Published on: 03 Nov 2023
Business owners barely need a reminder that cyber security matters when high-profile attacks on critical infrastructure have rippled across the globe in recent years, leaving communities, corporations and countries without access to resources like gas, power and more. So it is now more important than ever that steps are taken to improve cyber resilience in the event of an attack.
Ransomware is the biggest cyber threat facing UK organisations, both large and small, and phishing is a common vector for cyber criminals to infect networks.
We know that phishing emails are getting harder to spot, but there is guidance available on what to look out for, and how to improve your organisation’s resilience. Raising staff awareness of the threat is also vital.
We’d encourage all organisations to familiarise themselves with the NCSC advice on mitigating malware and ransomware attacks.
In a survey by the SANS Institute, around 40% of ethical hackers said they can break into most environments they test, if not all. Nearly 60% said they need five hours or less to break into a corporate environment once they identify a weakness [3].
The SANS ethical hacking survey, in partnership with security firm Bishop Fox, was the first of its kind and collected responses from over 300 ethical hackers working inside organisations in different areas and experience levels of information security. The survey also revealed that on average, hackers would need five hours for each step of an attack chain: reconnaissance, exploitation, privilege escalation and data exfiltration, with an end-to-end attack taking less than 24 hours [3].
For many small to medium-sized businesses, it’s just not feasible to spend a significant proportion of their profit on a Cyber protection strategy that could withstand attempted breaches from hacker collectives or a rogue nation state.
However, you can:
• Educate your employees about cybersecurity, creating an environment where they take responsibility for safeguarding the company data and the integrity of the system. This includes only using secure systems for communicating with colleagues wherever possible, not sharing information via personal email, and the obvious avoidance of clicking on links you’re not 100% certain about.
• Minimise the threats posed by malicious employees: restrict access to sensitive data, ban the use of removable storage devices and limit bring your own device (BYOD) use.
• Keep your security software and operating systems up to date.
What about Cyber Insurance?
According to the UK Government’s 2022 Cyber Security Breaches Survey, under 4 in 10 (37%) of businesses reported being insured against cyber security risks. This is despite 32% of businesses suffering a breach in the last 12 months, a figure that is much higher for medium businesses (59%) and large businesses (69%). The average (mean) annual cost of cyber crime for businesses is estimated at approximately £15,300 per victim [7].
Here’s a sample of some of the reasons businesses don’t believe they need Cyber Insurance:
• We’ve never been hacked before
• We’re compliant with GDPR, PCI DSS and other regulations, so we’re secure
• We’ve invested in IT Security, so we don’t need Cyber Insurance
• We outsource IT, so we won’t be exposed to an attack
• We don’t collect or store any sensitive data, so Cyber Insurance isn’t necessary
• We’re too small to have a Cyber attack
• We’re already covered under other insurance policies
However, for many businesses, the reality is that they were targeted; their systems weren’t robust enough to prevent a breach, and there was no insurance cover in place to help cover the costs.
Cyber insurance is a valuable tool to consider in your cyber strategy; many policies can be tailored to provide cover for the areas that most businesses are concerned about – social engineering, phishing, and ransomware. Some policies can also provide access to specialist support in the event of a system breach, help identify why and how the breach occurred, and offer advice on preventing further breaches.
For more information get in touch with the OAMPS team today.
The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Pen Underwriting Limited and OAMPS Hazardous Industries (part of Pen Underwriting Limited) accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.
OAMPS Hazardous Industries is part of Pen Underwriting Limited which is authorised and regulated by the Financial Conduct Authority (FCA number 314493). Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 5172311.
[1] UK Cyber Security & Data Breach Stats 2023 - Databasix UK (dbxuk.com)
[3] SANS in partnership with Bishop Fox (2022), Inside the Mind of Modern Adversaries
[4] Schools Across the UK Crippled by Ransomware - GDPR for Schools blog
[7] Cyber Security Breaches Survey 2023 - GOV.UK (www.gov.uk) - https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021