Cyber-crime attacks among smaller and medium-sized companies are on the increase

The views expressed in this article are not necessarily those of the FIA. The article below was supplied by 2018 FIA partner, CHUBB.

Cyber-crime is a real and present danger, and attacks are becoming increasingly common and more sophisticated, especially among small to medium-sized businesses (SMEs). According to the Global Economic Crime Survey (2016) conducted by PwC, an estimated 32% of South African businesses have experienced cyber-attacks, on a par with the global average.

Cyber security is uniquely challenging for SMEs, due to a combination of the frequency with which these threats become bona fide cyber security incidents, the severe business disruption and financial impact, and limited resources to respond and recover in the event of an attack.

Jenny Jooste, Professional Indemnity and Cyber Underwriter at Chubb Insurance South Africa, says: “Our claims data and global research are showing that cyberattacks directed at SMEs are steadily increasing. As a group, SMEs tend to devote inadequate resources, time and funds to cybersecurity, with fewer than 3% of all SMEs having cyber insurance. Criminals target these companies because their IT controls are not as sophisticated as those of large corporate companies, and the skills for dealing with these threats are often not specialised, making them perfect targets.”

According to Jenny, cyber criminals typically look for targets that can be hacked with ease. “They often accomplish this by using software that automatically scans the web and identifies businesses with specific security weaknesses such as outdated or unpatched software, poor password hygiene, open web ports, unencrypted data in transit, lacking endpoint protection and the like. They can also gain entry through a server room break-in or from internal network hacking, which then enables monitoring by criminal third parties. This can often be triggered by something as innocuous as plugging an infected USB drive into a computer or device that is connected to an internal network.”

She also raised the issue of liability relating to cyber exposure, which company directors ignore at their peril.

“Directors and officers can be held liable in their personal capacity for their fiduciary duties should the necessary measures and policies not be in place to mitigate cyber liability exposure for the company. Claiming ignorance about cyber risks is no longer an excuse, and proactive steps must take centre stage to mitigate and prepare for potential cyber threats, no matter the size of your business,” warns Jenny.

How can SMEs protect themselves from cyberattacks?

Although stopping cyber criminals from accessing data may seem like a formidable task, there are simple measures that companies can use to create their own cyber risk management programme and limit their exposure. Chubb Insurance provides the following important tips:

Focus on the basics

  • Ensure that antivirus, firewalls, patches and other security software are always up to date. Also ask a cybersecurity consultant to identify high-risk areas and address these. Does IT know at which point you want to be alerted about a breach?
  • Do you have a specific person with responsibility for Information Security (IS)?
  • Is there a formal IS policy in place? How often is it reviewed, and by whom? Are recommendations acted upon?
  • Have you implemented user security awareness training? How often? How relevant is it to your business?
  • Is an audit report done on potential areas of risk on operational (non-financial) systems?
  • Is someone tracking the evolving cyber-regulatory environment?
  • Will someone monitor decisions made by regulators in response to cyber incidents?
  • Do you have an appropriate cyber insurance programme in place and do you know how it will work?
  • Is your data encrypted?
  • Is IT conducting forensic readiness assessments?
  • Are incident response plans being tested?
  • Has the quality of the back-ups been tested?
  • Are effective “real-time” monitoring processes in place?
  • Is the type of data and the impact of breach understood? Have you identified critical information security risks and put in place appropriate monitoring and controls?
  • Have information resources been classified according to sensitivity and criticality? Have corresponding levels of security been implemented?
  • Is dual authentication required for access to critical Information Systems?
  • Are users required to regularly update passwords? What are the criteria?
  • Are laptops protected by personal firewalls?
  • Is antivirus software installed on ALL systems, and are updates monitored?

Educate all employees regularly on cybersecurity vigilance: 

Employees should be aware of the role they play in preventing a cyber breach, especially when company laptops or other devices are used offsite. They should gain access via VPN sign-on procedures and never use USB drives. Establish positive and secure habits with regularly scheduled training and education, empowering the IT department to send regular “tester emails” to staff to see who can identify phishing emails. This training needs to be ongoing. Some basic clues that indicate phishing:

  • Enticing: Offers that are too good to be true
  • Urgent: Pressure tactics such as threats, rushing or name dropping
  • Unsolicited: Contact is unexpected or not from someone you would expect e.g. CEO.
  • Odd: The tone is off, especially from a colleague or friend.
  • Unknown: Unknown requester, email address doesn’t match the message (e.g. someone@gmail claiming to be from UPS), or the URL isn’t correct (e.g. AmericExpress.com).
  • Sloppy: Spelling or grammatical mistakes, branding is old or unusual.
  • Unusual: Requests are outside normal procedures or breach normal policy.
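The clues above can be turned into a simple triage script that an IT team could run over reported messages before deciding whether to warn staff. The following is an added example, not code from the article or from Chubb: the brand list, the free-webmail list, the keyword patterns, the thresholds and both sample messages are constructed for illustration, and the look-alike check uses plain edit distance rather than a public-suffix list.

```python
"""Score an e-mail against the phishing clues: brand/sender mismatch, free webmail
sender, look-alike link domains, urgency and enticement wording.

Added example; all brand data and sample messages are constructed.
"""
import re
from email.utils import parseaddr

# Constructed: brands we expect mail from, and the domains they legitimately send from.
KNOWN_BRANDS = {
    "ups": {"ups.com"},
    "american express": {"americanexpress.com"},
    "microsoft": {"microsoft.com", "office.com"},
}
ALL_LEGIT_DOMAINS = set().union(*KNOWN_BRANDS.values())
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

URGENCY_WORDS = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|final notice|act now)\b", re.I)
ENTICEMENT_WORDS = re.compile(r"\b(won|winner|prize|free|reward|claim your)\b", re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; spots look-alikes such as americexpress.com vs americanexpress.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list here)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def claimed_brands(text: str) -> list:
    """Brands named in the display name, subject or body (whole-word match)."""
    return [b for b in KNOWN_BRANDS if re.search(r"\b" + re.escape(b) + r"\b", text, re.I)]


def score_message(from_header: str, subject: str, body: str):
    """Return (score, reasons); each matched clue adds one point."""
    reasons = []
    display, addr = parseaddr(from_header)
    sender_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""

    # Unknown: a brand is claimed but the sender domain is not one of that brand's.
    for brand in claimed_brands(f"{display} {subject} {body}"):
        if sender_domain not in KNOWN_BRANDS[brand]:
            reasons.append(f"claims '{brand}' but sent from {sender_domain or 'no domain'}")
            if sender_domain in FREE_MAIL_DOMAINS:
                reasons.append("brand message sent from a free webmail address")

    # Unknown/Sloppy: link domains within two edits of a real brand domain.
    for host in URL_RE.findall(body):
        dom = registrable(host)
        if dom in ALL_LEGIT_DOMAINS:
            continue
        for good in ALL_LEGIT_DOMAINS:
            if levenshtein(dom, good) <= 2:
                reasons.append(f"link domain {dom} looks like {good}")

    text = subject + " " + body
    if URGENCY_WORDS.search(text):          # Urgent: pressure tactics
        reasons.append("urgent/pressure language")
    if ENTICEMENT_WORDS.search(text):       # Enticing: too good to be true
        reasons.append("too-good-to-be-true offer")
    return len(reasons), reasons


# Constructed samples mirroring the article's clues (gmail sender, look-alike domain).
SAMPLE_PHISH = (
    "American Express <alerts@gmail.com>",
    "Urgent: verify your card",
    "Your American Express card is suspended. Log in within 24 hours at "
    "http://www.americexpress.com/verify",
)
SAMPLE_LEGIT = (
    "American Express <alerts@americanexpress.com>",
    "Your monthly statement is ready",
    "View it at https://www.americanexpress.com/statements",
)

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        score, why = score_message(*sample)
        print(sample[1], "->", score, why)
```

A score of 0 does not make a message safe; the script only surfaces the mechanical clues, and the "Odd" and "Unusual" clues still need a human who knows the sender and the normal procedure.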

Develop and enforce a formal, written password policy: 

  • Establish a written password policy requiring strong passwords, such as a mix of letters, numbers and symbols, that are frequently changed. Passwords should also be changed and user accounts marked as inactive when employees leave the company.

Update IT equipment and deploy security software

  • Outdated operating systems and computers are inherently more vulnerable to more sophisticated hacking techniques and newer forms of malware. It is also important to monitor those who have legitimate access to the network as well as monitoring the network itself to highlight abnormal activities. Basic downloadable software offerings are available to SMEs and can be operational within minutes.
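Monitoring legitimate users as well as the network, as the tip above recommends, can start from something as small as a sign-in log. The script below is an added example and not part of the article or any vendor product: it reads a hypothetical "timestamp user ip result" log format, learns each user's normal business-hours IPs from the log itself (a real deployment would build that baseline from an earlier window), and reports failed-login bursts, never-before-seen IPs and off-hours sign-ins. The log lines and thresholds are constructed.

```python
"""Flag abnormal sign-in activity in a simple access log.

Added example; the log format, sample lines and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: routine daytime logins, then a night-time burst against bob.
SAMPLE_LOG = """\
2024-03-04T08:55:12 alice 10.0.0.12 success
2024-03-04T09:01:40 bob 10.0.0.21 success
2024-03-05T08:58:03 alice 10.0.0.12 success
2024-03-05T09:10:27 bob 10.0.0.21 success
2024-03-06T09:02:11 alice 10.0.0.12 success
2024-03-06T03:14:05 bob 203.0.113.77 failure
2024-03-06T03:14:09 bob 203.0.113.77 failure
2024-03-06T03:14:14 bob 203.0.113.77 failure
2024-03-06T03:14:20 bob 203.0.113.77 failure
2024-03-06T03:14:31 bob 203.0.113.77 success
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 counts as normal (assumption)
FAIL_THRESHOLD = 3              # failures from one user/IP pair before reporting


def parse(log_text: str) -> list:
    """Parse 'timestamp user ip result' lines into (datetime, user, ip, result)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def build_baseline(events: list) -> dict:
    """IPs each user has successfully signed in from during business hours."""
    seen = defaultdict(set)
    for ts, user, ip, result in events:
        if result == "success" and ts.hour in BUSINESS_HOURS:
            seen[user].add(ip)
    return seen


def find_anomalies(log_text: str) -> list:
    """Return human-readable findings: failure bursts and unusual successful logins."""
    events = parse(log_text)
    baseline = build_baseline(events)
    failures = defaultdict(int)
    findings = []
    for ts, user, ip, result in events:
        if result == "failure":
            failures[(user, ip)] += 1
            if failures[(user, ip)] == FAIL_THRESHOLD:   # report once per burst
                findings.append(f"{ts.isoformat()} {user}: {FAIL_THRESHOLD} failed logins from {ip}")
            continue
        reasons = []
        if ip not in baseline[user]:
            reasons.append("never-before-seen IP")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append(f"{ts.isoformat()} {user}: login from {ip} ({', '.join(reasons)})")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(finding)
```

The point of the baseline is that "abnormal" is relative to each user: alice signing in from her usual address at 09:00 is silent, while the same address and hour for a user who has never used it would be reported.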

Create a cyber incident response plan

  • Less damaging incidents can be resolved by a dedicated and prepared team of cyber responders, which may comprise employees and outside service providers. This provides a shorter response time and a quicker resolution to the issue, if it is within the means of the team.

Put a disaster recovery plan in place

  • Typically, disaster recovery planning involves analysis of the business processes and continuity needs required so that an organisation can continue to operate, even if it has to do so from a different, offsite location. Make sure a copy of the plan is printed for staff use, because if your system is hacked, you won’t be able to get your plan from your PC.

Purchase cyber insurance

  • After getting all IT control measures in place, ensure that you investigate purchasing a cyber liability insurance policy, which covers first and third-party liability. The cost of this will always be far less than the cost of shutting down a business in the wake of a cyberattack.

“It is evident that the threat of cyber-crime is not going away anytime soon and the cost of a breach can be crippling to a small business. Businesses that embrace the necessary safeguards, together with other measures outlined by their insurer and broker, are putting themselves in a strong reactive position to recover with their bottom line and reputation intact,” concludes Jenny.

Get in touch: Additional information can be found at: www.chubb.com/za
