The cost of South Africa’s COVID-19 security scramble
South African corporates lagged behind more developed markets in terms of the level at which their security infrastructure was prepared to handle the shift to work-from-home infrastructure during COVID-19 lockdowns.
This is according to a new global report released by cyber security firm McAfee, titled “The Hidden Costs of Cybercrime,” which focuses on the significant financial and unseen impacts that cybercrime has worldwide.
The report, conducted in partnership with the Centre for Strategic and International Studies (CSIS), concludes that cybercrime costs the world economy more than US$1-trillion, or just more than 1% of global GDP, which is up more than 50% from a 2018 study that put global losses at close to US$600-billion.
Beyond the global figure, the report also explored the damage reported beyond financial losses, finding 92% of companies felt effects beyond monetary losses.
“The severity and frequency of cyberattacks on businesses continues to rise as techniques evolve, new technologies broaden the threat surface, and the nature of work expands into home and remote environments” said Steve Grobman, SVP and CTO at McAfee. “While industry and government are aware of the financial and national security implications of cyber-attacks, unplanned downtime, the cost of investigating breaches and disruption to productivity represent less appreciated high impact costs. We need a greater understanding of the comprehensive impact of cyber risk and effective plans in place to respond and prevent cyber incidents given the 100s of billions of dollars of global financial impact.”
Carlo Bolzonello, country manager for McAfee in South Africa, outlined the situation from a local South African perspective.
“In South Africa, businesses were forced to scramble to establish work-from-home infrastructure for their employees to ensure business continuity through the COVID-19 lockdown imposed by the South African government in late March 2020 – but, compared to more developed markets, few corporates’ security infrastructure was geared for this shift,” said Bolzonello.
“While many managed the shift, they were unwittingly vulnerable to security breaches, whether they were accidental data leaks, private data being maliciously shared by disgruntled employees, or targeted hacks from global crime syndicates. Organisations equipped with a cloud-based advanced threat management solution that offers complete coverage across the attack lifecycle, would have helped security operations centres prioritise issues to protect what matters, easily and efficiently,” he added.
The hidden costs of cybercrime
The theft of intellectual property and monetary assets is damaging, but some of the most overlooked costs of cybercrime come from the damage to company performance. The survey revealed 92% of businesses felt there were other negative effects on their business beyond financial costs and lost work hours after a cyber incident.
The report further explored the hidden costs and the lasting impact and damage cybercrime can have on an organisation, including:
· System Downtime – Downtime is a common experience for around two thirds of respondents’ organisations. The average cost to organisations from their longest amount of downtime in 2019 was US$762,231. Thirty-three percent of survey respondents stated IT security incident resulting in system downtime cost them between US$100,000 and US$500,000.
· Reduced Efficiency – As a result of system downtime, organisations lost, on average, nine working hours a week leading to reduced efficiency. The average interruption to operations was 18 hours.
· Incidence Response Costs – According to the report, it took an average of 19 hours for most organisations to move from the discovery of an incident to remediation. Many security incidents can be managed in-house, but major incidents can often require outside consults with high rates that form a significant portion of the cost of a large-scale incident.
· Brand and reputation damage – The cost of rehabilitating the external image of the brand, working with outside consultancies to mitigate brand damage, or hiring new employees to prevent against future incidents is part of the cost of cybercrime. 26% of the respondents identified damage to brand from the downtime experienced because of a cyber-attack.
Companies unprepared for cyber incidents
Through the research and analysis, the report found a lack of organisation-wide understanding of cyber risk.
According to McAfee this makes companies and agencies vulnerable to sophisticated social engineering tactics and, once a user is hacked, not recognising the problem in time to stop the spread.
According to the report, 56% of surveyed organisations said they do not have a plan to both prevent and respond to a cyber-incident. Out of the 951 organisations that actually had a response plan, only 32% said the plan was effective.
The report concludes with key ways for businesses to deal with cybercrime. These include uniform implementation of basic security measures, increased transparency by organisations and governments, standardisation and coordination of cybersecurity requirements, providing cybersecurity awareness training for employees, and developing prevention and response plans.