Following Russia’s invasion of Ukraine, the National Cyber Security Centre (NCSC) used its weekly threat report to call on UK organisations to bolster their online defences.
While the NCSC is unaware of any current threats to UK organisations, it is important that steps are taken to improve cyber resilience in the event of an attack.
Historically, cyber-attacks on Ukraine have had wider international consequences, and the NCSC’s guidance sets out some actions which will help reduce the risk of falling victim to an attack.
The actions to take when the cyber threat is heightened is available to read on the NCSC website https://www.ncsc.gov.uk/report/weekly- threat-report-25th-february-2022
State of the Phish
Cyber security company Proofpoint released its annual “State of the Phish” report in February 2022, revealing the impact of phishing attacks in 2021.
According to its findings, 91% of UK companies surveyed experienced at least one successful email-based phishing attack last year – with 84% reporting email-based ransomware attacks. Almost 60% of those infected with ransomware paid a ransom.
Ransomware is the biggest cyber threat facing UK organisations, both large and small, and phishing is a common vector for cyber criminals to infect networks.
We know that phishing emails are getting harder to spot, but there is guidance available on what to look out for, and how to improve your organisation’s resilience. Raising staff awareness of the threat is also vital.
We’d also encourage all organisations to familiarise themselves with the NCSC advice on mitigating malware and ransomware attacks.
So, with the post COVID world still adjusting to hybrid working, a surge in online crime and the potential spill over from Russia’s cyber-attacks on Ukraine, there’s never been a more important time for SMEs to have the right cybersecurity strategy in place.
So what can UK SME’s do to protect themselves?
For many small to medium-sized businesses, it’s just not feasible to spend a significant proportion of profit on a cyber protection strategy that could withstand attempted breaches from hacker collectives or a rogue nation state.
However, you can:
- Educate your employees about cybersecurity; creating an environment where they take responsibility for safeguarding the company data and the integrity of the system. This includes only using secure systems for communicating with colleagues wherever possible, and not sharing information via personal email, as well as the obvious avoidance of clicking on links you’re not 100% certain about.
- Minimise the threats posed by malicious employees – from restricting access to sensitive data, banning the use of removable memory hardware and limiting bring your own device (BYOD) use.
- Keep your security software and operating systems up to date
What about cyber insurance?
According to the UK Government’s 2021 Cyber Security Breaches Survey, less than half – around 43% – of UK businesses currently buy cyber insurance1. This is despite 27% of the businesses surveyed stating they suffered an attack at least once a week, with the average cost of a system breach being £8,460.
Here’s a sample of some of the reasons businesses don’t believe they need cyber insurance:
- We’ve never been hacked before
- We’re compliant with GDPR, PCI DSS and other regulations, so we’re secure
- We’ve invested in IT security, so we don’t need cyber Insurance
- We outsource IT, so we won’t be exposed to an attack
- We don’t collect or store any sensitive data, so cyber Insurance isn’t necessary
- We’re too small to have a cyber attack
- We’re already covered under other insurance policies
However, for many businesses, the reality is that they were targeted; their systems weren’t robust enough to prevent a breach, and there was no insurance cover in place to help cover the costs.
Cyber insurance is a valuable tool to consider in your cyber strategy; many policies can be tailored to provide cover for the areas that most businesses are concerned about – social engineering, phishing, and ransomware. Some of the policies can also provide access to specialist support in the event of a system breach, help identify why and how the breach occurred, as well as offer advice on preventing further breaches.
Insurers also actually pay claims – also according to the same ABI report, 99% of claims made on their members policies were settled in 20182.
Given that your IT system is probably vital in keeping your business trading, can you really afford not to have access to specialist advice and a financial safety net should that life- support get interrupted?
Notes:
https://www.ncsc.gov.uk/report/weekly-threat-report-4th- march-2022
https://www.gov.uk/government/statistics/cyber- security-breaches-survey-2021/cyber-security-breaches- survey-2021
The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Pen Underwriting Limited and OAMPS, part of Pen Underwriting Limited, accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.
OAMPS is part of Pen Underwriting Limited which is authorised and regulated by the Financial Conduct Authority (FCA number 314493). Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 5172311.
