The growing threat and constantly-evolving risks of cybercrime and security breaches are set to change the face of business and spur ethical dilemmas for company directors, says BDO South Africa.

Speaking at the launch of BDO’s Cyber and Forensic Laboratory in Johannesburg, Graham Croock, director of IT Audit and Risk at BDO, said the constitution of company boards has to change in order to mitigate risk, with engineers and science graduates likely to run companies of the future.

“The old days of having accountants, auditors and lawyers sitting on boards, risk committees and audit committees is going to have to change. What you’re going to have to do is have a lot of younger, tech-smart people on those boards,” he said.

Having chief risk and chief security officers would also go some way in mitigating risk, he added.

Citing data from cybercrime.org.za, the audit tax and advisory services firm said South Africa is losing more than R1bn/year to cybercrime. Over 30% of local companies are targeted or victims of cybercrime, with only 35% of South African companies having incident response protocols. It said the country is expected to be the top target for cybercrime in Africa and third in the world in 2016.

According to David Cohen, an executive overseeing operations in BDO’s Cyber and Forensic Laboratory, businesses can take steps toward cyber readiness by understanding their unique set of risks, penetration testing, putting data recovery systems in place as well as simulating cyberattacks and training employees on how best to respond.

Cohen stressed that such measures should be ongoing, “nobody will sign off today and say that your infrastructure is secure, because really the odds are against each company. They have a CIO (chief information officer) and a group of people working with them, but if a syndicate gets together and wants to get into a system, there are very few that they won’t get into.”

Cyber readiness costs can range from tens of thousands of rands for small business to millions of rands for banks, he said.

Businesses appear particularly vulnerable to data breaches as hackers seek access to intellectual property, confidential project data, information about tenders and strategic and investment-related information. Based on experience, Croock said a common vulnerability to external threats among businesses is the misconfiguration of malware.

“When you have a disgruntled employee in your business, who is a little tech savvy, it is the most dangerous combination you can have because that person is going to attack your business from a cyber point of view and that’s going to end up in blackmail, disruption and delays in processing,” he said of internal risks. He adds that businesses ought to prioritise keeping staff happy and minimising the risk of disgruntled employees.

Although difficult to quantify, businesses that have been hacked also face serious reputational damage, which gives rise to ethical dilemmas for company directors.

“Do you disclose it or do you cover it up?” asked Croock. “You’ve got to do what is in the best interest of the company, so if you are going to do brand damage and you are going to cause bigger damage than the actual fraud, you must make a business decision. As a board you’ve got fiduciary duties to make that call and you’ve got to act in the most responsible way,” he said.