Kids today will never understand the ubiquitous accessory that was the attache case, prior to, say, 1987. The pinnacle of business-cool sophistication, carrying an attache case proclaimed to the world that you were an important business person with access to important sensitive information that couldn’t be carried around in just any briefcase – it had to be a briefcase with a combination lock that clicked open importantly when unlocked.
It wasn’t just about looking the part; the attache case was practical. For the likes of insurance brokers visiting clients at their homes, the attache case was the on-the-go equivalent of the filing cabinet at the office, keeping sensitive information under lock and key. There was a danger that your case might get stolen or someone might crack your combination and steal the documents inside. But if you kept your eye on it, it was relatively secure.
Crouching hacker, hidden threat
As the world becomes increasingly digital, the attache case has been replaced with a laptop and these days sensitive information is stored in the Cloud. Digitisation of documents has many perks – it requires far less physical storage space, information is much quicker to retrieve, back-ups mean there’s less risk of information being lost to accidents like fire or water damage and, theoretically, a virtual document should be harder to steal. However, as technology has advanced to make cyber storage more secure, so too have cyberattacks become more cunning.
“The biggest cyber-risk is that the world of financial services has shifted online and into the Cloud – and if something’s online, it’s vulnerable,” says Dr Eugene Wessels, Chief Technology Officer at King Price Insurance. “Financial services providers (FSPs) remain one of the most attractive targets for cybercriminals, simply because of the nature of their business and the type of information they hold.”
When an FSP falls prey to a cyberattack, it’s not just information that is at risk. “Perhaps the biggest threat for FSPs is your reputation,” says Wessels. “Clients trust you to protect their data, so a network security or data privacy breach doesn’t just have a massive impact on your clients – it can also cause serious and lasting damage to your business.”
New-gen attacks
The Covid-19 pandemic forced a rapid adoption of digitalisation within the financial services industry, even among those sceptical of the technology. It was, of course, an acceleration of the inevitable. But while it has allowed businesses to streamline processes and action changes that clients – and staff – may otherwise have been reluctant to accept, it has also exposed non-tech-savvy people to a new world of cyber threats. And criminals have been quick to take advantage of their vulnerability.
“Recently, we have seen more frequent and sophisticated data breaches and phishing attacks,” says Xiáne Francis, Assistant IT Manager at MUA. “Insurance companies are ideal targets for cybercriminals due to the large amount of sensitive data we manage, which includes Personal Identifiable Information (PII).”
Criminals may impersonate someone within the organisation – and an individual who is already under stress, not tech savvy or perhaps just eager to be helpful, could get taken in. “We’ve seen that cybercriminals often try tactics such as posing as a CEO or finance manager and will send fraudulent emails or messages to employees to obtain confidential information or direct employees to click on malicious links,” Francis continues. “These attacks could result in financial loss, damage to our reputation, and even legal repercussions.”
This type of attack, known as phishing or social engineering (see “Types of Cyber Attacks” below), exploits human vulnerability, rather than infiltrating a company’s systems. And South Africans who, by and large, have less experience with doing business and transacting online than those living in more developed countries, may unfortunately be particularly susceptible to these types of scams.
“Cybercrime remains a huge problem for many South Africans, with research suggesting that more than 70% of the country’s citizens have fallen victim to cyberattacks or other risky activity, compared to a 50% global average,” notes Ryan Van de Coolwijk, Product Champion: Cyber, for iTOO Special Risks.
“Currently, the most common drivers from a cyber insurance claims perspective are business email compromise attacks, which have surpassed cyber extortion and ransomware attacks as the vector of choice for cybercriminals,” he adds.
Also more at risk are small businesses. “Some recent reports suggest that small businesses are three times more likely to be targeted by cyber criminals than larger corporations,” notes Discovery Business Insurance Chief Operating Officer, Lana Ross. “One reason is because smaller organisations often don’t have very sophisticated security measures in place. As a result, SMEs can be seen as easy targets by cyber criminals.”
