How do I protect my small business from cyber crime?

What you need to know about your online risks and how to ensure that your business is covered

High-profile cyber attacks have been hitting the headlines with increasing frequency over the past year, putting security risks firmly in the spotlight. With celebrities, big businesses and small enterprises all coming under attack, it seems that no one is safe – which is why it’s important to be aware of the risks around us.

The scale of the problem

According to a recent survey, 74% of small organisations experienced a security breach last year, with the average cost of a breach rising sharply from £75,000 in 2014 to £311,000 last year.

The survey also found that “nearly 9 out of 10 large organisations surveyed now suffer some form of security breach – suggesting that these incidents are now a near certainty”.

Did you know?

The view from professionals is that anyone who thinks they haven’t been breached simply hasn’t discovered it yet.

Recent examples

A number of big international businesses were targeted in cyber attacks last year, costing them millions in compensation, fines and lost business.

Renowned retailers such as Amazon and M&S were among the victims of cyber crime. A glitch that allowed online customers to view each other’s details forced M&S to take its website offline for a few hours, while Amazon force-reset a number of customers’ passwords, leading many to speculate that the retail giant had been hacked.

And telecommunications company TalkTalk was hit hard when nearly 157,000 of their customers had their data breached, and over 15,000 had their financial details hacked. Fortunately, most of the credit and debit card codes obtained could not be used for payments, but the incident still left TalkTalk out of pocket – the attack cost the company a total of £60 million and led to the loss of over 100,000 customers.

 

The cost of the October 2015 cyber attack on TalkTalk

  • 156,959 customers had their data breached
  • 15,656 customers had their financial details hacked
  • 100,000+ customers left the business
  • £60m total cost to the company

Who’s at risk?

Don’t let the recent string of high-profile attacks on larger organisations fool you; every organisation, large or small, that uses IT in any form is potentially at risk.

“Every company has an exposure to cyber risks,” said Helen Trantum, the Portfolio Lead for Liability Underwriting & Pricing Commercial at RSA. “Cyber exposure falls into two main areas: data liability and cyber attacks. Virtually every company holds customer data and has a heavy reliance on computers, so every business has an exposure.”

According to Trantum, smaller companies tend to be more vulnerable to generic attacks, such as spear-phishing emails sent to a wide range of people, as opposed to larger companies that are more susceptible to targeted, co-ordinated attacks.

It’s a warning that many agree with. The latest Government Security Breaches Survey revealed that 74% of small organisations reported a security breach in the last year – an increase from both 2013 and 2014. As such, industry experts believe that small to medium enterprises are now being specifically targeted by cyber criminals.

Virtually every company holds customer data and has a heavy reliance on computers, so every business – large or small – has an exposure to cyber risks.

Helen Trantum, Portfolio Lead – Liability Underwriting and Pricing Commercial at RSA

How could it impact you?

One of the most daunting aspects of cyber risks is the wide range of impacts an attack can have, and the damage can fall into as many as 11 categories, including theft of intellectual property, business disruption, regulatory actions and direct financial losses such as funds being stolen.

“The potential impacts of malicious cyber attacks vary widely, from a company’s website being offline for days – which could have serious consequences if you sell online – to companies not being able to access their own computers, data being corrupted, or even the entire computer system being broken,” said Trantum.

“There is also a new generation of attacks which can be even more concerning as they can be much harder to detect. Instead of deleting or stealing data, attackers can now also change information in the system, such as bank details to siphon off funds, to appear genuine.”

The good news is…

Around 80% of cyber attacks can be prevented if businesses put basic security measures in place.

How can you protect your small business?

Even large organisations with strong security systems in place have been shown to be susceptible to hacks. Therefore it’s important for organisations of every size to be aware of the risks – so they can prepare for them accordingly.

As the risks of inadvertent staff errors are high, it’s important to ensure that employees are well-trained, with comprehensive processes put in place for issues such as handling data, using strong passwords and encrypting portable media.

10 Steps to Cyber Security

This guide has grown in popularity since its launch in 2012, and is now used by around two-thirds of the FTSE 350 [5].

RSA supports the Government’s 10 Steps and Cyber Essentials schemes, and Trantum believes that these are positive developments: “We are always looking for customers who are taking all reasonable precautions as, ultimately, insurance is not a substitute for good risk management. If a business is accredited with something like Cyber Essentials it demonstrates a level of concern within the business, which we look very favourably on.”

Do you need cyber insurance?

Proactively managing your cyber risks is a great first step, but companies – large or small – should have appropriate cyber insurance in place too.

Unfortunately, many organisations don’t have the right policy – and those who do tend to overestimate the extent to which they are covered. Surveys showed that 52% of CEOs believe that they have cover, when in fact less than 10% do [6], while another survey revealed that only 27% of small businesses admit to having cyber insurance that would cover them in the event of a breach – a number that’s much smaller than expected.

Cyber cover

  • 52% of CEOs believe they have cyber insurance
  • <10% actually have cyber insurance [6]
  • 27% of small businesses are covered in the event of a breach

And although some more traditional insurances such as liability, crime or business interruption policies include elements of cyber cover, they are likely to fall short of what modern businesses need.

“Companies should be very careful about relying on policies that were never intended to cover a certain risk,” advised Trantum. “If you try to put a cyber claim through a traditional insurance such as a liability policy, not only will you have a lack of certainty about whether you are covered, but it could take a long time to find out.”

Giving peace of mind and certainty is one of the purposes of insurance. If you are relying on traditional insurance that may or may not cover that risk, you are not achieving the very goal of that insurance.

Helen Trantum, Portfolio Lead – Liability Underwriting and Pricing Commercial at RSA

What’s the right cyber cover for your small business?

Cyber policies have really improved in recent years. Previous offerings tended to focus on either the data liability or malicious cyber attack aspects of cyber risks, but recent products now offer coverage for the much broader range of risks that companies face.

What’s more, many recent cyber offerings now include a crucial ‘breach response’ element, which provides a number to call in case of an incident. Your insurer will then guide you through the whole process.

“An individual business may not know who to call or what services to appoint in the event of an incident. Insurers have a role to play in supporting businesses here because they see more scenarios across their portfolio than an individual company is likely to experience, which means they have more tools and services at their fingertips to help them respond quickly,” said Trantum. “This is because speed of response can make all the difference when it comes to cyber events.”

Now more than ever, insurance is not just about protection. It is about having an effective strategy in place in case something does go wrong – and that’s where the right cyber insurance comes in.

References

  1. According to Helen
  2. https://www.gov.uk/government/news/cyber-security-boost-for-uk-firms
  3. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview
  4. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility/10-steps-summary
  5. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/415354/UK_Cyber_Security_Report_Final.pdf