Throughout our Cyber Awareness Week 2020, we have been demonstrating how the new way of working for many businesses is creating opportunity for cybercriminals.
Whether it’s having a more permanent remote workforce, having to collate and store personal information for track and trace purposes, or needing to implement new payment processes, each change opens the door to cyber-attacks which perhaps were not there before.
The impact of an attack has the potential to be catastrophic, even more so in the challenging financial times businesses currently find themselves in.
There are things that you can do to reduce the risk of suffering a cyber-attack, which we explore here.
The National Cyber Security Centre (NCSC)
10 Steps to Cyber Security
The NCSC recommends businesses review their Information Risk Regime, as it’s essential to their overall cyber security strategy. To support this, they have produced their 10 Steps to Cyber Security document, highlighting important security areas including:
- Setting up your Risk Management Regime
- Network Security
- User education and awareness
- Malware prevention
- Removable media controls
- Secure configuration
- Managing user privileges
- Incident management
- Home and mobile working
For more detail, visit The National Cyber Security Centre's website, www.ncsc.gov.uk.
Additional steps you can take
There are some simple things you can do to protect yourself and your business from a cyber-attack:
- Ensure all devices and documents where personal information is stored are password protected with a password that contains a mix of upper- and lower-case letters, numbers and symbols and is not something that is easy to guess
- Never share passwords or write them down
- Ensure your devices have up-to-date anti-malware software
- Be cautious about opening emails or attachments, or clicking links, from people you don’t recognise or that you are not expecting
- Give employees full, robust training on all processes and procedures, including any new software introduced, to minimise mistakes
- Consider how long you need to keep personal information, and destroy it securely and promptly once that period expires
Ransomware – what you need to know
One particular area of cybercrime prevention is protecting against malware (an umbrella term for dangerous software, including viruses, trojans, worms and ransomware) and having the right protection in place for your business. The latest UK government research shows that 20% of businesses have suffered a malware attack in the last 12 months*.
Our Commercial Director, Mark Brannon, shares his thoughts on malware and more specifically ransomware, a form of attack becoming commonplace.
“Ransomware holds parts (or all) of a network or computer files to ransom by encrypting a company’s data and applications, causing severe business interruption and shutdown until the ransom is paid.
Cyber-attacks on large companies grab the headlines; however, SMEs are increasingly seen as a primary target for cybercrime. SMEs cannot afford to assume that they are too small to be noticed; like many crimes, ransomware is often one of opportunism with victims targeted because they are among the most vulnerable, not the most valuable.
SMEs are also seen as a gateway to larger organisations with many electronically connected to the IT systems of larger partners. If found to be the flaw and reason for a breach, small businesses could suffer catastrophic reputational and financial damage.
According to Beazley, 71% of ransomware attacks target SMEs and the average ransom demand is around £90,000**. Despite this, only 36% of the companies surveyed use security protocols, e.g. two-factor authentication, while just 14% regularly update their passwords. Just 21% of SMEs regularly create backups; this is a vital part of the protocols needed to recover from a ransomware attack.
It is crucial to develop in-house expertise or use a third-party partner to help manage security. This may initially look expensive but must be considered against the cost of dealing with the after-effects of a ransomware attack, potential penalties for GDPR breaches and/or the loss of customer trust and reputational damage.
The good news is that effective IT security doesn’t have to be hugely expensive. It is often far more important to apply realistic, informed, joined-up thinking and to maintain an awareness of current threats and the trends in cybercrime so that security can be updated as appropriate.
It’s also crucial not to underestimate that people remain the greatest security asset... or greatest weakness; human error plays a major role in incidents. Investment in ongoing training and education on the evolving threat landscape is a solid investment in your company’s future and the wellbeing of your workforce.
Awareness: an essential tool to tackle malware
Employees’ actions are often the first line of defence against a cyber-attack; my top tips people can take to avoid malware incidents are:
• Never open attachments from unknown senders. 92% of the malware in the world arrives via email.
• Don’t plug in an unknown USB device. It may contain malware.
• Update passwords regularly and ensure they differ significantly (don’t just add a number!). If a password is leaked in a data breach and has been updated since, it won’t become a security risk.”
Preventative measures won’t stop all cybercrime
Even if you take all appropriate measures and consider everything mentioned above, you can never be 100% safe from the threat of a cyber-attack. It is not only the incident itself that causes issues; it’s also the inevitable disruption to your business and the impact that can have in the short and medium term.
This is why we are urging all our clients during our Cyber Awareness Week 2020 to consider their exposure and think about whether an insurance policy would give them additional peace of mind.
We know that, with the measures in place to support the easing of lockdown across the UK, there will be many businesses that had never considered that they have a cyber risk exposure before now and are suddenly finding themselves in need of support. Our advisors are on hand to offer advice and specialist knowledge to help you.
The information contained in this bulletin is based on sources that we believe are reliable and should be understood as general risk management and insurance information only. It is not intended to be taken as advice with respect to any specific or individual situation and cannot be relied upon as such. If you wish to discuss your specific requirements, please do not hesitate to contact your usual Towergate Insurance Brokers adviser.