Sure enough, Santho Mohapeloa, Senior Cyber Underwriter at Allianz, has noticed an uptick in certain types of cyberattacks targeting SMEs. “Commercialisation of ransomware as a service, the continuance of the double/triple extortion attacks as well as sophisticated social engineering scams, like phishing, remain a major cause of concern for the SME sector,” he says. “The increased ransomware attacks within the SME sector can be attributed to the lack of financial and employee resources.”
Compromised smaller businesses can also sometimes act as a kind of “back door” into bigger businesses that are harder to crack from the outside. “It’s also worth mentioning that many small businesses work alongside or partner with bigger organisations or are part of a bigger supply chain network. So, catching the smaller fish makes a bigger one easier to target, too,” says Ross.
She says small businesses are often targets of automated attacks. “Cyber criminals can easily target hundreds, even thousands of small businesses at once through automation.”
Of course, cybercriminals don’t only focus on small businesses and their attacks are getting more sophisticated. Gone are the days of the “Nigerian princes” who would promise you thousands of dollars if you could just wire a few hundred bucks to help them out of whatever unlikely predicament they had supposedly found themselves in.
“Cyber extortion threats have seen a fair amount of evolution over the past few years and are no longer limited to relatively simplistic email attacks that attempt to lure a user to click on a link or open an attachment with malicious content,” says Van de Coolwijk.
“Modern cyber extortion attacks and data theft typically involve hackers gaining access to a client environment, escalating their privileges and then trying to encrypt as much of the environment as possible. Along with the increase in sophistication of these attacks, ransom demands have also escalated as hackers often gain access to companies’ back-ups and encrypt those too, leaving the company with nothing to recover from.
“With the evolution of back-up technology and solutions, hackers will often – prior to encrypting an organisation’s data – steal it out of the environment first and then hold clients to double extortion. This means demanding a ransom for not releasing sensitive information publicly and also a second ransom demand for keys to decrypt the data within the company’s environment.”
Hazard zone
With cybercriminals constantly evolving their modus operandi, your chances of falling prey to a cyberattack are, unfortunately, pretty high – whether your business is big or small. So, it’s important to stay up to date with trending threats, so that you can make informed decisions when it comes to putting risk management measures in place.
“Recent incidents like the Uber data breach in September 2022 have shown that even the most established and well-funded organisations can be vulnerable to such attacks, which is why companies must prioritise cybersecurity and provide regular awareness training to their employees on staying vigilant online,” says Francis.
“The biggest lesson we can all take is that it’s not a question of ‘if’, but ‘when’,” cautions Wessels. He notes that 2021 was a record year for data breaches worldwide, according to the Identity Theft Resource Center. “But many companies still think it will never happen to them,” he adds. “Interpol estimates that nine out of every 10 African businesses are operating without the necessary cybersecurity protocols in place, putting themselves and their clients at risk of massive financial loss.”
Even when local businesses do fall victim to cyberattacks, it would seem they’re slow to learn from their mistakes. “IBM’s 2022 Cost of a Data Breach Report shows South Africa has the highest global probability of a repeat breach: 83% of organisations experienced more than one breach in the last 12 months,” says Wessels.
Just as the financial services industry looks at trends and historical data to mitigate risk in other areas of the business, it can do the same with cybercrime – and there’s no shortage of data available. Looking at the most common types of cyberattacks, it’s clear where risk management systems need to be put in place. “The most common initial attack vectors are stolen or compromised credentials, phishing, cloud misconfigurations, and vulnerabilities in third party software. We should focus our efforts on securing these risk areas first,” says Wessels.
High stakes operations
The costs of falling victim to cybercrime can be far-reaching and varied. “The consequences can be costly and include serious financial losses with the disruption to business operations such activity causes,” says Ross. “Then there’s reputational damage which can cost businesses their customers. Breaches can cause all sorts of complicated legal issues too.”
