It’s the call that every CEO fears – the IT system has been encrypted by cyber criminals. This is a very real threat. So much so that the Minister for Communications Denis Naughten has brought a memorandum to Cabinet to allow for the formal establishment of a National Cyber Security Centre, whilst in the UK, Chancellor Philip Hammond has just launched a £1.9bn cyber strategy to try to reduce the risk of cyber-crime and raise awareness of the risk. With so many high-profile data breach stories recently, the potential damage a cyber-attack can wreak is now obvious for all to see. The full extent of the damage – both on the bottom line and on a company’s reputation – is sometimes hard to establish. What is becoming crystal clear is that how a company responds to an attack will be critical to its future success – and maybe its very survival.
The scale of the problem
According to a survey of IT security professionals carried out by the Irish Computer Society in December 2015, one-third of respondents had experienced a data breach in the last 12 months. Employee negligence was the biggest threat for 45% of respondents; however, attacks from external hackers and the increasing number of end-user devices storing sensitive data were also a major concern. In a poll we recently undertook with European clients, 45% cited data privacy as the biggest risk to their company’s reputation.
The cyber battlefield is focused not only on the big corporates but also on the SME sector. Attacks on SMEs are not new; however, their consequences are having a greater impact on small firms, which are quite often unprepared for the impact of a cyber-attack. Cyber-criminals, having recognised that ‘blue chips’ have improved their cyber defences – and with pursuit and prosecution more likely for large attacks – are increasingly targeting small businesses using ransomware.
In this type of attack, once the company’s systems have been infected, rogue software encrypts data, locks down access and sends a demand for a ransom payment. Employee behaviour is a major factor in any business’s cyber security. It can be difficult to train employees to recognise fake links or phishing emails that can enable malware to bypass expensive and sophisticated cyber security systems. In many instances, an employee will be completely unaware that they have done something wrong. Once installed, malware can sit on the system undetected, taking on average 170–220 days before it is discovered.
Supplier systems also open up another cyber-attack front. In today’s networked global marketplace, many businesses cannot function without synchronising systems with suppliers, distributors or service providers. These relationships are vulnerable to attacks and may represent an open back door into an otherwise well-protected business.
Preparing for an attack
As the scale and sophistication of attacks increase, businesses should have detailed cyber risk management plans in place. These plans should identify the ‘crown jewels’ of the business – the data and systems essential for it to continue to trade – and develop protection systems accordingly. To do this effectively, management needs to think about how it would respond to various scenarios. For example, if ransomware caused a complete shutdown of IT systems, or critical sensitive personal data was stolen, how would the company handle the damage caused? Who would need to be informed? What mitigation steps would need to be taken, and when?
Critical considerations include:
- IT links to supplier systems
- Where critical data is stored and by whom
- How long the business could survive without access to critical data and IT systems
- How an outage would impact suppliers, external suppliers and customers
- The risk of shareholder action if the company was unable to fulfil its pre-contracted services or deliver goods
- How the business could handle a backlog of work if its employees could not access systems for a couple of days or weeks
- How data is backed up and protected against malware
- How business-critical information is kept separate, up to date and accessible
- What cyber coverage the existing insurance programme provides
Insurance interest rising
Awareness of the value of cyber insurance is finally on the up. Many businesses were initially unconvinced of the need to buy specialist cover. They felt the risk was either covered by other classes of insurance, such as business interruption or general liability, or, to put it simply, that their business would not be a target of such an attack. As the scale of threats has increased, more businesses are seeing the need for specialist cover and are in need of advice on the complex range of options available. Earlier this year, a survey by security firm Malwarebytes found that one-third of businesses had lost money due to ransomware attacks, with the cost ranging from a few hundred to tens of thousands of euros.
To confront this challenge, loss mitigation is critical. That is why at Chubb, for example, we have created a cyber risk engineering team of loss prevention specialists who work with brokers and clients prior to underwriting their business, to test the strength of their cyber management, governance and resilience. This information is then fed back to us, the underwriter, and shared with all the parties involved to help identify steps to reduce the client’s risk profile. This detailed risk assessment helps the insured and their broker understand the core risk areas and where the insured may be vulnerable or could improve their procedures or defences to mitigate a loss. Once the risk picture is clear, we tailor the cyber cover to suit the company’s specific risk profile. We will never reduce cyber risk to zero. Hopefully, thorough preparation can ensure that income loss, business interruption and damage to business reputation are minimised. Risk engineering is key in that effort.