Chief Underwriting Officer
It feels like barely a week goes by without news of another high profile cyber-attack or data breach, affecting millions or even billions of people. Attacks happen so often that we may be desensitised to the numbers, but the cost to individuals and businesses is staggering, with cyber attacks costing businesses $2 trillion in 2019.
We all hear about it when big businesses are hit - Tesco Bank, Talk Talk, and Three Mobile are prime examples - and it's easy to think that start-ups and small businesses are less of a target. But no business, big or small, is 100% safe in this era of cyber warfare. In fact, IDC found that 71% of data breaches are now targeted at small businesses - so it's time to sit up and take notice.
We're often asked by founders of small businesses why they should be concerned about cyber security. Sometimes they believe their operations are either too small or their data is not theft-worthy. Unfortunately, this couldn't be further from the truth.
What makes your business vulnerable?
You're busy - and hackers know it
Running a startup or small business can be stressful. With long days and sleepless nights, who has time to think about data security? Let's face it, you have a lot on your plate and you haven't spent much time making sure you're protected.
Lack of cyber security expertise
Small businesses often don't allocate enough resource to deploy strong firewalls and updated security patches, resulting in loss of important information if faced with an attack. Cyber security is a complex and multi-faceted issue, that requires the right technology and the right policies and processes in place.
Lack of specialist legal expertise
Unlike large organisations, who have the budget to hire an entire law and compliance department, you probably don't have any dedicated expertise internally. As a result, you may be overlooking your responsibilities around handling data.
Your data grows with you
It can be easy to lose track of the amount of data you've generated over time. Your customer database may be small in the early stages but it can grow to a thousand or more pretty quickly. Mishandling this data could leave you exposed to attacks and fines from the Information Commissioner's Office (ICO).
Unsecure internet connections
Many startups and small businesses have freelancers or remote workers accessing their systems from local coffee shops or coworking spaces. If that's the case and there's no secure Wi-Fi connection, hackers can easily steal your data.
Your data is an entry point to the big guys
It's a common misconception that hackers won't be interested in attacking a business with little money or data. And while they may not care about the £80 order you took yesterday, your unprotected systems could give them a 'back door' into larger clients or suppliers, which is exactly what they're after.
What are the biggest cyber threats for small businesses?
Cyber-attacks and data breaches are often clumped together, when in fact there are various culprits, that access and attack your systems in different ways. What's more, they're constantly evolving, so it's important to stay vigilant to new threats.
In the spirit of 'knowing your enemy', here's a rundown of some of the major cyber risks facing start-ups and small businesses:
Phishing, Spear-phishing and whaling
One of the most common modes of attack, phishing involves the attacker sending out emails to multiple recipients, posing as a reputable company. The email will either contain malware in a link or attachment, or will prompt the recipient to enter sensitive account or password details, enabling cyber criminals to hack into their PC or accounts. While many of these emails may look and seem suspicious, some are surprisingly convincing, and when sent on mass, usually catch someone unawares eventually.
Varieties on phishing include spear-phishing, whereby attackers target a specific company or individual, and whaling, where senior executives are specifically targeted. Both can be hugely damaging if successful.
As the name suggests, ransomware infects your computer and holds your data to ransom, demanding significant sums for its release.
Ransomware usually accesses your computer through a phishing email sent to unsuspecting employees, although new tactics have seen ransomware hijack adverts on popular news sites, with the New York Times, BBC and AOL hit last year. One click on an infected link or attachment and it's in your system, almost impossible to get rid of it without paying up.
The crime rings that perpetrate these attacks are growing more intelligent and sophisticated by the minute and small businesses are often a soft target, with less protection and cyber awareness than larger companies.
A type of malware, worms have been around for a many years, with the first one famously created in 1988 as an innocent way of testing computer networks. They have since been used to devastating effect, penetrating vulnerable computers, before replicating and spreading within a network. One of the most famous worm attacks was on MySpace in 2005, which spread to over one million computers in 20 hours.
