Today, it’s estimated that SMEs make up 90% of formal businesses and contribute around 34% to GDP. Yet the majority of these businesses are vulnerable to what has been labeled one of the greatest threats to businesses: cyber attacks.
When looking at the World Economic Forum’s Global Risks Report 2019, ‘technological instability’ was a highlighted risk, with “massive data fraud and theft” ranked the number four global risk (over a 10-year horizon) and “cyber attacks” coming in at number five. Moreover, within the annual report’s Global Risks Landscape quadrant, cyber-risks were positioned alongside environmental risks in the high- impact, high-likelihood quadrant. In other words, this is one of the primary risks to every modern business today, regardless of its size, industry or sector.
Locally, many analysts assert that the threat has never been this serious, with businesses at risk of being compromised by increasingly savvy cyber criminals. According to the South African Banking Risk Information Centre (SABRIC), South Africa currently has the third highest number of cybercrime victims worldwide – with the country losing an estimated R2.2 billion a year to cyber attacks. Between January and August 2018, SABRIC reported that cyber and digital banking crimes resulted in over R183 million in losses, with mobile banking losses increasing by 100%. Online banking scams resulted in the biggest loss (R89.3 million) during that period, the organization said.
SMEs an easy target
For SMEs, the prevailing sentiment has been that they are too small to be targeted and are therefore somewhat immune to the attacks being leveled at larger companies. Yet nothing could be further from the truth. SMEs are actually a prime target for cyber criminals, precisely because they do not have the sophisticated IT security systems and IT teams that bigger corporates have. Added to this, many employees within SMEs have little to no awareness and training around cyber security, making them easy entry points for hackers.
A global report by the Ponemon Institute found that around 61 percent of small businesses experienced a cyber-attack in 2017.
Currently, the threats to local SMEs come largely in the form of phishing, whereby criminals attempt to lure employees into clicking on a malicious URL or e-mail attachment to steal their login details, which they can then use to gain unauthorized access to the victims’ financial accounts or internal company networks.
According to recent reports, businesses with less than 500 employees are substantially more affected by a range of cyber attack techniques including email malware, ransom-ware and simple phishing than their larger counterparts.
Worryingly, today’s phishing attacks incorporate some form of social engineering, whereby hackers glean personal information from social media accounts such as LinkedIn and Facebook to lend some ‘credibility’ to the attack. Simply by scanning your social media accounts, hackers will obtain details such as your birthday, your friends’ names, your company and position, your location, etc.
Cyber Insurance key to business continuity
With the above in mind, it is absolutely critical that SMEs begin to explore cyber insurance. Unlike in previous years, today’s cyber insurance offerings are accessible to SMEs and offer comprehensive cover. Arguably, without cyber insurance, SMEs can be crippled by data breaches and cyber fraud, landing in situations they cannot recover from.
When exploring the various cyber insurance options, you should look for policies that cover an SME’s cyber, privacy and reputational risks and liabilities. Just as businesses insure against fire damage and theft, so too do they need to insure against cyber threats. As a foundation, SMEs should look for policies that cover their liabilities and legal costs following a breach. Moreover, the cost of restoring data, as well as the costs associated with hiring specialists, loss of business income and crisis management should also be covered within the cyber insurance policy.
Education acts as insurance
In addition to investing in cyber insurance and business continuity strategies, SMEs should invest in professional bi-annual cyber awareness training (at minimum) for their teams that is geared towards each user group – managers, marketing teams, social media people, HR, etc. This is critical to ensure that everyone is aware of the latest attacks and methods. Additionally, employees (and leaders) should undertake regular ‘testing’ by having an outside firm conduct a social engineering hack. These kinds of tests help significantly to keep employees and teams vigilant, alert and aware.
To supplement these targeted and professional training methods, employees need to be made aware that what they post online might compromise or endanger the business – and their own online wellbeing. With this in mind, establishing and implementing a comprehensive social sharing policy with clear rules and guidelines is important.
By taking a proactive approach, business leaders can combat the risks and enable employees to focus on what they do best: delivering high quality products and services to customers.