You know all about the ransomware attack on Transnet last year, where SA’s major ports were shut down by cybercriminals. And you heard about the recent data hack at TransUnion South Africa, which – combined with a previous leak in 2017 – impacted the personal information of 54 million South Africans. You know about those cyberattacks, and dozens more like them, because they hit big businesses and large parastatals. Yet you haven’t heard about the thousands of similar attacks and data breaches at SA’s small businesses … and that’s exactly how cybercriminals want it to be.

The 2022 CyberEdge Cyberthreat Defence report found that, worldwide, businesses with more than 25 000 employees are less likely to be hit by a ransomware attack than smaller businesses – even though larger companies typically can afford to pay higher ransoms. Big attacks on big organisations catch the eye of national governments and law-enforcement agencies, which – as the report points out – is exactly what hackers don’t want.

SMEs are especially vulnerable to cyberattacks because they have limited budgets and limited financial resources for appropriate IT defence mechanisms. But there’s also widespread naivete, as SMEs operate under the false impression that they’re too small to be targeted.

Lior Arbel, co-founder of security visibility platform Encore, believes that’s the biggest mistake small businesses make. ‘It is quite the opposite,’ he says. ‘Attackers will first prey on targets that are easier to attack. If we take it to the commercial world, cyberattackers are looking for return on investment. If they try to attack a large organisation that has large budgets, they will need to work hard to penetrate it, and there is also a question of whether the organisation would be willing to pay, and how much. SMEs are usually easier to target and, in many cases, they will not have the necessary tools and experts to prevent a successful attack. Hackers also know that the chances of them paying is higher, because in many cases the impact to their business can be massive.’

Gilchrist Mushwana, director at BDO advisory services, agrees. ‘Cyberattacks have become headlines, mainly focusing on big businesses,’ he says. ‘This has created an impression that big business is where the focus should be to implement cybersecurity, not SMEs. The reality is that every business has become a technology business, not because it is a core business but out of the reliance on technology to operate.

‘For some SMEs, the subject of cybersecurity can be overwhelmingly complex. The perception may be that their operations are too small, or that their data is not theft-worthy. However, failure to protect a business – big or small – from cyberattacks will expose that business to reputation, financial and legal risks,’ he says.

As Steven Pieterse, founder of Cape Town-based software company Metisware, puts it, ‘bottom line: we all hear that cybersecurity is on the rise, but until it happens to you, it belongs in the “head in the sand” department’. He describes his company as ‘the geeks who sort out the aftermath’ of a ransomware attack or security hack.

‘We’ve seen what the result of a breach is and believe me, it’s not pretty,’ he says. ‘There has been a significant uptick in computer crime over the last few months.’ Between November 2021 and March 2022, his technical support team reported a 30% increase in hacks.

Pieterse adds that many of the clients he talks to are simply overwhelmed by what is required to ensure protection. ‘And with merit, as many antivirus plug-ins are often pushing their own sales “upgrade” agenda,’ he says. ‘This leaves many users apprehensive to keep signing up to the bottomless pit of security measures.’

As small businesses feel the pinch of the pandemic-hit economy, there’s a temptation to cut back on computer-security budgets. But when (as Mushwana emphasises) every company is a tech company, digital security is simply no longer optional.

The widespread surge in cloud adoption only heightens the risk. Brendan Kotze, chief development officer at Midrand-based cybersecurity company Performanta, warns that as businesses switch to cloud systems, they reduce their reliance on carefully engineered security systems.

‘Traditional security operates like a castle,’ he says. ‘It has deep moats, high walls, and access is checked at the gates. You distinguished between what was inside and outside your technology castle. Cloud technologies are decentralised. You might have a server at your premises, backups on a cloud server, and your employees use a remote third-party collaboration service, such as Slack or Teams. You cannot control that in the same way you used to apply security. It’s a very significant risk for companies.’