Mohapeloa confirms that losses following a cyber attack go far beyond the expenses related to data breaches. “Cyber business interruption is the largest loss driver in respect of cyber insurance claims – business-interruption-related expenses have surpassed data-breach-related expenses as the largest driver of costs incurred after a cyber incident,” he says.
And for smaller businesses, the fall-out can be disastrous. “A breach can have a nasty impact on any business,” says Ross. “More than half of all small businesses impacted by cyberattacks end up closing their doors within six months.”
Keeping hackers out
“In response to the constant increase in sophistication of cyberthreats, several cybersecurity technologies and controls have recently emerged, aimed at reducing the likelihood of individuals and organisations falling victim to hackers,” observes Van de Coolwijk. “These include five key controls: The rise of multi-factor authentication, massive advancements in endpoint protection solutions, patching, back-up resiliency and end user awareness and training.”
Businesses that didn’t already have these protocols in place have had to play catch-up in order to remain compliant.
“At the same time, many South African financial service providers have had to start tightening their security infrastructure to comply with the requirements of the draft Joint Standard published by the Financial Sector Conduct Authority and the Prudential Authority, which will be implemented soon,” Van de Coolwijk continues. “The draft Joint Standard sets out the minimum requirements and principles for sound practices and processes of cybersecurity and cyber resilience for financial institutions.”
With threats constantly evolving and criminals becoming more wily, it’s not just about what you have in place; you need to understand why you need it – and that means understanding the nature of cyberthreats and where security breaches might arise.
“AGCS promotes a holistic approach concerning cyber risk management. Prepare, Practise and Prevent is the risk-based approach that we have adopted as an entity,” says Mohapeloa. “Monitoring, analysing and responding to threats is of key importance for any entity in the current cyber landscape; the use of cyber threat intelligence improves a company’s cyber posture.”
Mohapeloa stresses that cyberthreats are not only broad concerns – it’s important that businesses take a comprehensive look at their specific risks as well. “In establishing the resiliency requirements, a business must consider compliance with legislation, specific business requirements and best practice,” he says. “Best practice includes paying particular focus to security controls around network security, business continuity plans, disaster recovery plans, incident response plans, network segmentation, end-point security, anti-phishing exercises, user awareness training, robust backup policy, patch management and a vulnerability management policy.”
And these things all need to be put in place in advance – waiting until you’ve been attacked to figure out a response plan is a risk in itself. “These policies are effective when tested, practised and regularly reviewed by an independent third-party service provider,” says Mohapeloa. “With the rise of ransomware attacks, a pre-agreed IT forensics firm / anti-ransomware service provider arrangement being in place improves the cyber readiness of a company.”
“Due to the PII that financial services and other businesses handle, they are particularly vulnerable to various cyber threats, including malware, phishing, and ransomware attacks. To be cyber resilient, companies must have a robust cybersecurity strategy,” agrees Francis. “This should involve conducting regular risk assessments to identify potential vulnerabilities, evaluating current controls in place to mitigate any potential risks within your business, and ensuring that software and systems are regularly updated with the latest patches. It is also crucial to have backup and disaster recovery plans to minimise cyber incidents’ impact.”
Under virtual lock and key
The most obvious aspect of your cybersecurity strategy is making sure the information is safely and securely stored. But in a landscape of ever-evolving threats, what that safety and security looks like may be far from obvious – and is constantly changing.
Van de Coolwijk notes that there have been some good advancements in cyber resilience when it comes to having measures in place to be able to recover from ransomware attacks and data recovery breaches. “Many companies are moving to back-ups that are either disconnected, offline or immutable, meaning that they cannot be encrypted by cybercriminals,” he says.
However, that’s just one part of the solution. “The key to storing sensitive information securely is a proper data management strategy, which must be underpinned by a solid understanding of where this data is stored so that it can be secured,” says Van de Coolwijk. “Encouragingly, more companies are starting to conduct analyses to see where their data is stored, whether it must be stored in separate locations or whether it can be centralised. Knowing where sensitive data resides and managing its protection also makes it easier for organisations to report any breaches to the Information Regulator, in line with the requirements of the Protection of Personal Information Act.”
