Why Cyber Insurance should be part of your risk management programme
As our reliance on the digital world increases, it is no real wonder that cybercrime is on the increase, and this has been clearly evident in the last twelve months.
For the opportunistic cybercriminal, it’s been a good time to commit cybercrime, as we have moved away from our usual routines and reliable systems. More of us have been working from home and online, which left an exploitable gap in our security as we quickly adapted to new ways of working.
According to Police data analysed by cyber security company Nexor, there was a 31% increase in cyber related cases over May and June last summer, as the UK wrestled with the first large wave of the pandemic.
The data highlighted that the most common attack in the UK occurred through email or social media, and accounted for 53% of all attacks on businesses, leading to substantial multi-million pound losses.
Scamming was found to be the second most common approach for attack and has included targeting businesses with fraudulent email communications that appear to be from the government in relation to the grant scheme. These have stolen company money or have downloaded ransomware, infecting systems and allowing criminals to take control of files in order to extort large sums of money in exchange for their release. Globally, cyber threats have taken all manner of forms, including fake investment opportunities in the development of Covid solutions.
The Cyber Security Breaches Survey 2020, released by the Department for Digital, Culture, Media & Sport (DCMS) revealed that nearly half of all businesses in the UK had reported cyber security breaches or attacks in the last 12 months but only 32% have insurance against such events.
Whether a big or small-scale event, a cyber-attack is likely to have serious consequences for any business – shutting systems, deleting data, preventing data access or stopping them from trading altogether. Dealing with the fallout of a cyber-attack can be complicated and stressful, not to mention time-consuming and potentially expensive.
We’ve taken a look at some of the cyber threats that your business may face and what you can do to protect yourself against them.
Understanding Cyber Threats
Understanding the types of cyber threats that your business may face will help you to manage the risk and be as prepared as possible. This will include a comprehensive risk assessment, a business continuity plan and the right level of insurance for your needs.
Firstly, let’s look at types of cyber-attack – what they are and how they occur:
Phishing is the fraudulent attempt to acquire sensitive information or data, such as log in data, passwords, credit card numbers, or other sensitive details by masquerading as a trusted entity. Communications appear to be legitimate and trick their victim into opening an email, a web page, or instant/text message.
Malware is any type of malicious software designed to harm or exploit a programmable device, service or network, and includes trojans, worms, ransomware and viruses.
Ransomware is a specific type of malware that infects your system, holding all data and systems to ransom until a fee has been paid.
Sources of Cyber Threat
It’s common to think that cyber threats against businesses come from unrelated hackers, cyber-attacks or ransomware and are big events, but sometimes they can be more subtle and come from sources a little closer to home.
There are four categories that cyber threats against a business typically fall into:
- Insider Threats
- Human error/negligence
- External threats and Hacking
- Third party systems and vendor threats
Let's take a closer look
Let’s bring these cyber exposures to life by taking a closer look at how they can occur.
Although it’s hard to think that your trusted employees would ever do something to harm your business, it does happen. A rogue or ex-employee could steal personal and business data, causing a negative impact on your business and a huge data breach.
Here are just a few examples of how this could occur:
If an employee is leaving your business, they may take contact details and sales data to use when they move to their new role. Or they could download your client email address lists and sell them online. A developer could create a ‘back door’ in your systems, so that they can be accessed by someone outside the company to extract data or drop in a virus or malware.
Any of the above activities could leave you open to prosecution for data breaches, and you may incur costs to get your systems back up and running again.
By far the largest cause of data breaches occurs because of human error, making it clear that negligence is a huge threat when it comes to cyber security.
It’s easily done and typically happens without knowledge or intent. It is relatively easy to mistype and receive information on the wrong person or company, or to send an email to the wrong recipient outside the company. You could click on a link in an email that looked to be from a safe sender, or visit a website that looked legitimate but exposes you to a virus. An employee may accidentally leave a laptop that isn’t password protected, or a folder full of data, on the train. These are realistic occurrences that could result in legal action if data breaches occur.
We can also include weak passwords in this category. With so many systems to log into at work and at home, it’s easy to use the same passwords for all and not to change them on a regular basis.
External threats and hacking are what we typically think of when we consider cyber security. These are threats from outside your organisation and include hacking and cyber-attacks created to leave malware on your systems to negatively affect your business. These may include viruses to wreak havoc in your systems and data, ransomware to hold data and files to ransom, or spyware to keep track of what you’re doing.
These actions can result in a loss of data, theft, access to your business systems or website or a complete shutdown of everything.
Third Party Threats
These potential threats come from third party systems, software, companies or individuals that have access to your data such as your cloud-based storage facilities, your data systems and even your website. They can include software or web developers, integrated external email marketing systems, or cloud server facilities such as Amazon or Dropbox.
If the cloud where your data is stored is hacked, you could lose access to it. Files could be lost completely or held to ransom, or a virus that gets into your cloud provider could infiltrate your systems too.
Your email marketing software could be hacked and expose client email addresses, or your web developer may accidentally publish confidential information on your website or add malicious code to your search box forcing the server to reveal information that it would normally not.
These are all scenarios that you don’t imagine will ever happen to your business, but the potential is there, and very real.