Simeon Tassev, MD of IT consultancy Galix, shares the frustrations of many in the industry about cybersecurity complacency. ‘Many small business owners underestimate the threat,’ he says. ‘The attitude, unfortunately, is often to say, “we know what’s best for us, and we don’t need cybersecurity protection”. There are all sorts of internal justifications around that. They’ll typically say, “I’m a small business. Who’s going to target me?”, but it has nothing to do with size or targeting.’

Tassev adds that cyberattacks on small organisations typically succeed because systems have not been patched or basic controls such as firewalls or antivirus software are not in place. ‘Weak passwords are also quite common,’ he says. ‘And a weak password can be cracked in a matter of seconds.’

That’s not to say that small-business owners are the only ones using laughably weak passwords such as ‘123456’ or (oh dear) ‘password’. A recent report by password manager NordPass looked at 290 million cybersecurity data breaches around the globe and found that CEOs and other top executives have the same (typically poor) password choices as the general public. As tech site PC Gamer muses, ‘imagine entrusting the livelihood of hundreds, even thousands of employees to someone who uses “123456” or “qwerty” as a password’.

The point is, though, that many small-business owners invest their entire financial future in their start-up or their SME. The thought of losing all of that to a lazy password or an ineffective antivirus programme should give those entrepreneurs sleepless nights.

‘We know it’s challenging for small organisations,’ says Tassev. ‘They don’t have the people or the resources to monitor for threats, but that only makes it more important to prioritise cybersecurity, to do a basic assessment of your potential risks, and to put the appropriate protection in place. Far too many businesses have been put out of business because they just didn’t understand what “appropriate protection” means for them.’

That protection will, inevitably, come at a cost. But it’s a cost that has to be paid. ‘By working with cybersecurity firms, SMEs can get better protection and better coverage at a much lower cost than trying to do it on their own,’ says Arbel.

‘Remember that attackers can come from all over the world, so they work across different time zones, and therefore organisations need to make sure their protection is also around the clock running 24/7. A managed security service can provide that.’

Mushwana agrees. ‘Engaging specialists in cybersecurity would be a wise move to assure that business operations are protected from cyberattacks that may expose your business to reputational, financial and legal risks. Any organisation must have visibility of its IT and digital assets, evaluate risks and establish maturity, and develop a security plan to address vulnerabilities and achieve the desired security posture. The budget must be prioritised based on the impact and probability of the cyber risk.’

The cost-benefit analysis is fairly simple. According to Mimecasts’ State of Ransomware Readiness report, the average ransom demanded from SA cybercrime targets is $213 884. That’s higher than what attackers are demanding from Australian ($59 066) and German ($197 727) targets. (Organisations in the US and Canada, incidentally, were hit hardest, with ransom demands in those markets averaging around $6.3 million and $5.3 million respectively.)

In SA, 78% of survey respondents claimed that they could retrieve all their data without paying the ransom. Yet more than half (52%) admitted to paying the ransom in full. Given that just 47% reported having file back-ups that would allow them to avoid having to pay the ransom, it makes sense that the numbers don’t add up, and why so many local companies ended up paying the ransom.

‘Ransomware is a good example,’ says Tassev. ‘Cybercriminals will attack you, ask for an exorbitant ransom, and then you have a choice to pay or not to pay. And even if you do pay, you don’t know if your data has been compromised. That could be the end of your business. That’s why, for smaller organisations, it’s even more important to understand the risks and to put the controls in place.’

Back-up files, firewalls, strong passwords and up-to-date antivirus programmes are basic cybersecurity steps; yet it’s astounding how few of SA’s small businesses have them in place.

Security experts such as Arbel, Mushwana, Pieterse, Kotze and Tassev have seen the disastrous effects of poor cybersecurity. Perhaps that’s why Tassev is so candid about the need for SMEs to spend money on cyberprotection.

‘If that’s what you need to do, that’s what you need to do,’ he says. ‘It’s not a choice. And there is a lot of security awareness out there, so you can’t say you didn’t know about phishing or ransomware either. Sorry, it’s no longer an acceptable excuse. Your organisation must be mature enough to understand the risk, and put whatever controls and processes are needed in place to protect it.’

By Mark van Dijk
Image: Gallo/Getty Images