Man the barricades – and check your staff.
Laurie Pieters-James
Forensic Criminologist/Specialist Offender Profiler | Top 50 Women-Cyber Security-Africa WICA-Top3 Cyber Influencer Public Speaker
The risk of a cyber attack is ever increasing, and it seems more business leaders are alive to the threat.
Some feedback from the talk I gave at the Risk Frontiers Commercial Risk Africa Conference, taken from their conference report. Unknown who wrote the report.
Cyber risk does not just come from external threats but from within, delegates at the recent Risk Frontiers Southern Africa seminar were warned.
The internal threats are often ignored at the company’s peril, they heard. Laurie Pieters-James, director, criminologist, forensic profiler, at the Cyber Risk Institute, stressed that firms need to take an equally strong approach to both internal and external threats.
Running regular checks on staff is essential, she said, in maintaining cyber security. Equally, staff training is crucial.
Too often, she said, she visits firms only to find that staff who left months before still have access to the office. Not only do their keycards give them access to the building but, often, to the office IT system too.
Staff will routinely leave their computers open while they take their lunch break – with senior managers often among the worst offenders. They will share USBs or click on suspicious emails without thinking first.
Risk managers need to be alive to these simple risks and encourage good IT security habits from top to bottom of their organisation. She believes the insurance industry has a role to play in incentivising businesses to improve cyber security through premium pricing, but said firms must wake up to the risks they face.
MAJOR THREAT
With cyber risks recognised as the fastest-growing threat to business in Commercial Risk Africa’s Risk Frontiers Africa 2017 survey, it was no surprise that the subject of cybercrime cropped up throughout the day at the Botswana seminar.
Delegates agreed that every single aspect of life is now touched by cyber activity – both personally and in the workplace. However, they also acknowledged that the understanding of the risks posed to both businesses and individuals continues to be poor, putting business at serious risk.
Puso Motidi, of Multichoice South Africa, summed it up: “There is more to be done in terms of levels of preparedness. It is not just about attacks like WannaCry and denial of service but also about loss of information.”
Delegates agreed that risk managers and IT managers need to communicate better and ensure risk managers properly understand the risk, while IT managers need to understand the wider concerns of the business and the need for proper controls.
Ms Pieters-James said: “In the past few years there has been rapid expansion in the development and adoption of new communications technologies which continue to transform government, business and the ways in which we interact with each other. Cybercrime undermines confidence in our communications and online economy.”
According to KPMG, there were an estimated 5.1 million incidences of fraud and 2.5 million incidences falling under the Computer Misuse Act in 2014. “Add recent high-profile hacking cases and ransomware and the issue of cyber security is now more important than ever,” she said.
Unfortunately, around the room there was a feeling that hackers, hacktivists and cybercriminals are aiming ever higher and that the problem is only likely to get worse.
As Ms Pieters-James said: “Cyber attackers revealed new levels of ambition in 2016, a year marked by extraordinary attacks, including multimillion-dollar bank heists, covert attempts to disrupt the US electoral process by state-sponsored groups and some of the biggest distributed denial of service [attacks] powered by a botnet [and] internet of things devices.”
However, she said while this seems incredibly scary, risk managers should not lose sight of the basics. “While cyber attackers managed to cause unprecedented levels of disruption, attackers frequently used very simple tools and tactics to make a big impact. Attackers are increasingly attempting to hide in plain sight.
“They rely on straightforward approaches such as legitimate network administration tools, spear-phishing emails and ‘living off the land’ by using whatever tools are on hand.”
ROLE OF INSURANCE
Insurers can play a role in helping offset the cost of cyber attacks and, according to insurers from Lloyd’s, Allianz and Hollard who were in the room, insurance products are changing rapidly to meet customer demands.
However, they collectively stressed that insurance is powerless without good, strong risk management. That, they said, starts with proper understanding of the risk. They are seeing improvement in this but agreed that risk managers, and their boards, still have some way to go.
As Ms Pieters-James pointed out: “Cyber security is cited as one of the top concerns by less than 25% of small businesses today. Yet it is fast becoming the only way to do business.”
“If the problem is not taken seriously, increasingly there will be repercussions for businesses, whether or not they suffer a breach.” For example, their customers may well lose confidence. Some 83% of consumers surveyed by KPMG are concerned about which services have access to their data, and 58% said a breach would discourage them from using business in the future.
Added to that, companies have to answer to their shareholders, who are less tolerant of a breach in which the company is revealed to have failed in basic security. “In a crisis mode, investors give the company the benefit of the doubt, thus easing short-term decrease in value,” said Ms Pieters-James, but they will not be so forgiving if it is revealed that the breach could have been prevented.
Then there is the question of business partners. According to Ms Pieters-James: “A recently published KPMG supply chain research supports findings that 94% of procurement managers say that cyber security standards are important when awarding a project to an SME supplier, and 86% would consider removing a supplier from their roster due to a breach.”
She warned: “Botswana’s small businesses value their reputation as one of their key assets. Yet they are hugely underestimating the likelihood of a cyber breach happening to them and its long-term impact.”
Quality of service is also a risk. Those surveyed who experienced a cyber breach found it caused customer delays (26%) and impacted on their business ability to operate (93%), according to the KPMG survey.
Ms Pieters-James stressed: “Protecting business data not only helps secure reputation, it puts businesses in a strong and competitive position to offer the service that customers now expect.
“Companies failing to adequately protect their data from cyber breaches don’t just put a few documents at risk. Losing valuable data can have a lasting and devastating impact on company finances, customer base, ability to grow and ultimately its reputation.”
The solution does not have to be overly costly or complicated, she explained. “Adequate cyber security does not need to be time consuming and complex. Businesses should follow these simple steps: use three random words to create a password; install security software on all devices; always download the latest software updates.”
She concluded: “Having measures in place to be cyber secure is fast becoming the only expected way to do business.”
MBA Candidate | Risk Management | Compliance | Data Privacy | Certified ISO 31000 Risk Professional
7 years ago: Thanks Laurie Pieters, just saw this... indeed a very interesting article
Forensic Criminologist/Specialist Offender Profiler | Top 50 Women-Cyber Security-Africa WICA-Top3 Cyber Influencer Public Speaker
7 years ago: If you follow the link https://www.africancyber.com/downloads.html you can download the full conference report. Lots of interesting articles
M.A Criminology Candidate - Associate Member ACFE, PSIRA | Forensic and Investigative Auditing | HSE
7 years ago: True Laurie, the same happened to me: not being cleared from the company's system, surprisingly receiving e-mails for promotions after I left the company for a year??
Forensic Criminologist/Specialist Offender Profiler | Top 50 Women-Cyber Security-Africa WICA-Top3 Cyber Influencer Public Speaker
7 years ago: Sadly the exit interviews are done by HR and often the exit protocols are not followed through by IT and people are left on the system. It's basic but has proved devastating.