What do these threats mean for your business?
In real terms the first issue that you may face is the ability to continue to operate. Have you thought about how you would continue to run your business if you lost access to all your data? You could lose access to client and supplier data, order information, diary appointments, financial data, your website and more.
Aside from the financial loss that you could encounter from an immediate loss of sales, longer term sales could be affected by reputational damage. If clients or suppliers don’t trust that you will look after their data, they may choose to take their business elsewhere.
Then there’s the cost of rebuilding and replacing lost systems or creating a new website. Whatever problem the attack created will need to be fixed quickly.
Additionally, if a data breach has occurred, you are likely to face significant fines from the Information Commissioner’s Office.
All of the above will require money, time and resources, and will need to be addressed in a timely manner to help you retain customers, employees and your reputation. They may ultimately affect the future of your business.
Having a comprehensive contingency and business interruption plan in place along with adequate insurance will help you to address and quickly overcome any fallout from a cyber-attack. A robust plan is vital to make sure you meet your legal obligations regarding data breaches and to reassure your customers.
The benefits of Cyber Insurance
Cyber liability insurance is a must for any business because it provides you with protection and peace of mind, should the worst happen.
It will help with denial of service, which may occur with ransomware; with recovery from computer virus damage, which may have resulted in a significant loss of data; and with other data breaches such as the loss, or employee theft, of a memory stick or laptop.
Getting assistance quickly and from reputable, knowledgeable and reliable sources will be key in ensuring your business can continue to operate with minimal disruption.
If your business holds data on a computer system, even with anti-virus software in place, you can still be vulnerable to a breach.
Cyber Liability insurance will help with:
- Data recovery
- Business interruption
- Legal costs and potential compensation claims
- Meeting ransom demands
- Costs around informing clients of the breach
- Restoring equipment
We can help protect your business
At Barnes Commercial, we have partnered with leading A rated insurers who have extensive knowledge in the cyber-crime arena and can provide comprehensive and invaluable cover for organisations of any size. Our insurance programmes will ensure you have the support and guidance that you need to recover quickly and with minimal disruption from a cyber event.
If you think that cyber liability insurance will be far too costly, think again. The cover is relatively inexpensive and will provide you and your business with complete reassurance in the face of a data breach crisis.
If your business has a turnover of £5M or less, we can arrange an essential ‘Cyber Recovery Insurance’ package. This policy is only activated when a valid data breach is reported to the provider but can be highly effective in a time of crisis.
We recognise that every business is different and will have specific needs – our expert advisers will tailor their advice to your situation and requirements, arriving at an insurance programme that’s right for you.
You can contact us on 01480 272727 to speak to one of our expert advisers about your cyber liability requirements or read on for our cyber risk management advice.
Our advice on how to be best prepared
We recommend putting a robust cybersecurity strategy in place to sit alongside your insurance programme. You should create a cyber risk assessment and action preventative measures including a best practice guide. This will help to reassure your employees, customers, suppliers and any third parties, that you are as ready as possible in the event of a cyber threat.
To identify areas of weakness or vulnerability, you should assess the security of your information or data. Prevention is always better than cure, so review your current security strategy to ensure that you have the proper policies and best practices in place to meet any required standards or obligatory regulations. This should include a review of your security operations, network and data security to check that you are protected from exploitation and have prevention and monitoring procedures in place.
Carry out a cyber security assessment to identify the types of attack that you may be vulnerable to and assess how prepared your business is to respond to an incident. Consider your ability to detect malicious activity, the procedures you have in place to contain an attack and what your incident response process is.
Create a best practice guide to help prevent your exposure to cyber threats and share with all employees. This should include the use of strong passwords which are updated regularly. Software and systems should also be checked regularly, and updates actioned when due. The use of two-factor authentication, when available, should also be implemented.
Ensure you are following the most up to date guidance on GDPR and that your data protection officer has all the latest information. It’s a legal obligation of any business to ensure appropriate and proportionate security is in place to protect any personal data held, to safeguard the rights of individuals. You must also report any data breaches to the ICO within 72 hours of discovery.
Provide your staff with Cyber Security Awareness Training so they can spot suspicious looking communications, understand how hackers get in and the importance of strong passwords. Educating your entire organisation helps to minimise potential attacks and can also help to reduce internal security incidents. It’s also a good idea to create a robust reporting procedure to ensure that all employees are aware of any potential or recent cyber-attacks.
With more of us working from home, you should make sure your remote working methods are protected and procedures are adhered to by all.
Put together a business continuity plan and share with key employees for a coordinated, calm and fast reaction to an unexpected cyber event. Your immediate response to an event will be key to the overall impact on your business. Consider how you will contact everyone that may have been affected as a result of a data breach to help retain your customer database, customer confidence, brand reputation and trust.
Don’t wait until you have experienced a cyber-attack to put measures in place. Be proactive and help protect your business now. We can help you to develop a robust cyber security strategy as part of your complete insurance programme, managing your exposure to cyber risks.
Speak to us about arranging cyber liability insurance or carrying out a cyber risk assessment by calling us on 01480 272727 or emailing email@example.com