as a tweet," warns Kerry.
"The growing use of cloud computing also brings with it its own set of security challenges. The reality is that most companies have no idea where their information is stored."
"They know that they outsource to a company but where that company sends information, they have no idea."
"Organisations need to remember that while they may be depositing their data in a public cloud, they do not transfer their risk."
"If any information is compromised the liability remains with the organisation and while they may have some recourse against the cloud provider, it's cold comfort if their reputation gets blown."
"If a company database containing personal information is compromised by a virus or hacking attack, the extent of the damage can be massive."
"If a client can verify that they have suffered a loss due to the data breach, they may hold the company responsible for the loss."
"In this regard class action is also very likely - Sony for example faced 58 class actions after breaching millions of customer accounts," says Kerry.
Sony's is by far the most publicised and recent security attack. After its PlayStation Network was shut down by LulzSec, Sony reportedly lost almost $171 million.
The hack affected 77 million accounts and is still considered the worst gaming community data breach ever.
Attackers stole valuable personal client information - names, logins, passwords, e-mails, home addresses, purchase history and credit card numbers.
Now for the really bad news - Sony's losses were not insured.
"Cybercrime costs global economies an estimated $100 billion a year."
"These attacks, coupled with the liability claims that they might encounter, can leave local businesses in ruins if they are not properly insured against cybercrime," warns Kerry.
Reports show that hackers earned $12.5 billion in 2011, mainly by spamming, phishing, and online fraud.
Hackers targeted major companies including Sony, RSA Security, and Citigroup, but also governmental websites and smaller firms.
Many of these attacks could have been prevented, and the businesses in question did not just lose money: their clients, reputation and market share went down the tubes with their data.
Millions of people are affected by security breaches worldwide, and litigation in this regard is stepping into high gear.
The South African risks are no different; however, it seems that businesses are more laissez-faire in their handling of their cyber and data breach risks, despite the fact that South Africa is fast becoming a leading target for cyber criminals.
There is a tendency within the South African environment to leave regulatory and security compliance until late in the game.
"Phishing volumes have increased in South Africa, making the country one of the leading targets of cyber criminals in 2011."
"Recent statistics have revealed that South Africa is the third most attacked country globally, with 7.5% of attack volumes."
Local companies could soon also be forced to comply with US Securities and Exchange Commission requirements.
"It is mandatory for companies situated in the United States to notify an entire database of a security breach, which can be very costly."
"This could very soon become mandatory for South African businesses who encounter a cyber-attack."
"This in turn is expected to drive demand for insurance products to protect businesses exposed to a virus or hacking attacks as cyber and IT risks become more aggressive, and very public knowledge."
She also says that while liability policies generally only respond to third party claims, certain cyber liability policies will also provide first party cover - in other words cover for the costs incurred by the policy holder to rectify and recover from the breach.
Companies need to consider the security implications that their businesses are exposed to.
Those that are most at risk are those who provide technology services, and those who are heavily reliant on technological systems to provide a service.
"Companies who outsource protection and who are reliant on technology should ensure that they use reputable IT security providers who are indemnified."
"Businesses should ask themselves what kind of service they offer and what the business entails."
"For example, if they provide IT services to companies that rely on technology, and inadvertently their systems infect the client's systems, the costs to both companies could have devastating effects."
"The biggest concern here, however, is the client who depends on a network to run their business."
Over and above investigating insurance options, local businesses should ensure that firewalls, IT security and virus protection measures are properly in place and regular tests are run to gauge effectiveness.
"There is no one size fits all approach to cyber insurance. It all depends on the size of the company, nature of its business and its unique levels of exposure."
"In this regard, consulting with a professional risk advisor is an invaluable exercise in protecting your reputation, data, clients and income," concludes Kerry.