THE THREAT OF CYBER SECURITY BREACHES AND WHY BUSINESSES ARE PLAYING CATCH-UP WHEN IT COMES TO PROTECTION

Graham Wedgbury, cyber insurance specialist at Lycetts

 

Cyber security is experiencing an expeditious climb up the business agenda, thanks chiefly to more stringent data protection laws and in response to the omnipresent and ever-evolving threat of attack.

Despite an increase in awareness and a general shift from reactive to proactive security measures, many businesses are still playing catch-up when it comes to protection.

The somewhat ‘invisible’ threat of cyber breaches or attack is still a relatively new concept for businesses, so traditional business risks may still take precedence and priority – resulting in a reticence to redirect resources and invest in defences.

But as technology continues to develop at an exponential rate, so too do the opportunities to exploit vulnerabilities, extort funds and expose businesses. In essence, the more we take advantage of the growing technologies to make our business run smoothly, the more vulnerable we become to over-reliance on those very systems should they fail.

According to the Mandiant M-Trends 2020 report, cyber criminals are becoming more innovative and varied in their approach, with 41% of the malware families observed in 2019 identified as new.

The report also found that the discovery time – the duration between the start of a cyber intrusion and it being identified – was 56 days.  Though an improvement, thanks largely to law changes in Europe, 12% of investigations continue to have discovery times of greater than 700 days.

The report also highlighted the need for vigilance, particularly in the case of businesses who have been previously attacked, with one third (31%) of victims experiencing another attack within 12 months.

In this digital age, businesses can ill-afford to take a fragmented, disjointed or lacklustre approach to cyber security and should remember that fulfilling legal requirements and having a holistic cyber security strategy are not one and the same.


The rise in remote working, cloud computing and BYOD, along with more sophisticated and less easily detectable methods of attack, from phishing to malware, further compounds businesses’ exposure to cyber risk and underlines the need for more robust measures to prevent a breach and a plan of action should it occur.

 

SMEs don’t ‘fly under the radar’

A common misconception when it comes to cyber security is that some businesses are too small or insignificant to suffer an attack or be a target.

Almost one quarter (23%) of UK businesses have no governance measures, such as cyber security policies, an external cyber security provider, staff members covering information security or governance, or a business continuity plan, according to the UK government’s Cyber Security Breaches Survey.

The most common reason given is that they consider themselves too small or insignificant to warrant such measures (35%), followed by cyber security not being considered enough of a priority (21%), and not considering cyber-attacks to be a significant risk (19%).

However, being a small operation has no bearing on vulnerability.

Most companies are in the same situation, with SMEs making up 90% of businesses worldwide (World Bank).

The very fact that smaller businesses are less likely to take cyber security seriously could make them an attractive target.

It would also be remiss to dismiss cyber security on the basis that it is not relevant – be it on size or nature of the business.

Companies may see themselves as ‘offline’ but, according to a study commissioned by Deloitte, 99% of SMEs say they use at least one digital tool in their day-to-day operations.

From using a computer to operate, and having a company website, to storing data in the cloud, or using employee email addresses, there are a great number of seemingly ‘innocuous’ cyber risks that leave businesses exposed and vulnerable.

Businesses should remember that an attack can not only be costly, but can negatively impact on the business’ reputation, brand, employee morale and relationships with investors – it has the potential to cause irreparable damage.

 

Calling out for clarity

It takes more than a recognition of a problem to effect change.

One of the stumbling blocks for businesses is a lack of knowledge or direction when it comes to becoming more cyber-secure.

Others may not have quite grasped the severity of the impact of attacks, due to the relative infancy of cybercrime, making security an afterthought or low on their priority list.

According to the Cyber Security Breaches Survey, around three in ten businesses (32%) say they are not sure how to act on the advice they have seen or heard around cyber security, whilst just seven per cent of businesses have sought out government or public-sector information.

This perceived lack of clarity on what businesses should be doing, or uncertainty of what is relevant to individual businesses, is reflected in the low number of businesses investing in specific cyber security insurance.

Just one in ten businesses (11%) say that they have a specific cyber security insurance policy, and a further 15% of businesses said they have previously considered but ruled out having cyber insurance.

Top reasons for not having cyber insurance include a lack of awareness of cyber insurance (23%) and considering themselves to have too low a risk to warrant it (22%).

For those who did have specific cyber policies, motivation went far beyond potential loss, with access to breach management and forensic teams, proof of diligence and peace of mind being key drivers.

Whilst basic crime policies cover fraudulent online attacks, they have limitations.  Often selected as ‘bolt-ons’ to conventional policies, they do not address the full range of exposure, leaving gaps.

Only specialist cyber policies provide the comprehensive protection needed in the event of an attack, including data breach, cyber extortion, the cost of professional assistance in mitigating loss, the costs of fines, and in some cases, ransom payments.

The cyber insurance market is becoming more dynamic, in response to evolving need and demands, with many insurers and brokers now helping customers with contingency planning, establishing an understanding of the implications of cyber breaches, evaluation of risk, and putting security measures and crisis action plans in place, should the worst happen.

Many cyber security insurance policies also provide swift legal and public relations advice post-breach, to help companies decide how and when to communicate an incident to their customers.

With active groups on the increase and methods becoming more aggressive, one thing is clear: complacency when it comes to cyber security is not an option for businesses – all organisations are vulnerable to attack, no matter how large or small, and should take steps to protect themselves.

 