Access control
It’s not just about where information is stored, however. Another major aspect of cybersecurity is controlling who has access to the information – and how they access it.
“Besides having security basics in place, businesses must also be able to control who is able to access their information. That means ensuring robust verification of everyone who wants to access company systems and networks, and keeping a log of who accesses the system and when,” says Wessels. “If your people work remotely, or use their personal devices for work, virtual private networks (VPNs) are a critical tool. A VPN provides a secure, reliable connection to your company’s computer systems, even if your people are logging on from public Wi-Fi. All your internet traffic is then routed through an encrypted virtual ‘tunnel’ that is secure and private.”
Also consider that access does not have to be all or nothing – it can be limited. “This includes not only restricting who has access, but also whether they need access to it all the time or only for a limited period,” says Van de Coolwijk. “Furthermore, individuals with access to sensitive data should be identified through multi-factor authentication and companies should encrypt their data where possible.”
Signature required
A new potential risk peculiar to the financial services industry that has arisen out of the move towards digitalisation is around signing of documents. What was once a fairly straightforward procedure involving a pen and an ID document has become more complicated since business has moved online.
To create more secure transactions and document signing, Francis says a business could consider implementing:
- “Digital signing, by using tools like DocuSign, Adobe Sign, or Sign Easy
- Enabling email encryption across your environment ensures that every email containing personal information is sent securely – tools like Microsoft Azure Information Protection, Mimecast Secure Messaging, or Cisco Secure Email Encryption Services
- Implementing multi factor authentication by use of a password, pin code, or authentication app before accessing a system or document
- Password protecting documents with a unique password.”
Mohapeloa adds that businesses can also use watermarking, document expiry and self-destruct to further bolster document security.
Crowd control
There’s a reason why social engineering style cyberattacks are so successful and that’s because even the most robust systems are only as secure as the people using them. “It’s no use spending millions on security solutions if you don’t educate your people,” says Wessels. “When it comes to cybersecurity, your people are the weakest link. They click on dodgy links. They use weak passwords. They let other people use their devices at home. Your best defence is to create an active cybersecurity culture that gets everyone in the business following basic security habits.”
According to Francis, this starts by taking cybersecurity out of the IT department and into the corridors. “We can create a cybersecurity-savvy mindset by making cybersecurity awareness a part of your company’s overall culture, not just something the IT Department handles,” she says. “The support of the executive committee, marketing department, and all other non-technical departments creates an environment that encourages everyone to be part of it. By working together, your company can build a strong and proactive approach that will ensure its success in mitigating cyber risks.”
Van de Coolwijk agrees, adding that staff who are cybersecurity-savvy are a key front-line defence. “One of the best defences that a company has against cyberattacks is its staff,” he says. “Employees must be trained in security dos and don’ts and best practices. Ultimately staff, backed by cyber specialists, must be the front line of security instead of the weak link that hackers look to exploit.”
In practice, that could look like regular training and testing exercises. “At MUA, we have implemented a cybersecurity awareness training platform that offers engaging awareness training videos followed by short assessments to keep our employees up-to-date on the latest cyber threats. The training covers important topics such as phishing attacks, password protection, and data protection,” says MUA’s Marike Van Niekerk. “In addition, we conduct phishing simulations to identify potential vulnerabilities in our systems and employees’ awareness. Creating awareness and preparing employees for potential cyber threats in this era of increasing digitalisation and connectivity is essential.”
Always be testing
Putting cybersecurity protocols in place is not a once-off exercise. “Regular security updates and patching should be applied, and data retention policies should be implemented to delete data that is no longer needed,” says Francis. She also stresses the importance of conducting regular security audits and risk assessments. “And most importantly, employees must be trained regularly on data privacy and security practices.”