Worms are often used to steal confidential information or turn computers into remote-controlled 'zombies' or 'bots', which are then used to attack more systems. It's estimated that at any moment there are several million 'zombie' computers on the internet.
New types of worms are emerging all the time, including 'headless worms', which target so-called 'headless' devices like smartphones, smart watches and medical hardware.
With driverless cars, smart entertainment systems and connected cameras, the Internet of Things, or IoT, is growing bigger and more complex. Yet these devices are often overlooked when it comes to cyber security, leaving them especially vulnerable to attacks and being used as a part of a botnet to attack other systems. As the Internet of Things grows more prolific, this is a potential 'back door' route to accessing valuable data deeper in the system, and whole networks could be affected this way in the future.
As scary as it sounds, ghostware is a type of malware designed to penetrate networks without detection, steal confidential data, then cover its tracks before it leaves. That means you may not realise your business has been compromised until it's too late, and it's impossible to find the source of the breach.
Similar to ghostware, but this time the malware completes its task and then destroys the system it has infected. It can potentially be much more damaging for this reason, however you will at least know that your system has been compromised.
The type of attack that took down various major websites last year, including Twitter, Netflix, Reddit, and Airbnb, DDOS (Denial of Service) attacks are on the rise, with DDoS for hire services making it easier and cheaper for cyber criminals to strike, bringing down websites and affecting businesses across the world. They work by flooding a company's servers with requests, so they are unable to cope and shut down. That leaves the business unable to trade for minutes, hours or even days, with potentially catastrophic long-term impacts. And it's not just big businesses that are affected - small firms are often more vulnerable due to their website architecture.
Again, the clue's in the name, as this type of malware is like a Trojan Horse which enters your system under the guise of a legitimate piece of software. Once there, it can perform a number of functions, including deleting, modifying or stealing data. Unlike worms and viruses, they cannot replicate themselves, but they can be just as damaging.
Malicious or not, human error is the most common reason for cyber-attacks and data breaches, with studies showing it's responsible for as many as 95 per cent of incidents. A breach can be caused by anything from employees accidentally sending sensitive information to the wrong email, losing their company smartphone, using default passwords or occasionally with criminal intent. Yet despite the risks, many small companies don't have the necessary controls, training and communication in place to mitigate against breaches of this kind.
How to keep your business cyber-safe
Carry out a risk assessment
First things first, a cyber risk assessment helps you understand the areas you need to protect and those where you could be most vulnerable. Start by auditing the data and information you hold that is most valuable. This will give you a good idea of where you need protection. Then look at how you store this data, who has access to it and how it's protected, to understand where you could be most at risk.
If you're not confident carrying out a risk assessment, then you might want to consider hiring an expert to do this for you.
Implement strong network and workstation controls
Once you've identified your most valuable data assets, cover all the bases to secure it with the appropriate technology, including firewalls, anti-malware and anti-virus software on all your computers and devices.
Here are some of the controls that will make a big difference to your cyber security:
- Install security software on your company website and keep all its scripts up to date
- Implement a properly configured firewall through a dedicated resource
- Apply current and up-to-date patches on everything, including the gadgets owned by employees
- Implement SaaS-based security services, which are often less expensive than traditional software
- Use secure cloud-based applications
- Implement solutions like VPN (virtual private network) so remote access is secure
- Implementing a disaster recovery site that can take over in case of a DDoS attack
- Have a static page to keep customers informed if your order page goes offline
- Access controls, so that employees only have access to information they need
If you don't have any dedicated IT expertise in house, it's probably best to consult a cyber security expert.
Communication and training
The right technology is of course important, but getting your people and processes up to speed perhaps even more so. Yet this is an area that is often overlooked.
Your communication should begin with a cyber security framework, outlining key processes and procedures, what staff should and shouldn't do, and the potential repercussions if the guidelines aren't followed. The exact issues covered will vary from business to business but potential topics could include:
- Guidance on handling sensitive information
- Stipulations regarding password security
- A policy covering remote working and the use of personal devices
- How to look out for, report and respond to a security issue
- Required checks on suppliers to ensure they are complying with security best practice
You should ensure the cyber policy is easily accessible to all employees, is updated regularly, and that staff are also given training around the issues at least every 12 months.
