SA enterprise unprepared for breaches
South African enterprises are slow to understand that security breaches could cost them literally hundreds of millions of rands, says cyber insurance specialist Natalie van de Coolwijk.
Van de Coolwijk, MD of Cygeist, says specialist cyber insurance companies are starting to spring up in SA as enterprises abroad begin feeling the impact of major breaches.
"Global risk reports are citing cyber as one of the top 10 risks companies should be considering, but in South Africa, specialist cyber insurance is a new concept to most," she says.
This may be because many enterprises do not know the real value of the data they manage, and find it difficult to predict the potential losses they could suffer in the event of a hack, denial of service attack or data being lost, she says.
She points to incidents abroad, such as the Target breach in the US last year, where there is talk that the company's entire $100 million cyber policy and $65 million directors and officers policy will be eroded. In another case, the Sony PlayStation Network hack resulted in losses of around $171 million.
"In South Africa, enterprises know cyber risks are serious, but they don't foresee the extent of the costs involved in managing an incident," says Van de Coolwijk.
She notes that these costs might include notifying customers, legal advice, IT specialists to investigate the extent of the breach and restore or recover data and systems, the work of forensic investigators, the cost of interruptions in business, and even an extensive public relations campaign to address reputational damage. "Once POPI comes into effect, it will be mandatory to notify customers in the event of a breach, and this will add to the costs," she says.
Van de Coolwijk points out that while large enterprises may seem to be key targets for attackers, smaller businesses have potentially more to lose in the event of an attack. "Small businesses may think they are less of a target due to their size, but they are also less able to absorb the costs should they suffer an attack," she says.
"For example, an individual tax consultant who has access to detailed information about 100 customers could face crippling costs if that data should be breached or lost and each customer takes legal action against him or her as a result."
Van de Coolwijk says cyber insurance differs from traditional liability cover in that traditional policies tend to cover tangible assets and material damages. "It is difficult to put a value to information loss and reputational or consequential costs incurred as a result of having to manage a cyber crime incident. However, we find most enterprises locally look to cover of between R50 million and R100 million. Specific cyber insurance encourages a proactive approach, as opposed to a traditional liability policy, where the enterprise sits back and waits for a summons. In a cyber incident, if you do this you have left it way too late."
Where IT security spend has traditionally focused on prevention, with most companies spending as much as 80% of their security budget on preventative tools and only 15% on detection and around 5% on response, companies are now having to shift their priorities, says Van de Coolwijk.
Van de Coolwijk will discuss the cost of cyber crime at the upcoming ITWeb Security Summit. The event is southern Africa's premier information security event for IT and business professionals.