In this article, we hear from Karl Jones of downstream fuel industry insurance specialist Oamps, who discusses the actions that can be taken to both avert cyber risks and to minimise business impacts of any such attacks.
Although big names including the BBC, Boots and British Airways are currently deciding how to react to ransom demands from Russian hacker group “Clop” (who have stolen personal data of more than 100,000 members of staff), the announcement that a recent ransomware attack pushed KNP Logistics into administration is a reminder that the cyber threat exists for businesses across the financial spectrum.
Business owners barely need a reminder that cyber security matters when high-profile attacks on critical infrastructure have rippled across the globe in recent years, leaving communities, corporations and countries without access to resources like gas, power and more. So, it is now more important than ever that steps are taken to improve cyber resilience in the event of an attack.
Cyber security company Proofpoint released its annual “State of the Phish” report in February 2023, revealing the impact of phishing attacks in 2022. According to its findings, eight out of ten UK organisations (82%) experienced an attempted ransomware attack in 2022, with 62% suffering a successful infection. Of those infected, just 33% of organisations were able to regain access to data after paying an initial ransom.
Improving resilience
Ransomware is the biggest cyber threat facing UK organisations, both large and small, and phishing is a common vector for cyber criminals to infect networks.
We know that phishing emails are getting harder to spot, but there is guidance available on what to look out for, and how to improve your organisation’s resilience. Raising staff awareness of the threat is also vital.
We’d encourage all organisations to familiarise themselves with the NCSC advice on mitigating malware and ransomware attacks.
In a survey by the SANS Institute, around 40% of ethical hackers said they can break into most environments they test, if not all. Nearly 60% said they need five hours or less to break into a corporate environment once they identify a weakness.
The SANS ethical hacking survey, in partnership with security firm Bishop Fox, was the first of its kind and collected responses from over 300 ethical hackers working inside organisations in different areas and experience levels of information security. The survey also revealed that on average, hackers would need five hours for each step of an attack chain: reconnaissance, exploitation, privilege escalation and data exfiltration, with an end-to-end attack taking less than 24 hours.
So, with the post-COVID world still adjusting to hybrid working, a surge in online crime and the potential spillover from attacks on the UK’s schools, the Electoral Commission and the Royal Mail, there’s never been a more important time for SMEs to have the right cybersecurity strategy in place.
So what can UK SMEs do to protect themselves?
For many small to medium-sized businesses, it’s just not feasible to spend a significant proportion of their profit on a cyber protection strategy that could withstand attempted breaches from hacker collectives or a rogue nation state.
However, you can:
• Educate your employees about cybersecurity, creating an environment where they take responsibility for safeguarding company data and the integrity of the systems. This includes using only approved, secure systems for communicating with colleagues wherever possible, not sharing company information via personal email, and the obvious avoidance of clicking on links you’re not 100% certain about.
• Minimise the threat posed by malicious employees: restrict access to sensitive data, ban the use of removable storage devices, and limit bring your own device (BYOD) use.
• Keep your security software and operating systems up to date.
What about cyber insurance?
According to the UK Government’s 2022 Cyber Security Breaches Survey, under four in ten businesses (37%) reported being insured against cyber security risks. This is despite 32% of businesses suffering a breach in the last 12 months, a figure that is much higher for medium businesses (59%) and large businesses (69%). The average (mean) annual cost of cyber crime for businesses is estimated at approximately £15,300 per victim.
Here’s a sample of some of the reasons businesses don’t believe they need cyber insurance:
• We’ve never been hacked before
• We’re compliant with GDPR, PCI DSS and other regulations, so we’re secure
• We’ve invested in IT Security, so we don’t need cyber insurance
• We outsource IT, so we won’t be exposed to an attack
• We don’t collect or store any sensitive data, so it isn’t necessary
• We’re too small to have a cyber attack
• We’re already covered under other insurance policies
However, for many businesses the reality is that they were targeted, their systems weren’t robust enough to prevent a breach, and there was no insurance cover in place to help meet the costs.
Cyber insurance is a valuable tool to consider in your cyber strategy; many policies can be tailored to provide cover for the areas that most businesses are concerned about – social engineering, phishing, and ransomware. Some of the policies can also provide access to specialist support in the event of a system breach, help identify why and how the breach occurred, as well as advice on preventing further breaches.
The OAMPS team are happy to provide further information on this important issue and can be contacted via: https://www.oamps.co.uk/contact
The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Pen Underwriting Limited and OAMPS Hazardous Industries (part of Pen Underwriting Limited) accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.
OAMPS Hazardous Industries is part of Pen Underwriting Limited which is authorised and regulated by the Financial Conduct Authority (FCA number 314493). Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 5172311.
Image credit: Dreamstime