According to our recent report – The Hiscox Cyber Readiness Report 2017 – it would appear that for the majority of businesses it’s a ‘not’. Over half (53%) of the 3,000 small to large businesses we researched in the UK, US and Germany are ill-prepared to deal with cyber-attacks while only a third of businesses (30%) qualified as ‘expert’ in their overall cyber readiness. And that’s not all; a worryingly high percentage (in the UK it was 35%) changed nothing following a cyber security incident. Such high levels of complacency could be a real issue for businesses given the financial and reputational damage that a successful cyber-attack can inflict.
From the perspective of an insurer offering cover for the cyber risk, the types of claims we are increasingly seeing also chime with those cyber incidents most commonly reported in our survey. For example, companies are increasingly vulnerable to cyber incidents involving their suppliers. Cyber criminals have realised that suppliers such as data hosting companies can be a rich information seam to mine. Malware attacks including ransomware are also becoming more prevalent particularly in areas like healthcare.
Don’t be short sighted
Take this example. An employee from a chain of opticians we insure received an email to say that she had been caught speeding and clicked the button which offered to show a photograph of her being caught in the act.
Shortly afterwards our client received an email to say that their systems had been infected with the Cryptolocker virus and that all the files on its servers were encrypted. The encrypted files included sensitive patient records and the software used to run the business.
The criminals requested bitcoins for the decryption key. We approved the client’s payment for the key providing reimbursement of the costs. But it didn’t end there. Unfortunately the decryption key only recovered 90% of the files and they needed an IT contractor to help them recover the remainder.
Prevent a cyber loss
Fortunately, their Hiscox Cyber and Data insurance policy covered them for business interruption as well as the costs of being unable to trade for a couple of days and not being fully up-to-speed for a couple of weeks. But there are some key steps that every business should take to help make incidents like this less likely and to significantly improve their readiness when it comes to the cyber threat. These steps include:
- Involve top management The overall responsibility for cyber risk should sit at board level and not with the IT team who need to ensure there is a consistent transfer of cyber security related knowledge up to senior management.
- Formalise your strategy Your cyber security strategy should have defined structures, processes and criteria to ensure decisions are based around the needs of the business.
- Training and resource Stepping up training can be a quick win. HR has a major role to play ensuring cyber security competencies are reviewed regularly.
- Document process Recording, tracking, documentation – these are areas where firms have scope for improvement at only moderate cost to the organisation. Make sure you have a core source of cyber security guidelines.
- Tighten up the technology Companies need to up their technology deployment, to use internal and external message encryption with the integration of strong authentication throughout the organisation.
- Transfer risk Consider transferring the risk to an insurer that specialises in cyber risks insurance. We found that 64% of companies that were expert in their approach to cyber risk had taken out cyber insurance.