
Why investors should care about cybersecurity

Investors need to consider cyber preparedness in their investment decisions.

Today, 100% of companies rely on the internet to operate, compared to one in four 10 years ago, according to a study from Accenture. Add to this greater connectivity the increased volume of data being handled by companies and the shift to remote working brought about by Covid-19, and it’s not hard to see why cybercrime represents a significant risk for organisations.

Cybercrime in the headlines

There has been a spate of recent high-profile cyberattacks in which significant companies have been held to ransom. Across the globe, giants such as Colonial Pipeline, the largest fuel pipeline in the United States (US); JBS, the world’s biggest meat processing company; and even Ireland’s National Health Service have all been victims of cyberattacks.

Locally, there have been a number of cyber breaches across the country, with victims that include key bodies such as the Department of Justice (DOJ) and the South African National Space Agency (Sansa). The DOJ reported that all of its information systems were encrypted, and subsequently internal employees and members of the public were unable to access important data.

These are just a few examples of recent ransomware attacks, a type of cyberattack that involves locking users out of their own files or systems and demanding a ransom in return for access. In Colonial Pipeline’s case, the ransom was $4.4 million, while JBS was forced to pay the equivalent of $11 million.

Other examples include the foreign exchange company Travelex, which was held to a $6 million ransom in early 2020; the attack on British Airways in 2018, which resulted in a $26 million fine for the company because it was found not to have sufficient security measures in place; and the 2016 hack into the central bank of Bangladesh’s systems, where criminals made off with $81 million.

Many attacks don’t make the headlines. On a global basis, it’s reported that more than 30 billion data records were stolen in 2020. This is more than in the prior 15 years put together. In the US alone, the FBI received a record of nearly 800,000 cybercrime complaints in 2020, a 69% increase on 2019’s total complaints, with reported losses of more than $4.1 billion. In Europe, cyberattacks increased by 75% over 2020 compared to 2019.

Cybercrime prevention: spending surge

The cost of cybercrime globally is expected to hit $6 trillion annually in 2021, and $10.5 trillion by 2025, according to Cybersecurity Ventures, a cyber research company. Cybercrime costs include damage and loss of data, money, productivity, intellectual property, business interruption, the restoration of hacked data and systems and reputational damage.

As a result, spending on protection mechanisms has skyrocketed. Global spending on cybersecurity products and services is expected to increase at a compound annual growth rate (CAGR) of 7.7-14.5% between 2020 and 2026. CAGR indicates the growth rate over multiple periods, taking into account the effects of compounding.

Figure 1: Cyberspend is expected to grow at 7.7-14.5% CAGR (USD bn annually)

What does cybercrime look like?

Cybercrime can take various forms and is becoming increasingly sophisticated. Most attacks involve a user unwittingly clicking on dangerous links or opening harmful attachments that install malicious software (known as malware), enable the disclosure of confidential information and prevent legitimate users from accessing necessary systems and data.

Figure 2: Types of cyberattacks

Weak spots of cybercrime vulnerability

Email is the most common way attackers infiltrate a company’s systems and data. Employees therefore represent the biggest weakness, with the main cause of cybersecurity failures reportedly being human error. This could be an employee failing to install security updates in time, not using a strong enough password to protect sensitive data or falling prey to phishing emails.

On a global basis, 43% of firms view employee naivety about cybersecurity as their most significant organisational weakness, according to the 2021 State of Email Security Report issued by the cybersecurity provider Mimecast. This percentage is notably higher in some countries: in the UK, the Netherlands, South Africa and the United Arab Emirates, 50% or more of participants view employees’ lack of cyber knowledge as a major threat to their companies’ security, according to its survey.