Is your business at risk?
As business online increases so does cybercrime, and it is now widely accepted that it's no longer a question of if your organisation will suffer a cyber attack, but a question of when. As the arms race continues between attackers and those trying to keep them out, it seems only a matter of time before every business is affected in some way by cybercrime.
In fact, a new law passed this year makes notification mandatory for businesses that experience a data breach. Failure to comply can attract fines of up to $360,000 for individuals and $1.8 million for organisations.
In the light of this trend, a new form of risk mitigation is emerging. Cyber insurance offers a business the assurance that if it can’t prevent a cyber attack, it can at least insure itself against some of the repercussions, and it is a message that an increasing number of businesses are beginning to heed.
What is cybercrime?
Cybercrime is any type of criminal activity that takes place online or involves the use of a computer. New risks are emerging all the time and current threats include:
- Hacking—unauthorised intrusion into a computer system to steal data or alter the system to accomplish some other goal
- Phishing—sending fraudulent emails to trick individuals and employees into revealing sensitive information
Did you know that on average 18% of people still open and respond to phishing emails? And of these, 24% will give a complete stranger their password?
- Identity theft—stealing someone’s identity to fraudulently obtain money or credit in their name
- Viruses and malware—malicious software distributed with the intention of damaging or compromising computer systems
- Ransomware—malicious software designed to block access to a computer system until a ransom is paid
- DoS (Denial of Service) attack—flooding a network with messages to overload its resources and deny access to legitimate traffic.
As more IoT (Internet of Things) devices are deployed, it is also predicted that cyber criminals will find new ways to infiltrate networks, using internet-connected devices as a foothold from which to work their way into the rest of the infrastructure.
What is cyber insurance?
Cyber insurance provides an organisation with a degree of protection from the risks associated with conducting some or all of its business online. It can cover a variety of costs that can be incurred as a result of a cyber attack, such as:
- Sales losses caused by business interruption
- The cost of notifying customers
- The cost of restoring data
- The cost of investigating the cause
- PR costs to repair brand damage
- The cost of guarding against further breaches
- Fines, court fees and settlements resulting from the breach.
As cybercrime increases, more traditional insurers are looking at adding some form of cyber insurance to their portfolio of insurances and more standalone cyber insurers are emerging in the marketplace. In fact, one commentator predicts that the number of cyber insurers will double in the next two years, making now the best time for businesses to purchase their cyber insurance.
And it is thought that cyber insurance will also become more sought after as a personal insurance product, with ransomware and extortion threats being increasingly aimed at individuals as well as businesses.
Who needs cyber insurance?
Big business is an obvious target for cybercrime because the rewards are more lucrative at the big end of town. Corporations often hold huge stockpiles of sensitive data, which can be sold on the black market for vast sums of money. Large organisations will also pay much bigger ransoms to protect their data, but they also spend more on cyber security, which raises the risk and makes the task much harder for many cyber criminals.
This means SMEs are also a target for cybercrime. They often have inadequate or even non-existent security in place, and while the pickings may not be as rich, small to medium businesses are easier and less risky to attack.
And the repercussions for a small business can be devastating and often fatal. Once your customer base learns of your security breach, a large proportion of clients (by some estimates up to 85%) will abandon you and take their business elsewhere, fearing for their own personal information. The speed at which a business can go under after a cyber attack was illustrated by the case of a small Melbourne IT company which was attacked on 11 June 2012 and was placed in the hands of receivers by 20 June 2012.
So regardless of the size of your business, you are vulnerable to cyber attack and would benefit from cyber insurance if:
- You rely on computers to run your business and they are connected to the Internet
- You don’t have a risk management team (most small to medium businesses can’t afford this)
- You are responsible for other people's personal data, even if you don't host it yourself (e.g. it is stored in a hosted Cloud database).
What if I already have general liability cover?
Unfortunately, losses incurred on the internet are typically not covered by general business liability insurance. A general liability policy covers you against third party property damage and personal injury. But to make a claim, some type of physical damage needs to have occurred and because electronic data is not considered to be physical property, no such claim can be recognised.
What about cyber security?
While a cyber attack is virtually inevitable for every business with an online presence, the speed with which it can be countered and the degree of damage it does can be controlled through cyber security and risk management procedures.
Cyber insurance should therefore not be seen as an alternative to cyber security, but as an additional layer of protection against cybercrime. Risk management practices are still vital for every business and indeed, will be required to be in place before most cyber insurers will cover you.
And there are a large number of things a business can do to minimise the likelihood and severity of a cyber attack, including:
- Installing anti-malware and antivirus software and keeping it up to date
- Backing up data regularly and storing it securely to facilitate fast recovery following an attack
- Having the latest firewall technology and Intrusion Prevention Systems (IPS) in place to detect and prevent system intrusions
- Encrypting all incoming and outgoing data traffic with current protocols (such as TLS) rather than legacy ciphers
- Enforcing strong passwords and authentication procedures
Did you know that Kiandra engagement statistics identified that 45% of passwords used within an organisation are ‘high risk’?
Common passwords to avoid include:
- Days of the week
- Months of the year
- Seasons (eg. Autumn, Winter etc.)
- The name of the company or its services/products
- Securing BYOD (bring your own device) equipment both on and off the premises
- Having online security policies and providing regular security training for employees
- Employing a security firm to do regular penetration tests on your system to discover and fix any weaknesses.
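The password advice above is only useful if it is enforced at the point where passwords are set, and a naive filter is easily bypassed with "Winter2018!" or "M0nday123". The following is an added example, not Kiandra's code or part of the original article: a policy check that normalises a candidate password (lower-case, undo common character substitutions, strip digits and punctuation) before comparing it against days, months, seasons and the organisation's own names, plus an audit helper that reports what share of a password set fails. The company names, the minimum length of 12 and the sample password list are all assumptions constructed for illustration.

```python
"""Password policy check: reject passwords built from days of the week,
months, seasons or the organisation's own names, even when disguised with
digits, symbols or common character substitutions."""
import re
from typing import Optional, Sequence, Tuple

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
SEASONS = ["spring", "summer", "autumn", "winter"]
# Short forms people also use on their own; matched only as a whole password.
ABBREVIATIONS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun",
                 "jan", "feb", "mar", "apr", "jun", "jul", "aug",
                 "sep", "oct", "nov", "dec"]

# Undo the substitutions used to sneak past naive filters (P@ssw0rd style).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # assumed policy value


def normalise(password: str) -> str:
    """Lower-case, undo leetspeak and drop everything that is not a letter,
    so 'W1nter2018!' and 'winter' compare equal."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def blocked_term(password: str, company_terms: Sequence[str] = ()) -> Optional[str]:
    """Return the blocked word the password is built on, or None."""
    core = normalise(password)
    if not core:
        return None
    for term in [*DAYS, *MONTHS, *SEASONS, *company_terms]:
        t = normalise(term)
        if len(t) >= 4 and t in core:
            return term
        if t and core == t:  # short words such as "may" block only an exact match
            return term
    for abbr in ABBREVIATIONS:
        if core == abbr:
            return abbr
    return None


def check_password(password: str, company_terms: Sequence[str] = ()) -> Tuple[bool, str]:
    """Apply the policy; returns (accepted, reason)."""
    term = blocked_term(password, company_terms)
    if term:
        return False, f"based on blocked word '{term}'"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


def audit(passwords: Sequence[str], company_terms: Sequence[str] = ()) -> float:
    """Fraction of a password set that fails the policy (0.0 to 1.0)."""
    if not passwords:
        return 0.0
    failed = [p for p in passwords if not check_password(p, company_terms)[0]]
    return len(failed) / len(passwords)


# Constructed sample set for illustration; not real credentials.
COMPANY_TERMS = ("ExampleCorp",)  # hypothetical organisation name
SAMPLE_PASSWORDS = [
    "Winter2018!", "M0nday123", "ExampleCorp2019", "correct-horse-battery-staple",
    "Tr0ub4dor&3", "october", "Summer@Work", "ytq8Ll$pR2vx", "Friday!!", "May2020",
]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        ok, reason = check_password(pw, COMPANY_TERMS)
        print(f"{pw!r:32} {'accept' if ok else 'reject'}: {reason}")
    print(f"high-risk share: {audit(SAMPLE_PASSWORDS, COMPANY_TERMS):.0%}")
```

Run as a script it rejects eight of the ten constructed passwords (an 80% high-risk share). Note that the substring match is deliberately aggressive: "Waterfallen" would be caught by a term like "fall" if you add it, so pair the check with a sensible minimum length rather than a long list of exceptions, and review any organisation-specific terms you add.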
Governments are also tightening up online security measures. The Australian Government's new Cyber Security policy has earmarked $230 million towards the fight against cybercrime. Building on the mandatory breach notification law mentioned above, further legislation is likely to require businesses to undergo regular risk assessments, have online security policies in place, and inform their customers of any security breach in a timely manner. Stricter security standards for online credit card payments are also likely to be introduced.
How much cyber insurance will you need?
There’s little doubt that cyber insurance is here to stay and will continue to grow in popularity as more businesses realise the need for additional protection from cybercrime. How much cyber insurance a business needs will depend on how much of their business is conducted online. But given that even a single email is capable of letting a hacker into your network, it would be fair to say that a cyber insurance policy of some description will soon be a standard inclusion in most business insurance portfolios.