Many organisations are failing to learn about what they are up against from both a data protection and cybersecurity perspective. They might be aware that they need to have strategies in place to protect their business from being disrupted by cybercriminals, but can they get up and running quickly after an attack or breach?
With companies putting more data and services online, business models rely on connectivity and enhanced IT services to meet growing consumer demands for flexibility, ease of access, and convenience. But it is this connectivity desire, to be ‘always-on’, which introduces more vulnerabilities and ‘threat surfaces’ from an increasing number of third-party sources.
Cyber insurance explained
Traditional data protection strategies have centred around the three foundational components of IT: people, process and technology.
Data protection with people begins with education and a continuous focus on making employees aware of the most recent threats in the industry. While this is critical, it is impossible to achieve full organisational protection in this way. It only takes one weak link, or one unknown threat, before the data is compromised.
Focusing on process is also essential. As many have pointed out, recent ransomware attacks would have been mitigated if patches had been applied on a timely basis. And finally, traditional data protection employs technology for network and endpoint protection such as firewalls and anti-virus. All these protections are essential and should not be ignored.
But these are no longer sufficient as evidenced by the explosive growth of cyber insurance.
Cyber insurance is not entirely new, but it has been growing (unsurprisingly) at a similar pace to malware and ransomware. In 2015, PwC set the cyber insurance market at $2.5 billion with a projected market size of $7.5 billion in 2020. Recent incidents have shown the adverse effect of malware on government agencies and businesses, making this a board-level topic with a demand for better protection.
Costs of ransomware are not just connected with the ransom demand itself. In fact, the amounts requested are often below R15 000. But this does not factor in the tangible internal costs such as incident response, forensics, customer call centre support increases, legal engagement, and public relations. External costs and insurance coverage are associated with the liability of failing to keep the data secure.
In South Africa, insurers have started offering cyber liability solutions to address the growing concerns around ransomware and other malicious attacks. This is especially important given how the likes of the Personal Information Act (POPI) and the Cybercrimes and Cybersecurity Bill are putting increasingly complex compliance requirements at the door of businesses. Failure to adequately protect data can result in significant financial and reputational damage, not to mention the potential for fines and all the costs associated with them.
It is especially the Cybercrimes and Cybersecurity Bill, designed to establish a coordinated approach for the country to fight cybercrime, that is causing concern for many companies. With the deadline for comments gone, expectations are that government will clarify many of the provisions in the bill, as it could have a significant impact on business processes and technology.
Mitigating the ransomware risk
There is another fundamental insurance component that many have ignored — data backup with air-gapped protection (the process of isolating a backup from the live network). Backup and validation of data restore is the cyber insurance that provides the most immediate and tangible benefit to the enterprise when compromised.
With proper technology and process in place, recovery time objectives (RTOs) can be minimised for critical systems, with the added benefit of leveraging the data to set up virtual labs where forensics can be applied to the incident. This insurance not only provides availability for the business, but confidence for the board that they are better prepared.
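The two controls described above, an isolated backup copy whose integrity can be checked, and a restore that is actually exercised and timed against the RTO, can be turned into a routine check. The following Python script is an added example written for this article, not code from the author or any vendor: it records a SHA-256 manifest of a backup set, verifies the set against that manifest (detecting files that went missing or were overwritten), and performs a test restore into an isolated directory while measuring the elapsed time against a recovery time objective. The file names, the `manifest.json` name, and the sample contents are constructed for the demonstration; in practice the manifest would live with the air-gapped copy rather than on the live network.

```python
"""Backup manifest verification and timed test restore (constructed example)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # hypothetical manifest file name


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Record the hash of every file in the backup set and write it beside the data.
    The manifest belongs on the isolated (air-gapped) copy, not on the live network."""
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            manifest[p.relative_to(backup_dir).as_posix()] = sha256_file(p)
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, manifest: dict) -> list:
    """Return a list of problems; an empty list means every file matches the manifest."""
    problems = []
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"{rel}: missing")
        elif sha256_file(p) != expected:
            problems.append(f"{rel}: hash mismatch")
    return problems


def timed_restore(backup_dir: Path, restore_dir: Path, manifest: dict, rto_seconds: float) -> dict:
    """Restore into an isolated directory, verify the result, and compare elapsed time to the RTO."""
    start = time.monotonic()
    for rel in manifest:
        dest = restore_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, dest)
    problems = verify_backup(restore_dir, manifest)
    elapsed = time.monotonic() - start
    return {"ok": not problems, "problems": problems,
            "elapsed_s": elapsed, "within_rto": elapsed <= rto_seconds}


def demo() -> dict:
    """Constructed scenario: a clean backup and test restore, then one file deleted
    and one overwritten to show what a corrupted or encrypted backup set looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backup = root / "backup"
        sample = {"docs/invoice.txt": b"invoice 001\n",        # constructed content
                  "db/customers.csv": b"id,name\n1,Alice\n"}   # constructed content
        for rel, content in sample.items():
            (backup / rel).parent.mkdir(parents=True, exist_ok=True)
            (backup / rel).write_bytes(content)
        manifest = build_manifest(backup)
        clean = timed_restore(backup, root / "restore", manifest, rto_seconds=60)
        # Simulate damage to a backup left reachable from the live network.
        (backup / "docs/invoice.txt").write_bytes(b"\x00garbage")
        (backup / "db/customers.csv").unlink()
        tampered = verify_backup(backup, manifest)
        return {"files_in_manifest": len(manifest), "clean_ok": clean["ok"],
                "clean_within_rto": clean["within_rto"], "tampered_problems": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script on a real backup set is the "validation of data restore" the article refers to: the first verification proves the copy is intact, the timed restore proves it can be brought back within the RTO, and the second verification shows the manifest catching both a missing file and an altered one, which is exactly the evidence an insurer or board would want to see.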
A second, real and tangible benefit is that employing a viable availability solution can reduce the cyber insurance premiums that are paid by the business. Annual costs for cyber insurance are considerable, depending on revenue, industry, and company size. However, one of the factors that determines the premiums is the set of existing protections that have been implemented, just as is the case with house or car insurance. Ensuring that a business has a comprehensive availability solution can potentially reduce the costs (and premiums) associated with first-party coverage.
When assessing your client’s current data protection situation, it is important to remember the client should not strive to make themselves hack-proof. The speed at which attacks are changing means this is virtually impossible. Rather, your client should make their security as robust as possible and ensure their backups are not solely located on their network, to eliminate the possibility of attack or corruption. With respect to ransomware, it is common for attackers to look at smaller or midsize businesses for a way into bigger enterprises, so don’t be the weakest part of the supply chain, and scrutinise the structure of your client’s partners.
A combined approach of having your client’s processes in place, making them a less attractive target through routinely carrying out updates and backups, and having a data protection insurance policy — inclusive of a cyber insurance plan and an availability solution in place — is smart business practice.
The reality is that a data disaster will happen sooner or later. Decision-makers, therefore, need to continuously evaluate what could go wrong and whether they are able to recover quickly enough to continue normal business operations. Irrespective, an availability solution and cyber insurance policy should be standard elements in the risk management strategy of a company if they are to ensure its ongoing sustainability.