SA businesses underprepared for cyber crime

By Staff Writer, ITWeb
Johannesburg, 05 Oct 2012

As the frequency and voracity of cyber attacks increase worldwide, it is estimated that over 70% of South African businesses are significantly unprepared for cyber liability risks.

Local businesses are also woefully underinsured when it comes to managing the financial and legal implications that follow a major cyber breach. Business leaders need to adopt a more serious attitude towards managing their cyber breach risks, and it should be a priority at executive level, as opposed to an IT issue.

This is the view of Jenny Jooste, account executive for professional risks at Aon South Africa. In the wake of high-profile cyber attacks against a number of large organisations, there is an increased need for business leaders to understand the level of network threats, the consequences of those risks, and the availability of cyber insurance policies.

Legislatively, the Protection of Private Information Bill (POPI), which has just been passed by parliament and will be signed into South African law within months, will also make onerous demands on how a client's personal data is managed, stored and used by a business.

The growing use of cloud computing also brings with it its own set of security challenges. According to Deloitte, people refer to cloud computing without a clear knowledge of what it actually is.

The reality is that most companies have no idea where their information is stored, Aon believes. Organisations need to be mindful of the fact that, despite depositing their data in a public cloud, they do not transfer their risk.

If any information is compromised, the liability remains with the organisation. While it may have some recourse against the cloud provider, that is cold comfort if its reputation is negatively affected, according to Aon.

"If a company database containing personal information is compromised by a virus or hacking attack, the extent of the damage can be massive. If a client can verify that they have suffered a loss due to the data breach, they may hold the company responsible for the loss," said Jooste.

"Cyber crime costs global economies an estimated $100 billion a year. These attacks, coupled with the liability claims they might encounter, can leave local businesses in ruins if they are not properly insured against cyber crime," warned Jooste.

Reports show that hackers earned $12.5 billion in 2011, mainly by spamming, phishing and online fraud. Hackers targeted major companies including Sony, RSA Security and Citigroup, but also governmental Web sites and smaller firms.

Many of these attacks could have been prevented, and the businesses in question did not just lose money, but also their clients, and their reputation and market share plummeted, says Aon.

The risk in SA is no different to that in the rest of the world. However, it seems businesses do not seriously consider cyber and data breach risks, despite the fact that SA is fast becoming a leading target for cyber criminals. There is a tendency within the South African environment to leave regulatory and security matters until late in the game, according to Aon.

"Phishing volumes have increased in South Africa, making the country one of the leading targets of cyber criminals in 2011. Recent statistics have revealed that South Africa is the third most attacked country globally, with 7.5% of attack volumes," says Jooste.

Local companies could soon also be forced to comply with US Securities and Exchange Commission requirements. "It is mandatory for companies situated in the United States to notify an entire database of a security breach, which can be very costly. This could very soon become mandatory for South African businesses that encounter a cyber attack."

Aon is of the view that companies need to consider the security implications that their businesses are exposed to. Those that are most at risk are those that provide technology services, and those that are heavily reliant on technological systems to provide a service.

"Companies that outsource protection and that are reliant on technology should ensure they use reputable IT security providers that are indemnified. Businesses should ask themselves what kind of service they offer and what the business entails.

"If they provide IT services to companies that rely on technology, and inadvertently their systems infect the client's systems, the costs to both companies could have devastating effects. The biggest concern here, however, is the client who depends on a network to run their business."