South Africa has the third-highest number of cybercrime victims in the world, and loses an estimated R2.2-billion annually to cyber attacks – but local companies are still reluctant to insure themselves against this risk.
In an FAnews article published today on cybercrime in South Africa, the Fulcrum Group’s head of IT, Andre van Rooyen, is one of several experts canvassed on the issue.
“Many businesses are aware of cyber threats but sit with a mindset that they are too small to be targeted, compared to government institutions and large corporates. This is what will put businesses at risk of mass targeting attacks,” Van Rooyen is quoted as saying.
“Criminals have automated tools able to scan and locate hundreds and thousands of potential targets in under a few hours, and to determine their value. We need to overcome the safety delusion we have and understand our significance and value to these criminals. I believe that we need to change the mindset, not the technology. Once we get that right, we can focus on the aspects of technology, training, resources, etc.”
There have been several high-profile hacks on South African institutions in recent times, including on the Deeds Office, the South African arm of Hetzner and, most recently, Liberty. But these prominent attacks represent the tip of the iceberg.
According to the article, South Africans fell victim to 15-million ransomware attacks in 2017. Cybersecurity firm Trend Micro detected over 10 000 incidents of mobile malware and online banking malware last year; TrendLabs, Trend Micro’s research and development arm, has found that over 133-million incidents of malicious code were detected in South Africa.
Despite this alarming situation, the article continues, over 40% of South African companies do not have cyber risk procedures in place – nor are they ready to implement the Protection of Personal Information (POPI) Act.
It notes that demand for cyber insurance will likely increase, driven both by the cost of cybercrime attacks and by the introduction of legislation such as the POPI Act in South Africa and the General Data Protection Regulation (GDPR) in the European Union.
“Both the GDPR and POPI Act look at the integrity and confidentiality of data that requires a level of security, fitting to the risk characterised by the data and its use or need. The sensible thing would be to say yes, the demand for cyber security insurance will increase. This will ensure that businesses remain responsible for the data under their care/storage,” says Van Rooyen.
“However, the POPI Act and GDPR legislation will make businesses directly accountable, with hefty fines that should make us think twice. But true to our nature, we will need a court case before we wake up and understand the implications – a true test of the Act, sadly to say.”
He concludes: “Cyber insurance will evolve because cybercrime, like any other crime, is here to stay. We can, however, put measures in place to minimise the potential damage or financial impact due to loss. Like owning a car, it would be silly not to insure a business against these threats.
“We can create awareness, continuity plans and conduct disaster recovery tests to make our cyber footprint as small as possible, to reduce our attack surface.”