The latest news of the hacking group/individual Lizard Squad, which has taken down multiple online gaming sites, such as Sony PlayStation Network, and, through a bomb threat tweet, also grounded the American Airlines flight on which the Sony Online Entertainment President was travelling, is yet another example of the power of cybercrime.
The month of August alone has seen two of the most significant cases of cybercrime, including the world’s largest cybercrime hack to date, whereby a Russian crime ring hacked over 1,2 billion usernames and passwords, as well as 500 million email addresses. Following this, the names, Social Security numbers, physical addresses, birthdays and telephone numbers of 4.5 million patients were stolen from US-based Community Health Systems on 18 August, compromising the privacy of the patients and putting them at great risk of identity fraud.
With the frequency and severity of data security breaches increasing, it is imperative that all businesses identify ways to mitigate this threat and protect themselves against the financial damage and reputational harm, says Candice Sutherland, Cyber Liability Specialist at Stalker Hutchison Admiral (SHA) – the largest niche underwriting management agency (UMA) in Southern Africa. “Businesses can ensure they are financially covered against the reputational damage and costs associated with cybercrime attacks and data breaches.”
These cases of cyber hacks demonstrate that no company is immune to having its customers’ personal details hacked, and that every company must have appropriate cover in place to pay for restoring or replacing data, loss of business income, notification expenses, as well as legal costs brought against the company in the event of such a breach, says Sutherland.
She notes that recent research conducted by Ponemon Institute and IBM revealed the average total cost of a data breach to a company increased by 15% from $3,1 million last year to $3,5 million in 2014, adding that locally the current cost of cybercrime in South Africa is estimated at R3,42 billion according to Symantec’s 2013 Norton report.
South Africa is rated third in the world in terms of computer virus and malware crimes with 84% of adults having fallen victim to cybercrime, says Sutherland. “Furthermore, it takes on average 200 days for an organisation to identify a breach – local businesses can accumulate major financial losses in this period.”
Sutherland says that when it comes to cybercrime, South African businesses face a number of risks, including: system unavailability and downtime; having to start from scratch by rebuilding the entire website; business being held to ransom; loss of revenue; loss of data; reputational damage and costs associated with looking to reduce the impact of a breach; loss of competitive advantage; industry and regulatory fines and penalties (e.g. Protection of Personal Information Bill); and litigation arising from compromised data. “As a result, it is imperative that all businesses have protection against the financial costs to rectify these events should they occur.”
She explains that effective cyber liability insurance covers the following costs in the event of a cybercrime attack:
· First Party Expenses, including: the actual costs to restore, re-collect or replace data; expenses of specialists, investigators, forensic auditors or loss adjusters; costs for the use of rented, leased or hired external equipment, services, labour, premises; or additional operating costs, including staff overtime.
· Loss of Business Income such as the net income that would have been earned had the breach not occurred.
· Notification Expenses, for example, the expenses incurred to comply with privacy legislation such as the legal costs as well as the communication expenses including email, call centres, website and customer support expenses.
· Crisis Management Expenses, including the services of a public relations consultant, related advertising or communication expenses.
· Associated regulatory fines and penalties to the extent insurable by law.
“In light of the increasing risk of cybercrime facing local businesses, it is imperative that businesses take the necessary precautionary measures to best mitigate the risk of falling victim.” Sutherland provides the following steps as precautionary measures South African businesses should take to protect against cybercrime:
· Ensure all devices on company networks have adequate security protection;
· Be aggressive in updating and patching security protection;
· Enforce an effective password policy (8-10 characters);
· Ensure regular backups are conducted;
· Restrict email attachments;
· Update antivirus regularly;
· Beware of email scams – if it’s too good to be true, it’s too good to be true;
· Guard the company’s and employees’ personal data;
· Ensure adequate security for wi-fi hotspots/dropbox/cloud; and
· Safeguard the business with a cyber insurance policy.
“It is vital that all businesses have comprehensive liability cover in place to cover the financial costs of recovering from a cybercrime event, otherwise they could face hefty financial repercussions or, in the worst-case scenario, even liquidation,” concludes Sutherland.