Cyber incidents ranked as the 2nd biggest business risk internationally, according to the results of a recent survey conducted by Allianz Global Corporate & Specialty (AGCS) and based on insight from more than 2400 risk management experts in over 80 countries, including South Africa. They were surpassed only by business interruptions like supply chain disruption and service outage. Cyber incidents ranked above concerns like natural catastrophes, changes in legislation and regulations, and even fire and explosions. Over the past 5 years, cyber incidents have climbed the rankings, from 5th in 2015 to 3rd in 2016 and 2017 and 2nd in 2018. In short, investing in cyber security can directly impact a business's bottom line.
Cyber incidents such as privacy breaches, DDoS (Distributed Denial of Service) and ransomware encryption attacks can cause business interruptions, loss of reputation, liability claims (from other businesses and people) and extensive financial loss. According to AGCS, the average insured loss over the past 5 years from a cyber incident is now in excess of R33.6M ($2.3M). Claims of this nature revolve around mega data breaches, as in the recent cases of Marriott Hotels (380 million records), Uber (57 million records) and Facebook (50 million records). The cost of the Marriott breach was estimated to exceed R2.9bn ($200M) according to AIR Worldwide. As cyber criminals become more pervasive and threats evolve, the risks and costs to businesses are sure to increase. For small- to mid-sized businesses (SMEs), these incidents can be terminal.
This year we have seen cyber criminals turn away from large, well-funded organisations and target SMEs instead. The simple truth behind this change is that it’s just easier. By comparison, SMEs have fewer staff, lower-grade infrastructure (network hardware, workstations, servers, etc.), smaller budgets, limited or no IT departments and, in most cases, little cyber security expertise. Luckily, there are numerous cyber security offerings available to protect organisations against external as well as internal threats. These offerings can usually be customised to suit an organisation’s needs, since one size does not necessarily fit all.
These are some of the options available to protect any business:
- Endpoint security (Anti-malware) – scans files on access and protects against traditional virus and malware threats.
- Email Threat Scanning – scan emails before delivery.
- Patch Management – reduce the chances of a breach through a software vulnerability.
- Regular Backups – onsite & offsite backup for redundancy purposes.
- Vulnerability Scanning – scan for security weaknesses in IT infrastructure.
- Network Monitoring – real-time network activity monitoring.
- Staff Training – raise awareness and reduce chances of a social engineering attack.
- Managed Security as a Service (SECaaS) – external managed protection services by cyber security professionals.
- Managed Infrastructure as a Service (IaaS) – hosted infrastructure (servers, remote desktops, etc.).
- Software as a Service (SaaS) – MS Office 365, Maximizer, Dropbox, etc.
Most companies already have some of the above-mentioned solutions and services incorporated into their annual budgets and, with a small increase in funds, would be able to put a more comprehensive protection plan in place. Ideally, at least 5 of the above points should be met in order to have enough peace of mind. The cyber world is ever-evolving, and businesses should have the tools readily available to cope with the changing tides. Otherwise they risk being caught with outdated cyber security practices, being forced to pay a ransom or fine, and losing credibility with clients.