• The Business Owner

Cyber Risks and Insurance Solutions to SME UK businesses

In case you weren’t aware, the risks to businesses from cyber criminals in 2021 are large, and the problem is growing and only going to get worse. Over the past 12 months e-criminals have exploited staff working from home on devices with weaker endpoint security, stepping up their activity and taking hacking to an all-time high. There has never been a more crucial time to review your cyber security protocols, take any necessary steps to strengthen them and get robust cyber insurance in place, to ensure the continuity of your business should the worst happen.

Caveat: It is very important that companies understand that even the most robust cyber defence doesn’t guarantee 100% security, so having cyber insurance is an important backstop, augmenting the steps the business should already be taking to defend itself. Strong security protocols together with a bespoke insurance policy can make sure you are appropriately covered.

In its report, ‘Cyber Security Breaches Survey 2020’, the Government’s Department for Digital, Culture, Media and Sport presents some sobering facts: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2020

  • Fact: Almost 46% of businesses report having cyber security breaches or attacks in the past 12 months

  • Fact: 32% of those businesses hacked said they were experiencing issues every week in 2020

  • Fact: Phishing attacks rose from 72% to 86% in 2020 (Viruses and Malware dropped from 33% to 16%)

  • Fact: Amongst businesses attacked, one in five experienced a material outcome, losing money or data. Two in five were negatively impacted, e.g. requiring new measures, having staff time diverted or suffering wider business disruption.

  • Fact: The average cost to businesses that experienced hacks was £3,230 rising to £5,220 for medium to large firms.

  • Fact: Only 32% of businesses report being insured against cyber risk

  • Fact: Insurers ‘often played a major role in guiding organisations on cyber security’

Basic information security protocols for any business

If you own a business, chances are you have laptops, mobile phones, staff, customers, products, payments, etc. Cyber criminals are after your data, money, intellectual property, or they’ll simply hijack your digital systems and hold you to ransom until you pay for the release (ransomware).

What is the bare minimum you should be doing?

- Backing up your data

- Protecting your organisation from malware by installing the right software

- Keeping your smartphones (and tablets) safe through password protection

- Using complex passwords to protect your data

- Avoiding phishing attacks by ensuring your people are aware of what to look for

If you aren’t sure that you are doing enough, run through this really useful guide from the National Cyber Security Centre. https://www.ncsc.gov.uk/collection/small-business-guide

If you think you are already well protected, why not go through their ‘Exercise In a Box’? https://exerciseinabox.service.ncsc.gov.uk/ It is completely free of charge and their website describes it as a tool to:

‘…. help you to find out how resilient your organisation is to a cyber attack, and to practise your response to critical cyber incidents in a safe environment.’

What kinds of attacks should you look out for?

We could be here all day writing about different cyber attacks, but the phishing attack is one of the most common that you and, crucially, your staff should be aware of. Phishing attacks are a form of social engineering: somebody manipulating you, a human rather than a computer, into doing something for them.

How does it work? Generally, you will receive an email or a text from an organisation or individual you may know which, without closer inspection, looks genuine. In reality, they are trying to get you to click on a link or provide information which could allow them unfettered access to your entire business.

With a phishing attack, one click is all it takes.

A donation diversion – A phishing attack

The Phish

The financial controller of a medical research company received an email purporting to be from the Microsoft Office 365 Support Service. The email said that some messages addressed to him had been quarantined for safety, but that he could access them by clicking on the link below. Naturally he wanted to see the emails he’d been sent, so he clicked on the link and entered his Microsoft login details when prompted in order to view them. He’d just been socially engineered.

They’re in

Now the hacker had full access to the financial controller’s computer. They accessed his inbox and set up a forwarding rule so that all emails arriving from a specific charity, which paid the research company large, regular sums of money, were moved to a dormant folder and immediately marked as ‘read’.
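A mailbox rule like the one above is a classic sign that an account has been taken over, and it is easy to check for. The following is an added example written for this article, not code from the original page, CFC or Partners&: it scans a list of inbox rules and flags the pattern described in the case study (mail from a particular sender moved out of sight and marked read) along with the related pattern of forwarding to an external address. The rule records are constructed sample data, and the field names are assumptions loosely modelled on the attributes an Exchange Online inbox rule export exposes, not a real export.

```python
# Added example: a defender-side check for attacker-style inbox rules.
# Field names and sample rules are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Folders users rarely route mail to deliberately but account hijackers often use
SUSPECT_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                   "junk email", "deleted items"}


@dataclass
class InboxRule:
    """A simplified inbox rule (constructed model, not a real export format)."""
    name: str
    enabled: bool = True
    from_addresses: List[str] = field(default_factory=list)  # senders the rule matches
    move_to_folder: Optional[str] = None                      # destination folder, if any
    mark_as_read: bool = False
    forward_to: List[str] = field(default_factory=list)       # forwarding targets, if any
    delete_message: bool = False


def is_external(address: str, internal_domain: str) -> bool:
    """True when the address is outside the organisation's own mail domain."""
    return not address.lower().endswith("@" + internal_domain.lower())


def assess_rule(rule: InboxRule, internal_domain: str) -> List[str]:
    """Return the reasons a rule looks like attacker persistence (empty = benign)."""
    reasons: List[str] = []
    if not rule.enabled:
        return reasons

    # Pattern from the case study: a specific sender's mail is diverted and hidden
    if rule.from_addresses and rule.move_to_folder and rule.mark_as_read:
        reasons.append(
            f"moves mail from {', '.join(rule.from_addresses)} to "
            f"'{rule.move_to_folder}' and marks it read"
        )
    if rule.from_addresses and rule.delete_message:
        reasons.append(f"silently deletes mail from {', '.join(rule.from_addresses)}")

    # Folders commonly used as a hiding place
    if rule.move_to_folder and rule.move_to_folder.lower() in SUSPECT_FOLDERS:
        reasons.append(f"routes mail to rarely used folder '{rule.move_to_folder}'")

    # Exfiltration of mail to an address outside the organisation
    external = [a for a in rule.forward_to if is_external(a, internal_domain)]
    if external:
        reasons.append(f"forwards mail to external address(es): {', '.join(external)}")
    return reasons


def find_suspicious_rules(rules: List[InboxRule], internal_domain: str) -> Dict[str, List[str]]:
    """Map each suspicious rule name to the list of reasons it was flagged."""
    findings = {}
    for rule in rules:
        reasons = assess_rule(rule, internal_domain)
        if reasons:
            findings[rule.name] = reasons
    return findings


# Constructed sample rules for a fictional research company (domain research.example)
SAMPLE_RULES = [
    InboxRule("Newsletters", from_addresses=["news@newsletter.example"],
              move_to_folder="Newsletters"),                        # ordinary filing rule
    InboxRule("Charity", from_addresses=["accounts@charity.example"],
              move_to_folder="RSS Subscriptions", mark_as_read=True),  # case-study pattern
    InboxRule("Backup copy", forward_to=["mailbox@external-mail.example"]),
    InboxRule("Colleague copy", forward_to=["colleague@research.example"]),
    InboxRule("Old rule", enabled=False, delete_message=True,
              from_addresses=["accounts@charity.example"]),         # disabled, ignored
]

if __name__ == "__main__":
    for name, reasons in find_suspicious_rules(SAMPLE_RULES, "research.example").items():
        print(f"{name}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the constructed sample, only the ‘Charity’ and ‘Backup copy’ rules are reported; the ordinary filing rule, the internal forward and the disabled rule are left alone. In practice the same check would be run periodically over every mailbox, and any newly created rule that matches should be treated as a potential account compromise.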

The diversion

The fraudster then emailed the charity’s accounts department, asking them to send all future payments to a new bank account. No suspicions were raised at the charity, as the request came from a verified account known to them. The next payment sent was £76,328, but of course it never arrived. It was only when the financial controller of the research company rang the charity to chase the payment that the hack was uncovered.

The recovery

Thankfully, one of the banks involved was able to claw back £27,653, and the charity claimed for the remaining £48,675 under the cybercrime section of its insurance policy with one of our trusted brokers, CFC. Without cover the charity would have suffered an unthinkably large loss.

How could this have been avoided?

2 Step Authorisation - Aside from recognising the bogus email in the first place, this attack could have been avoided by the research company having 2-step authorisation set up on its email account, i.e. every time the account is logged into, a second form of identification is required (sometimes a code sent by text) to confirm that the person trying to access the account is genuine.

Call Back Procedure - If the charity had had a ‘call back’ procedure in place, whereby all requests to change bank account details or anything similar were double-checked by an actual phone call to a known number, then this would have been stopped before the damage was done.

Help is at hand

We understand that this can be rather daunting and that you may feel you need help to navigate this potential minefield: what are your risks? Are you doing enough? What more do you need to do? So we’ve created an industry-leading cyber proposition package to help our clients identify, manage, insure and respond to cyber-attacks.

The Partners& cyber proposition is:

  • Risk insights – a library of documents that we share with clients, informing them about cyber risk:

- What it is and how it affects them

- What cyber risk looks like in their industry/sector

  • Cyber case studies by industry/sector

  • Kynd Reports – (via our ecosystem partner Kynd) we provide a free analysis of the external cyber threats facing the client’s organisation, presented in a Red-Amber-Green format, as a PDF document. These reports include a section that compares the client’s level of cyber security against its industry/sector peers.

  • Tailored Cyber Insurance Quotes:

- Fully configurable cover/limit options

  • Benchmarking data – coverage - showing how much coverage organisations in each sector usually buy (something clients often ask: “How much cover do we need?”)

  • Benchmarking data – types - showing the types of cyber claims prevalent in each sector, ranked by the level of financial impact they have on the organisation

  • Breach Response smartphone app, with ‘ask us anything’ technical service, instant reporting of cyber events, and always-on threat detection for a client’s network.

  • Cyber Security Services – (via our ecosystem partner Mitigate Cyber) we can offer clients:

- ‘Mitilearn’ - cyber security awareness training for a client’s staff

- ‘Mitihack’ - simulated phishing and hacking (penetration testing) to help clients stress-test their cyber security and identify vulnerabilities

- ‘Miticert’ - Cyber Essentials certification so our clients can demonstrate their commitment to excellence in cyber security

- ‘Miticomply’ - centralised policy template library and policy management tool, helping clients achieve and maintain GDPR compliance.

The good news is that with robust information security procedures, good staff training and specialist cyber insurance you will be covered for any eventuality, and you can rest easy knowing your information security is being protected.

For more information, please visit https://www.partnersand.com/businesses/insurance-types/cyber-2/ or call Matthew Clark on 07775 537387