The rapid expansion of everyday technology in recent years has given rise to a new set of threats for small businesses to contend with – but many are still playing catch-up. Today the threat of cyber attack is as real as anything else that your business must be prepared for, and more than half of UK businesses reported falling victim to some form of breach in 2019 alone, a 40% increase on the previous year. This looks set to have increased further during the 2020 Covid-19 pandemic, with Britain’s National Cyber Security Centre dealing with hundreds of serious attacks over the last few months.
With traditional working practices so widely disrupted this year, and many companies now operating on an either partly or wholly remote basis for the first time, it’s more important than ever to ensure that your business’s IT infrastructure is secure, and to protect against any eventualities with the right cyber liability insurance policy.
What does cyber liability insurance cover?
Cyber crime can lead to devastating financial losses for a business, as well as reputational damage. Most policies are focused on covering losses but many of them can also assist with managing the aftermath of the attack itself – bringing in experts to rebuild infrastructure and repair damaged data. Having the right protection ready to go if the worst happens can make all the difference in preventing damage to the reputation of your business or regulatory enforcement under the GDPR.
All cyber insurance policies differ, but among the things that a policy can cover are:
- Business interruption due to downtime
- Forensic eDiscoveries of the systems by specialists
- Assistance with notification to the Information Commissioner’s Office (ICO)
- Legal advice
- Lost or damaged data or software
- Notifying customers of a breach where this is required
- Cyber extortion costs
- Loss of customers due to reputational harm
- Direct theft by hacking
- Customer data loss and compensation payments
- The costs of investigations, regulatory proceedings and civil damages
- Multimedia liability where data is published
What cyber threats do small businesses need to be prepared for?
Cyber crime is a constantly evolving threat – it is not enough to identify a set of threats and put protection in place against them. Company policies must be constantly updated and monitored, and your insurance provider should reflect this in what they offer you.
While cyber attacks are becoming ever more sophisticated and difficult to predict, one of the most common threats to small businesses remains straightforward data threats. Confidential data continues to be an easy target for cyber criminals, especially amid the increased data portability that we have seen in 2020. In addition, the stricter rules introduced under the GDPR in 2018 make data theft an occurrence with more serious consequences for businesses than ever before.
Data is always more vulnerable when it is taken outside the regular confines of your business premises, and remote working makes this problem an everyday reality for the majority of small businesses in the UK. This vulnerability can be divided into two categories:
- Data in motion: This is data on the move, for example being sent in an email or during a card payment transaction. There are various points where a hacker can intercept this process.
- Data at rest: This is data which is stored on laptops or other devices. Many data thefts occur while data at rest is carried around, where a screen is left unlocked or a device is left on a train.
Even data which is ostensibly secure can be more at risk than businesses might realise. Employees will routinely use company devices on insecure public Wi-Fi or access company networks from their personal devices.
Additionally, weak passwords are one of the biggest causes of security breaches for small businesses, with millions of people using passwords like 123456. Simply adding a mixture of cases, letters, numbers and symbols to a password can make it infinitely more difficult to crack.
There are several steps that small businesses can take to ensure that data is more robustly protected:
- Encryption: This is simply disguising data behind an algorithm which requires a key to unlock it. It is especially effective for protecting data in motion or data at rest, and can often be enough to deter would-be hackers.
- Multi-factor authentication: This is requiring additional information at login such as a passcode sent to a separate device, and immediately re-locking data where a period of inactivity takes place.
- Staff awareness: Many people simply do not realise the extent to which data can be under threat. Reiterating the importance of secure passwords and discouraging the use of personal devices for work purposes can make a big difference.
Many small businesses deal not just with client companies but various third-party providers that form part of their supply chain. It can be difficult to know whether these external companies are taking as much care over cyber security as you are – and third-party exploitation attacks (or supply chain attacks) seek to take advantage of this fact. They seek any weaknesses in these complex supply chains, especially where data is in motion, and hackers are frequently evolving their techniques to find new methods of infiltration.
Under the GDPR the companies in your supply chain are considered responsible for any data that you share with them, so it’s vital to treat all of them as if they were departments of your own business. Knowing the risks and vulnerabilities of the businesses, and including them in your own contingency plans for a cyber attack, is a crucial aspect of staying protected.
It is important to be able to differentiate between spam emails and junk emails. While the former can be relatively easy to spot, a spam email is usually disguised as something familiar or even beneficial to the business in question. They pose a significant threat which all too often can prove a stumbling block for employees. The UK Government’s Cyber Security Breaches Survey 2020 saw 86% of companies reporting phishing attacks.
There are several types of spam email that can appear in your inbox:
- Phishing emails: These tend to use fake credentials such as well-known brands to lure the recipient to a website which appears on the surface to be legitimate. Here, they are tricked into entering card details or other data that could compromise security.
- Whaling emails: This is where an email purports to be from a trusted executive or other senior person within the organisation in question. It requests payments to an unknown account, ostensibly on behalf of the trusted individual.
- Bombing emails: These fill up an inbox or server with thousands of emails, disguising data theft or causing the system to go offline and interrupt the business.
There are a number of ways that you can protect your business from spam emails. Having a robust spam filter in place should protect employee inboxes from the majority of dangerous emails, but ensuring staff know how to handle them is key:
- Not opening any email that looks suspicious, and remaining vigilant on opening an email – watching for impersonal language or obvious grammatical errors
- Never clicking any links or opening attachments in an email without being certain they are safe
- Looking at the sender’s email address rather than the display name
- Trusting only websites with a https:// (as opposed to a http://) or a padlock symbol in the address bar
Inadequate disaster recovery plans
Many small businesses make the mistake of focusing too much on prevention, and neglecting the fact that the chances of an attack remain high even with protective measures in place. According to the Federation of Small Businesses, small companies were suffering up to 10,000 attacks per day in 2019.
It is therefore important to consider whether your business could continue functioning if your existing protections failed to prevent a cyber attack. Having a disaster recovery plan in place is a critical element of your overall cyber security strategy, and it should include:
- Securely backing up all crucial company data
- Having detailed response plans to different types of attack, such as ransomware (where a victim is forced to pay in order to have access to their data restored)
- Risk assessments for all the other security measures currently in place
- Clear guidelines for all employees to follow in the event of an attack
- An up-to-date list of the people responsible for responding if an attack takes place
Speak to us about cyber liability insurance
For many small businesses, having the right insurance plan in place has meant the difference between recovering from a cyber attack and being damaged beyond repair.
At Heath Crawford we can help your business to find exactly the right policy to protect its future if a major breach takes place. If you have any questions about cyber liability insurance, don’t hesitate to call our friendly team on 0208 421 7030 or email email@example.com.
If you’re interested in Cyber Liability Insurance, please fill in the form below with your contact details and we’ll get back to you as soon as we can.