Focusing on cyber security in this time of crisis. Can you afford not to?
Cyber-attacks and data breaches have been cited as among the top risks in most risk reports and publications issued over the last few years. Over the last couple of weeks, numerous articles have noted the increase in the likelihood of cyber-attacks as a result of many companies’ employees working from home.
The global cybersecurity firm, Kaspersky, reported that network attacks in South Africa increased to 10 times the average during 15-21 March 2020. During that week, hackers attacked up to 310 000 devices, compared to the previous weekly average of 20 000 to 30 000.
If we agree that these were already among the top risks companies faced pre-COVID-19, and we can see that the likelihood of the risks materialising has now increased, surely we should give them some attention?
Terms such as malware, denial of service attack, patching and phishing are all terms that I’m sure make a lot of sense to the IT people out there, but as an accountant and risk professional, I set out to understand how it all fits together and what it is that could really go wrong if a company falls victim to a cyber-attack.
My partner and co-founder of Tiisa Group (Pearl Hlabangana) is the cyber security specialist, and after many debates on the risk of cyber, I have concluded that a cyber-attack ultimately results in one of two things – (1) Loss of Data and/or (2) Interruption of Service.
Loss of data
There could be several reasons a hacker is after your data. It could be a competitor, an individual or company that on-sells data, and/or someone with ill intent looking to exploit personally identifiable data.
A data breach could have detrimental financial consequences. In addition to the reputational damage and lack of customers’ trust, large fines could be enforced by data privacy regulators – if not in SA (yet), most certainly in Europe if you are required to comply with the GDPR (EU General Data Protection Regulation). The IBM 2019 Cost of a Data Breach Study report estimates the cost of a data breach in South Africa at R42m, with lost business being the biggest contributor to data breach costs globally. In addition to fines and lost business, the report lists several contributors to the cost of a breach. Some of these are highlighted below:
- Conducting investigations and forensics to determine the root cause of the data breach
- Determining the probable victims of the data breach
- Organising the incident response team
- Conducting communication and public relations outreach
- Preparing notice documents and other required disclosures to data breach victims and regulators
- Audit, consulting and legal services
In addition to these, management time and effort are required, taking their focus off the real business.
Interruption of Service
There are a number of technical ways that a cyber-attack could interrupt business. Some examples of these are:
- Launching ransomware to encrypt an organisation’s data, requiring ransom to be paid in exchange for the decryption code.
- Distributed denial of service attacks (DDoS) happen when attackers send high volumes of data or traffic through the network/website until the network/website becomes overloaded and can no longer function.
- Malware intentionally designed to cause damage to a computer, server or network. This could include spyware, ransomware, viruses, and worms. Malware is used to facilitate several different types of cyber-attacks.
Irrespective of the technical manner that a hacker uses in the attack, the outcome would be interrupted service impacting an organisation’s ability to operate and generate revenue. The direct costs to recover and indirect costs of downtime would depend on the nature and consequences of the attack as well as how prepared you are to restore operations.
It is important to protect the organisation against these threats. There are specific preventative and/or detective controls that organisations can implement. I’m not going to explain these in this article, but you are welcome to contact us if you require more information. These do not have to be expensive or complicated.
I understand that management teams have more important things to worry about than cyber security. I guess one could argue that, given the current focus areas of rethinking strategies, navigating supply chain issues, dealing with possible employee retrenchments and surviving the storm. However, if we weigh up the increased likelihood of falling victim to a cyber-attack or data breach, the resulting consequences and the organisation’s ability to withstand the consequences of an attack, I’m afraid the question I’m left with is “Can you afford not to?”.