PwC: Why you should incorporate cybercrime into your risk assessments
Worldwide, digital technology continues to transform and disrupt the world of business, exposing organisations to a multitude of opportunities and threats. Therefore, it is hardly surprising that cybercrime continues to rise rapidly, ranking as the second-most reported crime in this year’s PwC Global Economic Crime Survey and taking fourth place from a South African perspective.
Cloud-based systems, which businesses have been quick to adopt for storing information, and the growing 'internet of things', where everyday objects are connected to the internet, are particularly vulnerable to cyberattacks. The rise in cybercrime has caught many businesses off guard with no plans in place to fend off online fraud.
Most organisations are still not adequately prepared for the risks they face, or do not even understand them, with only 35 percent of South African organisations reporting they have a fully operational cyber incident response plan in place.
The 2016 Global Economic Crime Survey interviewed 6,337 participants in 115 countries. In South Africa, 232 organisations from a broad spectrum of industries took part in the survey.
The incidence of reported cybercrime among our respondents is substantially higher this year, with a 23 percent increase reported from the previous survey conducted in 2014. So although cybercrime in the South African context has shifted two places from sixth to fourth position, it is the percentage increase that is more alarming. A third of respondents said they had been affected by cybercrime. Another 16 percent said they didn’t know whether they had or had not been victims of cybercrime.
In terms of financial losses, at least 27 percent of respondents who have experienced cybercrime had losses between $1 and $50,000 while 3 percent had experienced losses greater than $100 million. It is concerning to note that 14 percent of respondents don’t know or were unable to quantify financial losses even though they had been victims of cybercrime.
South African businesses considered financial losses to be the most damaging impact of a cyber breach, followed closely by legal implications and reputational damage. This differed from the global perspective, where reputational, legal and regulatory impacts were considered to be the most significant.
Over the last few years, cybercrime has evolved to a point where it can be classified into two categories: first, the kind that steals money or monetisable data and bruises reputations; and second, the kind that steals IP and lays waste to an entire business. The latter are usually classified as transfer-of-wealth attacks.
Although the long-term damage to organisations and the economy is far-reaching and far higher for transfer-of-wealth attacks, the theft of credit cards or personally identifiable information can also be damaging. This comes in the wake of the promulgation of privacy legislation such as the Protection of Personal Information (PoPI) Act and the impending Cybercrimes and Cybersecurity Bill. South African organisations will increasingly find themselves having to deal with regulators and other authorities in the event of an incident arising.
According to the survey findings, almost three quarters of organisations (69 percent - a 15 percent increase on 2014) see an increased risk of cyber threats. A disparity was noted between the responses of CEOs and CFOs: 83 percent of Chief Executive Officers and only 57 percent of Chief Financial Officers see an increased risk in cyber threats.
Responsibility for redressing cyber vulnerabilities requires input from the board to ensure risks are properly identified and addressed. However, the survey suggests that many boards are still not sufficiently proactive regarding cyber threats, and many do not understand their organisation’s digital policies well enough to assess the risks. Only 48 percent of boards are requesting information around cyber-readiness locally; this is slightly higher than the global average of 43 percent. Only 35 percent of respondents have a fully operational incident response plan; 13 percent don’t know if they have one; and 12 percent do not have one, nor do they intend to implement one.
Should a cyber crisis arise, only 34 percent of organisations have personnel that are ‘fully trained’ to act as first responders, and 20 percent of organisations indicate that they will make use of outsourced personnel. Through the investigations we have conducted we often find that organisations who make use of outsourced digital forensics providers only start procuring services when an incident occurs – and delays in the procurement process often result in a time lag during which critical evidence is lost or damaged.
On a closer study of incident response teams, we noted that teams are still weighted towards having more IT security personnel (73 percent) and IT staff (62 percent), while only 28 percent of organisations include digital forensic specialists.
Although organisations have made significant strides since 2014, in particular regarding their sophistication and preparation around cyber-attacks, most are still not adequately prepared to understand the risks they face or to manage incidents effectively. It is critical that companies incorporate cybercrime into their risk management assessments. Organisations need to understand and plan for cyber threats in the same way as any other potential business threat. This includes drafting a response plan, as well as monitoring and scenario planning.
5 minutes with... Janthana Kaenprakhamroy, CEO, Tapoly
Founder and CEO of award-winning insurtech firm Tapoly, Janthana Kaenprakhamroy heads up Europe’s first on-demand insurance platform for the gig economy, winning industry awards, innovating in the digital insurance space, and leading with inclusivity.
Here, Business Chief talks to Janthana about her leadership style and skills.
What do you do, in a nutshell?
I’m founder and CEO of Tapoly, a digital MGA providing a full stack of commercial lines insurance specifically for SMEs and freelancers, as well as a SaaS solution to connect insurers with their distribution partners. We build bespoke, end-to-end platforms encompassing the whole customer journey, but can also integrate our APIs within existing systems. We were proud to win Insurance Provider of the Year at the British Small Business Awards 2018 and receive silver in the Insurtech category at the Efma & Accenture Innovation in Insurance Awards 2019.
How would you describe your leadership style?
I try to be as inclusive a leader as possible. I’m committed to creating space for everyone to shine. Many of the roles at Tapoly are performed by women and I speak at industry events to encourage more people to get involved in insurance/insurtech. Similarly, I always try to maintain a growth mindset. I think it’s important to retain values to support learning and development, like reliability, working hard and punctuality.
What’s the best leadership advice you’ve received?
Build your network and seek advice. As a leader, you need smart people around you to help you grow your business. It’s not about personally being the best, but being able to find resources and get help where needed.
How do you see leadership changing in a COVID world?
I think the pandemic has proven the importance of inclusive leadership so that everyone feels supported and valued. It’s also shown the importance of being flexible as a leader. We’ve had to remain adaptable to continue delivering high levels of customer service. This flexibility has also been important when supporting employees as everyone has had individual pressures to deal with during this time. Leaders should continue to embed this flexibility within their organisations moving forward.
They say ‘from every crisis comes opportunity’, what opportunities do you see?
The past year has been challenging, but it has also proven the importance of digital transformation in insurance. When working from home was required, it was much harder for insurers to adjust who had not embedded technology within their operating processes because they did not have data stored in the cloud and it caused communication delays with concerned customers at a time when this communication should have been a priority, which ultimately impacts the level of customer satisfaction. This demonstrates the importance of what we are trying to achieve at Tapoly in driving digitalisation in insurance and making communication between insurers and distribution partners seamless.
What advice would you give to your younger self just starting out in the industry?
Start sooner, don’t be afraid to take (calculated) risks and make sure you raise enough money to get you through the initial seed stage.