Is your firm aware of the dangers of cyber crime?

28 Apr 2017

Cyber-related losses are now the largest recorded category of offence in the UK [1], with data now more valuable to criminals than physical assets. The total cost of cyber-related crime is estimated to be in the region of £27bn per year [2]. SMEs are at particular risk because, quite simply, they tend to think they are too small to be of value to criminals and so tend not to invest in cyber security and/or cyber awareness training.

Understanding how cyber crime is committed can be confusing, but the five most common threats to SMEs are:

  • Ransomware: Malicious software that encrypts the data on a company’s network and offers a decryption key only after a ransom has been paid to the cyber criminals, generally between £500 and £1,000. Paying does not guarantee that the data will be recovered.
  • Hacking: A cyber criminal exploits an unpatched vulnerability in software the company runs (a web server, a remote-access service or even the security software itself) to gain access to its data. Generally the criminals are after personally identifiable information (PII) about the company’s customers, especially payment card details.
  • Denial-of-service attack: A company’s website or online service is deliberately overwhelmed by a high volume of traffic directed at its servers, which interrupts services temporarily or indefinitely.
  • Human error: Information lost, or sent to the wrong person (this accounted for 50 per cent of the worst breaches last year).
  • CEO fraud: A cyber criminal poses as a senior person within the company, either by compromising or ‘spoofing’ an email account, and convinces someone with financial authority to transfer money.

According to Government research, the average cost to an SME of a security breach is between £75,000 and £311,000 [3]; these figures do not factor in related costs such as rebuilding a damaged reputation. Moreover, when the EU’s GDPR comes into force in May 2018, not only will enforcement of data protection obligations be tightened, but the maximum fine the ICO can levy against ‘controllers’ and ‘processors’ of data will rise from £500,000 to €20,000,000 or 4% of the organisation’s total worldwide annual turnover, whichever is higher.

The good news is that nearly 80 per cent of breaches can be stopped by implementing basic cyber security. Although not an exhaustive list, a company’s risk management should ensure that:

  • anti-malware software is kept up to date and, just as important, operating systems and applications are patched promptly (the unpatched vulnerability is what the hacker described above relies on);
  • staff know to be wary of unusual activity on invoices or accounts, in particular unexpected changes to payment details, and verify such requests by a separate channel (a known phone number, not a reply to the email) before any money is moved;
  • staff are wary of opening unexpected or unusual emails containing attachments and/or suspicious links;
  • emails containing sensitive data are encrypted;
  • there are policies on employees accessing company data from their own smartphones or tablets, and on the use of company social media.

Insurance should also play an important part in any firm’s risk management programme. The following aims to offer a basic guide to the options available:

Cyber Insurance: A simple, cost-effective policy which covers direct and indirect costs resulting from cyber crime, including:

  • Loss or damage to digital assets: If you suffer loss or damage to data or software programmes, costs will be incurred in restoring, updating, recreating or replacing them.
  • Non-physical business interruption and extra expense: A cyber attack that prevents your company from trading will inevitably result in a loss of income for as long as you cannot carry on business as usual.
  • Reputational damage: Years of good work can be undone by a single incident that sours your customers’ view of you as a business, meaning a loss of customers and, subsequently, of income.
  • Civil damages: If you suffer a security breach on your network, transmit malicious code, or breach any third party’s or employee’s privacy rights or confidentiality, you may face defence costs and/or civil damages.
  • Regulation defence: If you are investigated by a regulator as a result of any of the above, you will face investigation and defence costs as well as potential fines. In the majority of cases responsibility rests with the data controller (you) rather than with any data processor you outsource to, although under GDPR processors will also carry direct obligations of their own.
  • Customer care: There is sometimes a legal or regulatory requirement to notify the individuals affected by a security or privacy breach (and GDPR will make this mandatory where a breach is likely to result in a high risk to those individuals), in which case you may incur legal, postage and advertising expenses.

Crime Insurance: It is important to recognise that Cyber Insurance does not cover the direct loss of money. Crime Insurance is a type of policy which covers financial losses incurred as a result of theft, fraud or dishonesty, whether committed by an employee or a third party. Such a policy can be extended to include impersonation fraud (i.e. where the victim is duped into voluntarily transferring money or assets to a third party), which is precisely the loss that the CEO fraud described above produces.

Key:

[1] Crime Survey for England and Wales, Office for National Statistics (ONS), year ending March 2015

[2] The Cost of Cyber Crime report, Office of Cyber Security & Information Assurance, 17 February 2011

[3] 2015 Information Security Breaches Survey, HM Government & PwC

Please contact Chris Buxton if you would like to discuss this article further: chrisbuxton@bfpa.co.uk
