Cyber risks and insurance solutions for SME UK businesses
In case you weren’t aware, the risks to businesses from cyber criminals are large; the problem is growing and is only going to get worse.
E-criminals have exploited staff working from home, with weaker endpoint security, over the past 12 months, increasing their activities and putting hacking at an all-time high.
There has never been a more crucial time to review your cyber security protocols, take any necessary steps to strengthen them and get some robust cyber insurance in place, to ensure continuity of your business should the worst happen.
Caveat: It is very important that companies understand that even the most robust cyber defence doesn’t guarantee 100% security, so having cyber insurance is an important backstop, augmenting the steps the business should already be taking to defend itself. Strong security protocols together with a bespoke insurance policy can make sure you are appropriately covered.
In its report, ‘Cyber Security Breaches Survey 2020’, the Government’s Department for Digital, Culture, Media and Sport presents some sobering facts:
www.gov.uk/government/statistics/cyber-security-breaches-survey-2020
Basic information security protocols for any business
If you own a business, chances are you have laptops, mobile phones, staff, customers, products, payments, etc. Cyber criminals are after your data, money, intellectual property, or they’ll simply hijack your digital systems and hold you to ransom until you pay for the release (ransomware).
What is the bare minimum you should be doing?
- Backing up your data.
- Protecting your organisation from malware by installing the right software.
- Keeping your smartphones (and tablets) safe through password protection.
- Using complex passwords to protect your data.
- Avoiding phishing attacks by ensuring your people are aware of what to look for.
If you aren’t sure that you are doing enough, run through this really useful guide from the National Cyber Security Centre.
www.ncsc.gov.uk/collection/small-business-guide
If you think you are already well protected, why not go through their ‘Exercise In a Box’?
www.exerciseinabox.service.ncsc.gov.uk
What kinds of attacks should you look out for?
We could be here all day writing about different cyber attacks, but the phishing attack is one of the most common that you, and crucially your staff, should be aware of. Phishing attacks are a form of social engineering: somebody manipulating you, a human, not a computer, into doing something for them.
How does it work?
Generally, you will receive an email or a text from an organisation or individual you may know which, without closer inspection, looks genuine. In reality, they are trying to get you to click on a link or provide information which could allow them unfettered access to your entire business.
With phishing attacks, one click is all it takes.
A donation diversion – A phishing attack
The Phish: The financial controller of a medical research company received an email purporting to be from Microsoft Office 365 Support Service. It said that some emails had been received and quarantined for safety, but that he could access them by clicking on the link below. Naturally he wanted to see the emails he’d been sent, so he clicked on the link and entered his Microsoft login details when prompted to view them. He’d just been socially engineered.
They’re in: Now the hacker had full access to the financial controller’s computer. They accessed his inbox and set up a forwarding rule so that all emails arriving from a specific charity, which paid the research company large, regular amounts of money, were moved to a dormant folder and immediately marked as ‘read’.
The diversion: The fraudster then emailed the charity’s accounts department, asking them to send all future payments to a new bank account. No suspicions were raised at the charity, as the request came from a verified account known to them. The next payment sent was £76,328, but of course it never arrived. It was only when the financial controller of the research company rang the charity to chase payment that the hack was uncovered.
The recovery: Thankfully, one of the banks involved was able to claw back £27,653 and the charity claimed for the remaining £48,675 under the cybercrime section of their insurance policy with one of our trusted brokers, CFC. Without cover the charity would have suffered an unthinkably large loss.
How could this have been avoided?
2-Step Authorisation: Aside from recognising the bogus email in the first place, this attack could have been avoided by the research company having 2-step authorisation set up on their email account, i.e. every time the account is logged into, it requires a second form of identification (sometimes a code sent by text) to ensure the person trying to access the account is genuine.
Call-Back Procedure: If the charity had a ‘call-back’ procedure in place, whereby all requests to change bank accounts or anything similar were double-checked by a phone call to a known number, then this would have been stopped before the damage had been done.
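A third line of defence is to check mailboxes for rules like the one the attacker created in the case study (mail from one sender silently moved to an out-of-the-way folder and marked as read). The script below is an added example, not part of the original article: it reviews a constructed list of mailbox rules shaped like a simplified inbox-rule export (field names and the tenant domain are assumptions) and reports the rules that hide or divert mail.

```python
# Added example: flag mailbox rules matching the case-study pattern.
# The rule records and the INTERNAL_DOMAIN value are constructed assumptions,
# not a real export format.
from typing import Dict, List

INTERNAL_DOMAIN = "research-example.co.uk"  # assumed tenant domain

# Folders attackers commonly choose because users rarely look in them.
SUSPICIOUS_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                      "junk email", "deleted items", "archive"}

# Constructed sample: one benign rule, one hiding rule like the case study,
# and one rule forwarding everything to an external mailbox.
SAMPLE_RULES: List[Dict] = [
    {"name": "Newsletters", "from": ["news@vendor.example"],
     "move_to": "Newsletters", "mark_read": False, "forward_to": [], "delete": False},
    {"name": ".", "from": ["accounts@charity.example.org"],
     "move_to": "RSS Subscriptions", "mark_read": True, "forward_to": [], "delete": False},
    {"name": "Backup copy", "from": [], "move_to": None, "mark_read": False,
     "forward_to": ["fc.personal@webmail.example"], "delete": False},
]


def flag_rule(rule: Dict) -> List[str]:
    """Return the reasons a single rule looks like hiding or diverting mail."""
    reasons: List[str] = []
    # Forwarding outside the organisation is how a fraudster keeps watching.
    external = [a for a in rule["forward_to"]
                if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))
    # A sender-specific rule that marks read, deletes or buries mail in a
    # rarely visited folder keeps the victim from noticing the conversation.
    folder = (rule.get("move_to") or "").lower()
    if rule["from"] and (rule["mark_read"] or rule["delete"]
                         or folder in SUSPICIOUS_FOLDERS):
        reasons.append("hides mail from specific sender(s): " + ", ".join(rule["from"]))
    # Attackers often name rules "." or leave them blank to avoid attention.
    if not rule["name"].strip(". "):
        reasons.append("near-empty rule name")
    return reasons


def review_rules(rules: List[Dict]) -> Dict[str, List[str]]:
    """Map each suspicious rule name to its reasons; benign rules are omitted."""
    return {r["name"]: flag_rule(r) for r in rules if flag_rule(r)}


if __name__ == "__main__":
    for name, reasons in review_rules(SAMPLE_RULES).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

Run over a real export, the same check is a quick post-incident and periodic sweep; a flagged rule the user did not create is a strong sign the account has been compromised.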
Help is at hand: We understand that this can be rather daunting and that you may need help to navigate this potential minefield (What are your risks? Are you doing enough? What more do you need to do?), so we’ve created an industry-leading cyber proposition package to help our clients identify, manage, insure against and respond to cyber-attacks.
The good news is that with robust information security procedures, good staff training and specialist cyber insurance you will be covered for any eventuality and you can rest safe knowing your information security is being protected.