Information and cyber security. I provide information security consultancy services within Allianz. This includes making sure that security is built into any projects by design and default, reviewing products and leading on incident response.
Before joining Allianz in March 2018, I worked in the police force, most recently as a detective in the Surrey Sussex Collaborated Cyber Crime team. In this role, I led investigations into cyber attacks against individuals and SMEs.
Cyber crime is a significant risk for UK businesses. It’s the most commonly experienced form of fraud, overtaking asset theft in 2018, with government estimates suggesting it costs the UK as much as £27 billion a year.
For an individual business, cyber crime can be devastating. As well as a potentially significant fine from the Information Commissioner’s Office (ICO) in the event of a data breach, a company risks long-lasting reputational damage. Even without this, the business interruption caused when computer systems are down can bring a business to its knees.
Given this, it’s little wonder that cyber took joint top spot in the Allianz Risk Barometer 2019, alongside business interruption.
Global cyber attacks such as WannaCry and NotPetya grab the headlines, but the biggest threat to a business comes from insiders. A disgruntled member of staff can cause significant damage by stealing data or introducing malware into an organisation’s systems.
While that may be the biggest risk, companies do also need to vigilant about external cyber-attacks. How much of a risk this is depends on the business model, although any company with an online presence is potentially at risk of an attack.
What trends are you seeing in cyber crime?
Ransomware, where access is blocked or stolen data published unless a ransom is paid, is a huge issue. This type of attack first grabbed the public’s attention in May 2017 when WannaCry shut down hundreds of thousands of computers around the world, including many within the NHS.
It’s become increasingly common in the US, where ransomware attacks have crippled city networks. As an example, in August 2019, 22 cities in Texas were effectively shut down when they were faced with demands for millions of dollars as part of a coordinated ransomware attack.
Phishing campaigns remain common too. These take many different forms, seeking to steal banking details or credentials by impersonating a legitimate company; harvest data; or infect a company’s exchange server to take control of its address book and spread itself further.
Some sectors, especially those where a lot of large payments take place over email such as solicitors, are also exposed to mandate fraud. With this, the fraudster might pretend to be a legitimate supplier to trick an employee into changing payment details. Alternatively, they might divert all email traffic, accessing it and amending details so any payments are made into their own account.
What can brokers do to protect their businesses and those of their clients?
A robust approach to cyber security is essential. Start by conducting a risk assessment to identify where there are potential issues that could leave the business exposed to a cyber threat. These will tend to fall into one of three areas – people, processes and technology. Building a cyber security approach around these three areas significantly reduces the risk of becoming a victim of cyber crime.
The people element is essential. People are usually the weakest link and cyber criminals rely on someone inadvertently clicking on a link or authorising a payment. Educating employees, and anyone else who accesses the organisation’s IT systems, will reduce the risk of being caught out.
Processes are also important. Keeping systems up-to-date with any updates and patches gets rid of around 90% of vulnerabilities straightaway. Software vendors tend to react quickly, releasing emergency patching when any new cyber threat emerges.
It’s also prudent to have processes in place to ensure IT passwords are changed regularly too. These should be at least eight characters in length and contain a combination of alpha, numeric and special characters.
Businesses need to take into consideration how employees access the organisation’s systems, especially where they’re working remotely, and have processes in place to ensure access rights are promptly deleted when an employee leaves the business or a connected device is lost or stolen.
Similarly, with ransomware becoming increasingly common, companies should ensure they have a contingency plan in place. Having a proper back-up enables them to restore their systems quickly, without having to pay a penny to the cyber criminals.
Companies also need to have robust governance in place to reduce the risk of insider action. This could include strict access control, strong passwords and USB lock down. It’s also prudent to encrypt data. That way, if it is lost, it’ll be of no value to the cyber criminal.
The third pillar is technology. Decent anti-virus protection will help to protect a company from cyber attacks. It may also be worth investing in more advanced controls, especially where a company holds a lot of customer data or is reliant on internet access.
And, although the focus is on cyber risks, organisations should also consider the physical risks such as burglary, accidental misplacement and fire. These could all result in data corruption, loss or theft, so it’s important to address these risks too.
What role does cyber insurance play in protecting businesses?
Cyber insurance can be an important part of the mix. This can provide both first and third party cover, offering companies considerable peace of mind from a financial perspective.
Data breaches are the largest exposure for businesses, whether resulting from a cyber attack, negligence or an accident. However a breach occurs, it can result in surface costs such as customer breach notifications and regulatory compliance fines. The organisation may also find itself being taken to court and having to pay damages to individuals or companies for failing to protect their private data.
There can also be more hidden costs, including lost contract revenue and loss of intellectual property
Even where data isn’t lost or stolen, a cyber attack can result in losses such as damaged IT systems and business interruption if employees are unable to access the network or data.
Whatever the cause of the loss, a comprehensive cyber insurance policy will also include valuable crisis management support. This gives a company access to a team of specialists including forensics experts, legal and regulatory advisers, as well as reputation and communication professionals.
They can help a company minimise the damage and recover quickly after an incident. For example, forensic experts can identify, contain and remove a threat to prevent a recurrence.
Having cyber insurance can also help to reassure third parties. Knowing a company takes cyber risk seriously can give considerable peace of mind to customers and suppliers.
Most large businesses have sensible cyber security rules in place, especially the larger ones where it’s the norm to meet ISO standards (ISO/IEC 27000 family of standards).
At the smaller end of the market, the government’s Cyber Essentials is a good starting point. This provides advice on how to protect an organisation against cyber attack.
While there’s a lot a company can do itself, these firms may also want to have their cyber security independently assessed by a certification body. This costs a couple of hundred pounds, but should be regarded as a valuable investment, especially given the potential size of an ICO fine if there is a data breach.