Build a security centric culture
It's easy to overlook the fact that sensitive information accompanies your employees inside and outside the office premises, and that it needs to be protected at all times. Here's some mandatory rules that will keep your data safe when your employees are on the move:
- Make employees use complex passwords – see 5 password tips for better SME security
- Introduce passwords that automatically expire and need to be renewed
- Block access to certain websites that pose risks to the security of your data.
- Encrypt all smartphones used for business purposes.
Monitor your vendors
Many small businesses aren't aware of the amount of information that their vendors have access to and this can also pose a serious security risk. Checking a vendor's security controls should form part of the vetting and onboarding process. Things to look for include:
- How your data will be stored
- Access controls for the vendor's employees
- Frequency of vendor risk assessment
- Compliance with General Data Protection Regulations
An insider threat can be a current or former employee, service provider, supplier, contractor, or anybody else that may be able to gain access to your confidential data. These individuals are likely to have access to sensitive information, often with the responsibility to protect it, leading to severe consequences if it turns out they can't be trusted. We've outlined some simple steps your business can take to prevent employee misuse of data.
Periodic assessment of vulnerabilities
Finally, periodic testing should be carried out to identify impending security risks to your network. In this scenario, third parties can be hired to do the stress testing to identify any loopholes in the system, so they can be plugged before it's too late.
What happens if you're hit by a cyber attack?
Even with the best technology and security measures, sometimes you're powerless to stop a breach. This is where an effective response plan comes in, enabling you to control the situation as quickly as possible, with minimum impact to you and your customers.
Yet, despite its importance, only 30 per cent of organisations have a breach response plan in place, potentially leaving them floundering in the event of an attack.
An effective response plan should include the following elements:
- Your legal response: You need to outline how you'll handle the legal aspects of the breach, for example informing the Information Commissioners Office (ICO) of the issue and defending your business against any claims of negligence.
- Handling media queries: Your business could be the focus of media attention following a breach, so be ready to handle all external communications about what happened and how you're handling it. You are likely to need professional PR expertise to do this effectively.
- Finding out what happened: You'll also need to have IT forensics experts on hand to find out what caused the breach, with a view to rectifying the problem quickly and ensure it doesn't happen again.
- Informing customers: Depending on your customer-base and the scale of the breach, you could have a lot of unpleasant phone calls to make! You'll need to be ready with a way to handle this communication efficiently.
How can cyber insurance help?
If the worst does happen and you're facing the repercussions of a data breach, your final line of defence is a watertight cyber insurance policy. Covering you for breach of data protection laws (where insurable by law) and your liability for handling data, it can also provide cover for extortion, system rectification costs, plus PR expenses and financial loss due to system downtime.
Some key aspects to look out for include:
- The Information Commissioners Office (ICO) can impose two distinct levels of fines based on breaches of the General Data Protection Regulations (GDPR). The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. The potential fines are substantial and a good reason for companies to ensure compliance with the Regulation. The Superscript cyber insurance policy will cover notification costs, legal fees defending regulatory action, and in some cases the penalty itself (where this can legally be insured).
- Cover for your out-of-pocket expenses, which could include system repair costs, lost income while the system is down, or even ransom payments to hackers.
- Cover for your website, blogs and social media, for copyright or trademark infringement, or defamation etc.
With cyber-crime and data leaks on the rise, it's not a case of 'if' your business will be hit, but more a case of 'when'. Getting up to speed on the scale of the threat and how best to protect your systems, will put you into "prepared mode" and keep your business out of the cyber spotlight.
For more cyber security and insurance advice, check out our cyber insurance guide, drop us a line at firstname.lastname@example.org or give us a call on 0333 772 0759 to discuss how cyber insurance can help your business.