By Kondi Nkosi
Today, 100% of companies rely on the internet to operate, compared to the one-in-four 10 years ago, according to a study from Accenture. Add to this greater connectivity the increased volume of data being handled by companies and the shift to remote working brought about by Covid-19, and it’s not hard to see why cybercrime represents a significant risk for organisations.
Cybercrime in the headlines
There has been a spate of recent high-profile cyber attacks in which significant companies have been held to ransom. Across the globe, giants such as Colonial Pipeline, the largest fuel pipeline in the United States (US); JBS, the world’s biggest meat processing company; and even Ireland’s National Health Service have all been victims of cyber attacks.
Locally, there have been a number of cyber breaches across the country, with victims that include key bodies such as the Department of Justice (DOJ) and the South African National Space Agency. The DOJ reported that all of its information systems were encrypted, and subsequently internal employees and members of the public were unable to access important data.
These are just a few examples of recent ransomware attacks, a type of cyber attack that involves locking users out of their own files or systems and demanding a ransom in return for restoring access. In Colonial Pipeline’s case, the ransom was $4.4 million, while JBS was forced to pay the equivalent of $11 million.
Other examples include the foreign exchange company Travelex, which was held to a $6 million ransom in early 2020; the attack on British Airways in 2018 (which resulted in a $26 million fine for the company because it was found not to have sufficient security measures in place); and the 2016 hack into the central bank of Bangladesh’s systems, where criminals made off with $81 million.
Many attacks don’t make the headlines. On a global basis, it’s reported that more than 30 billion data records were stolen in 2020. This is more than in the prior 15 years put together. In the US alone, the FBI received a record of nearly 800 000 cybercrime complaints in 2020, a 69% increase on 2019’s total, with reported losses at more than $4.1 billion. In Europe, cyber attacks increased by 75% in 2020 compared to 2019.
Cybercrime prevention: spending surge
The cost of cybercrime globally is expected to hit $6 trillion annually in 2021, and $10.5 trillion by 2025, according to Cybersecurity Ventures, a cyber research company. Cybercrime costs include damage and loss of data, money, productivity, intellectual property, business interruption, the restoration of hacked data and systems and reputational damage.
As a result, spending on protection mechanisms has sky-rocketed. Global spending on cybersecurity products and services is expected to increase at a compound annual growth rate (CAGR) of 7.7-14.5% between 2020 and 2026. CAGR is the growth rate over multiple periods, taking into account the effects of compounding.
Figure 1: Cyberspend is expected to grow at 7.7-14.5% CAGR (USD bn annually)
What does cybercrime look like?
Cybercrime can take various forms and is becoming increasingly sophisticated. Most attacks involve a user unwittingly clicking on dangerous links or opening harmful attachments that install malicious software (known as malware), enable the disclosure of confidential information and prevent legitimate users from accessing necessary systems and data.
Figure 2: Types of cyberattacks
Weak spots of cybercrime vulnerability
Email is the most common way attackers infiltrate a company’s systems and data. Employees therefore represent the biggest weakness, with the main cause of cybersecurity failures reportedly being human error. This could be an employee failing to install security updates in time, not using a strong enough password to protect sensitive data or falling prey to phishing emails.
On a global basis, 43% of firms view employee naivety about cybersecurity as their most significant organisational weakness, according to the 2021 State of Email Security Report issued by the cybersecurity provider Mimecast. This percentage is notably higher in some countries: in the UK, the Netherlands, South Africa and the United Arab Emirates, 50% or more of participants view employees’ lack of cyber knowledge as a major threat to their companies’ security, according to its survey.
Rob Hyde, Schroders’ chief information security officer and head of enterprise technology, said: “Training our employees is our best defence against cyber attacks. While we have high-security products to provide protection, ensuring our employees are educated as to how to spot a suspicious email or link is key to our ability to effectively guard our systems and data.
“Corporations have four key adversaries that we try to protect ourselves from. The ‘malicious outsider’ is someone external to the organisation that tries to penetrate our defences to access sensitive or proprietary information. The ‘malicious insider’ is similar but is an employee that we’ve trusted with access to such information. The ‘accidental insider’ is an employee who has unwittingly become part of an attempted attack by clicking on a harmful link or opening a harmful email. We also have the ‘supplier’, which refers to the risk we take on when engaging the services of third-party providers.
“We have measures in place to guard against all four of these and are constantly improving our protection as attackers are becoming increasingly sophisticated in how they try to penetrate our defences. The advent of cryptocurrencies, for example, is creating a means for attackers to profit from their actions in ways that the traditional financial services system would make very difficult,” he said.
Cybercrime can have a considerable impact on financial companies
Any firm that uses the internet is a potential target for cyber criminals, and a cyber attack can have a significant impact on a company, whether that’s financially or operationally.
There is also the reputational damage associated with security breaches. On average, it takes two years for a business’s reputation to recover after a data breach is revealed, according to research by HSBC. Meanwhile, share prices of affected companies tend to underperform by 15.6% in the following three years.
Figure 3 & 4: Effects of data breaches on reputation and share price
The finance sector tends to be the worst affected: it experienced the greatest decline in stock prices, of -16.7% on average against the Nasdaq, in comparison with the technology sector, which averaged -2.9%.
Figure 5: The finance sector tends to fare worst
Assessing a company’s cyber preparedness
A company’s cyber preparedness should be a crucial consideration in an investor’s investment decision. It is a business risk that investors can’t afford to ignore, according to Samuel Thomas, a sustainable investment analyst at Schroders.
“We use our proprietary ESG tool, Context, to help us measure how well a company is managing cyber risk. This involves assessing whether companies have a cyber security certification and ranking companies on how well they protect their customers’ data.
“We gain further insights through direct company engagement, focusing on how well a company can answer questions such as:
1) Is there responsibility for cyber security and data privacy at the board and management level?
2) How is the company’s technical expertise organised?
3) What training and monitoring of employees and suppliers is in place?
4) To what extent does the company work with external cyber security specialists?”
Fund managers Katherine Davidson and Charles Somers use the above approach to assess the cyber-preparedness of the companies they invest in.
Katherine says: “Ideally, we’d like to see more cyber security and data privacy expertise at the board and management level of the companies we invest in. Typically, this would include a chief information security officer or data protection officer in charge of cyber matters.”
Research by accounting firms Deloitte and Grant Thornton found that only 8% of FTSE 100 boards had a chief information security officer in 2018. Meanwhile, more than one-third of FTSE 350 companies that reported technology and cyber security as a key business risk in 2019 did not have directors with relevant expertise on their boards. In the oil and gas, consumer goods and financial sectors, this figure was 50% or more.
“We also want to see adequate protective systems and controls in place, rigorous and systematic testing of these systems and controls, and regular updates of security software,” says Charles.
“It’s important to us too that there’s appropriate training of employees and suppliers and that the security team use external specialists to keep up-to-date with industry trends and best practice.”
Kondi Nkosi is the Country Head, Schroders South Africa
BUSINESS REPORT