Cyber Risks

Published on: 03 Nov 2023

Although big names including the BBC, Boots and British Airways are currently deciding how to react to ransom demands from Russian hacker group “Clop” [1] (who have stolen personal data of more than 100,000 members of staff), the announcement that a recent ransomware attack pushed KNP Logistics into administration is a reminder that the cyber threat exists for businesses across the financial spectrum.

Business owners barely need a reminder that cyber security matters when high-profile attacks on critical infrastructure have rippled across the globe in recent years, leaving communities, corporations and countries without access to resources like gas, power and more. So it is now more important than ever that steps are taken to improve cyber resilience in the event of an attack.

Cyber security company Proofpoint released its annual “State of the Phish” report in February 2023, revealing the impact of phishing attacks in 2022. According to its findings, eight out of ten UK organisations (82%) experienced an attempted ransomware attack in 2022, with 62% suffering a successful infection. Of those infected, just 33% of organisations were able to regain access to data after paying an initial ransom [2].

Ransomware is the biggest cyber threat facing UK organisations, both large and small, and phishing is a common vector for cyber criminals to infect networks.

We know that phishing emails are getting harder to spot, but there is guidance available on what to look out for, and how to improve your organisation’s resilience. Raising staff awareness of the threat is also vital.

We’d encourage all organisations to familiarise themselves with the NCSC advice on mitigating malware and ransomware attacks.

In a survey by the SANS Institute, around 40% of ethical hackers said they can break into most environments they test, if not all. Nearly 60% said they need five hours or less to break into a corporate environment once they identify a weakness [3].

The SANS ethical hacking survey, in partnership with security firm Bishop Fox, was the first of its kind and collected responses from over 300 ethical hackers working inside organisations in different areas and experience levels of information security. The survey also revealed that, on average, hackers would need five hours for each step of an attack chain (reconnaissance, exploitation, privilege escalation and data exfiltration), with an end-to-end attack taking less than 24 hours [3].

So, with the post-COVID world still adjusting to hybrid working, a surge in online crime and the potential spillover from attacks on the UK’s schools [4], the Electoral Commission [5] and the Royal Mail [6], there’s never been a more important time for SMEs to have the right cybersecurity strategy in place.

So what can UK SMEs do to protect themselves?

For many small to medium-sized businesses, it’s just not feasible to spend a significant proportion of their profit on a Cyber protection strategy that could withstand attempted breaches from hacker collectives or a rogue nation state.

However, you can:

Educate your employees about cybersecurity, creating an environment where they take responsibility for safeguarding the company data and the integrity of the system. This includes only using secure systems for communicating with colleagues wherever possible, not sharing information via personal email, and the obvious avoidance of clicking on links you’re not 100% certain about.

Minimise the threats posed by malicious employees by restricting access to sensitive data, banning the use of removable memory hardware and limiting bring your own device (BYOD) use.

Keep your security software and operating systems up to date.

What about Cyber Insurance?

According to the UK Government’s 2022 Cyber Security Breaches Survey, under 4 in 10 (37%) of businesses reported being insured against cyber risks. This is despite 32% of businesses suffering a breach in the last 12 months, a figure that is much higher for medium businesses (59%) and large businesses (69%). The average (mean) annual cost of cyber crime for businesses is estimated at approximately £15,300 per victim [7].

Here’s a sample of some of the reasons businesses don’t believe they need Cyber Insurance:

We’ve never been hacked before
We’re compliant with GDPR, PCI DSS and other regulations, so we’re secure
We’ve invested in IT Security, so we don’t need Cyber Insurance
We outsource IT, so we won’t be exposed to an attack
We don’t collect or store any sensitive data, so Cyber Insurance isn’t necessary
We’re too small to have a Cyber attack
We’re already covered under other insurance policies

However, for many businesses, the reality is that they were targeted; their systems weren’t robust enough to prevent a breach, and there was no insurance cover in place to help cover the costs.

Cyber insurance is a valuable tool to consider in your Cyber strategy; many policies can be tailored to provide cover for the areas that most businesses are concerned about: social engineering, phishing, and ransomware. Some policies can also provide access to specialist support in the event of a system breach, help identify why and how the breach occurred, and offer advice on preventing further breaches.

For more information get in touch with the OAMPS team today. 

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Pen Underwriting Limited and OAMPS Hazardous Industries (part of Pen Underwriting Limited) accept no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.

OAMPS Hazardous Industries is part of Pen Underwriting Limited which is authorised and regulated by the Financial Conduct Authority (FCA number 314493). Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 5172311.


[1] UK Cyber Security & Data Breach Stats 2023 - Databasix UK (dbxuk.com)
[2] https://www.proofpoint.com/uk/newsroom/press-releases/proofpoints-2023-state-phish-report-reveals-email-based-attacks-dominated
[3] SANS in partnership with Bishop Fox (2022), Inside the mind of modern adversaries
[4] Schools Across the UK Crippled by Ransomware - GDPR for schools blog
[5] https://www.electoralcommission.org.uk/privacy-policy/public-notification-cyber-attack-electoral-commission-systems/information-about-cyber-attack
[6] https://www.bbc.co.uk/news/business-64718824
[7] Cyber security breaches survey 2023 - GOV.UK (www.gov.uk) - https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021
