During last year, various high level attacks on large companies - such as Sony and Ashley Madison – made headlines across the world, costing these organisations millions of dollars. However, the most popular anti-virus and firewall software only protects you from 17% of cyber threats. As we tumble toward a digital economy/world, we ask if SA businesses are prepared?
As of June 2015, South Africa was one of only 28 countries in the world with a cybersecurity policy in place. Albeit a heavily criticised policy, it shows that Government recognises the dangers of cybercrime.
“We are living in an age where information travels everywhere, where anyone can access anything, and where the collective intelligence of humanity drives innovation in every direction while enabling new threats. Adding to this, the cyber landscape today presents a relatively open and interoperable global digital infrastructure, which connects entities such as organisations, businesses, governments and individuals,” says Graham Croock, Director of IT Audit and Risk at BDO. Based on this, cyber risk is now a major threat to businesses.
Responding to client concerns, BDO’s Risk Advisory division announced a strategic partnership with FIDS and Goldn’Links Cyber to launch a flagship Cyber and Forensic Laboratory, specifically aimed at assisting companies ensure they are adequately prepared for any cyber-attack.
The development of the lab stems from the realisation that there is a shortage of available expertise in the data space, worldwide, and the growing need for a specialised lab to serve the entire African continent. The lab will offer specialised services relating to Advanced Analytics, Cyber Practice, Forensic and Digital Forensic Auditing.
Companies continually face new exposures, including first- and third-party damage, business interruption and regulatory consequences. “This is evidenced by the staggering 4.8 billion records exposed as a result of data breaches in the past five years. Not only that, but currently there is a total of US$3 trillion recorded loss as a result of cybercrimes worldwide,” explains Roi Shaposhnik, CEO of Goldn’Links Cyber.
Shaposhnik also highlights that of these figures, the most commonly targeted industries include the financial and healthcare sectors, noting that attack vectors remain mostly traditional: web browsers, email, and social engineering (spear phishing).
A point of departure for any business is to understand that today’s dynamic environment requires a systematic approach to managing cyber risk. The model developed by BDO and its partners seeks to effectively manage these risks through a number of defined processes. This model outlines a six-step process, which includes identifying and defining the risk; monitoring the control variables; followed by the detection of any abnormalities using the analytics tools; determining a course of prevention that leads to a decision to allow some of the risk to exist in a controlled environment and, lastly, transferring the risk using insurance products.
Croock explains, “The BDO methodology of managing risk can be easily broken down into four strategic actions. One can either choose to tolerate the risk, accepting it for what it is, or treat it by adding controls. It is important to note that the more controls are added, the more costs are added to the equation. However, there comes a limit where you can’t add any more control to the risk. When the returns are no longer aligned to the risk taken, then one can choose to terminate that risky part of the business. The last available option would be to transfer some of the risk, giving way to explore specialist cyber insurance options.”
“In today’s world, there are only two types of companies - those that have been hacked, and those that will be. Now, more than ever, they are even converging into one category: companies that have been hacked and will be hacked again,” says Shay Simkin (ACII), Managing Director of global insurance provider, Howden. “When looking at transferring risk, businesses should consider cyber insurance as an effective component of its cyber risk management strategy. What risk insurance does is to help business managers select and implement improved risk avoidance and mitigation techniques.”
BDO has gone to great lengths to develop sophisticated databases used to identify and prioritise the exposures and decide on the appropriate course of action. The capabilities of the BDO Cyber and Forensic Lab incorporate the ability to do real-time operational monitoring of systems as well as active machine learning and modelling to pick up on variances in transactions. Additionally, BDO has developed an efficient way to install software into business systems without any operational interruptions.
“We are living in a digital world, a world where data is king. But we still fail to understand it. Our partnerships in this regard ensures that we not only have the best in the business, but that we have the best analysts available to assist in the various types of forensic investigations. Both BDO and FIDS are well positioned to deal with advanced analytics, having built enormous platforms with specialist services to help interrogate data and bring back to data managers information that is critical to manage their businesses,” concludes David Cohen from FIDS.
Cyber Crime and South Africa: What are the Risks?