Ross also emphasises the need for constant evaluation and updates for both systems and the people who use them. “Ongoing and updated cyber training should be mandatory and should consistently include how to protect mobile devices and proper password protocol,” she says. “Regular risk assessments assess potential risks that could be easy targets for a business’s systems, networks, and information. Knowing which loopholes can be compromised allows businesses the opportunity to put protective measures in place to patch or strengthen possible security gaps. Part of this is protecting both where (such as the Cloud) and how data is stored, accessed, used, and even disposed of.”
She also includes software. “Keep all software up to date. Whatever is used to keep a business running smoothly (including firmware that may need manual updating), keep it up to date to prevent security gaps that make the business and devices vulnerable. Antivirus software needs to protect all your devices against cyber threats. It must also be frequently updated. Software can also offer technology that enables device clean-up if something happens and can reset them to a pre-infected state.
“Keep your Wi-Fi network secure. Use up-to-date versions with upgraded infrastructure to ensure you’re best protected from hackers. You can use WPA2 (Wi-Fi Protected Access 2) networks instead of WEP (Wired Equivalent Privacy). WPA2 protects internet traffic. Also ensure your SSID (service set identifier) is securely set, or use a complex PSK (pre-shared key) for additional protection.”
Cover your bases
Ideally, cybersecurity measures should prevent a breach, but as the financial services industry knows better than most, it’s also important to prepare for the worst-case scenario.
“It’s smart business to get cyber insurance,” says Wessels. “It can’t save your business from attacks – but it’s an important way to protect you from the after-effects of a breach by covering expenses for data breaches, including hiring legal and forensic IT professionals to help you recover your data; damage to computer systems and data; disruption that brings your business to a halt and results in loss of income; and any financial losses resulting from fraudulent inputs into insured computer systems.”
Ross says cyber insurance is something small businesses should prioritise. “It is important to us that our business insurance clients have comprehensive cyber insurance as well as access to technologies that help them adapt to new ways of working, especially now that working environments have changed,” she says. “We give our clients cyber protection against losses to their business and losses to third parties following an insured cyber event.”
She says that having cyber insurance in place gives businesses the benefit of recovering quicker following an attack. “Small businesses need cyber insurance cover precisely because cyber-attacks can and do happen, even if the business has cyber security in place.”
Cybercrime is, unfortunately, not going to go away and criminals will keep looking for new ways to exploit weaknesses and vulnerabilities. The key to managing this risk is never to be complacent. “Get some of the IT basics right and half your battle is won, so to speak,” says Ross. “That’s not to say you’ll never be vulnerable. Your level of risk largely depends on how well and how often you sharpen your tools. You must keep on top of cybercrime tactics to keep your risk profile low.”
Types of Cyber Attacks
These are the kinds of cybercrime activities that are most threatening to businesses, according to Discovery Business Insurance Chief Operating Officer, Lana Ross.
Phishing or social engineering
Common tactics involve attackers posing as trusted contacts and deploying malicious links or downloadable files. Attackers prey on human weaknesses rather than technological flaws. Strong email security gateways, multi-factor authentication (MFA) and biometric security barriers (like fingerprint or Face ID) can be helpful.
Malware
This involves threats whereby viruses and trojans (destructive code) are deployed. Malicious code is typically hidden in website downloads or spam emails. It is designed to infect devices to gain access to data and steal information. Personal devices like mobile phones are easy targets for this.
Ransomware
Highly lucrative, this common attack method encrypts a business’s data so that users who should have access to the data cannot access or use it. Businesses are then forced to pay a ransom to gain back their access. Security software and secure cloud backups are useful for detecting and mitigating attacks and for recovering quickly before any damage is done.
Weak passwords
When passwords are weak, used multiple times for different accounts or can be easily guessed, it’s like leaving a door closed but unlocked. Training is the best way to ensure that employees set strong passwords for optimal protection. Multi-factor authentication is also useful, as are password management systems.