
Cyber Awareness Month: Prepare for the when, not if, of a cyber attack

In our October issue, we explored the vital importance of business continuity planning – how organisations can maintain operations when digital systems go down, and the practical steps needed to stay resilient during disruption.


As we move on from October – the month dedicated to Cyber Security Awareness – we turn our focus to prevention. In this issue, Karl Jones of OAMPS examines how businesses can strengthen their cyber defences to avoid an outage in the first place, and why proactive cyber resilience is now an essential part of every continuity plan.

With so many big brands falling victim to crippling cyber attacks in the past few months alone, 2025’s Cyber Awareness Month arrived at a time when cyber security was a more prominent issue than perhaps ever before.

Britain’s largest automotive employer, major manufacturer Jaguar Land Rover, may have dominated those headlines for the past month, ever since it halted production back on 1 September, but the retail giants of M&S, Harrods and Co-op, as well as numerous aviation-related incidents, have all received widespread media attention too.

Whatever the motivation for these attacks, or the specific tactics used, the most important thing to remember is that it’s not just these well-known names that are being targeted. SMEs are also in the firing line. Statistics show cyber attacks are fast becoming a question of when, not if, and yet levels of cyber insurance take-up remain relatively low.

Research earlier this year by cyber insurance specialist Pen Underwriting found that firms in the UK and Ireland are five times more likely to be the target of a cyber-attack than to suffer flood damage, and yet fewer than half (47%) have dedicated cyber cover. Of those targeted in the past five years, 81% said the attack posed a serious threat to their business, 74% had suffered disruption and financial loss – and 80% had been targeted more than once.

The picture is starker for SMEs. UK cyber security statistics also show that 43% of cyber-attacks target SME businesses, and 60% of the SMEs that fall victim to a cyber-attack go out of business within six months.

Business owners barely need a reminder that cyber security matters when high-profile attacks on critical infrastructure have rippled across the globe in recent years, leaving communities, corporations and countries without access to resources like gas, goods, transportation and more. It’s more important than ever that steps are taken to improve cyber resilience in the event of an attack.

Ransomware is the biggest cyber threat that UK organisations face, and phishing is a common route for cyber criminals to infect networks. We know that phishing emails are getting harder to spot, but there is guidance available on what to look out for, and how to improve your organisation’s resilience. The UK government’s Cyber Security Breaches Survey 2025 found that phishing accounted for 93% of all cyber-crime in the UK.

We’d encourage all organisations to familiarise themselves with the National Cyber Security Centre (NCSC) advice on mitigating malware and ransomware attacks.

So, how can SMEs protect themselves?

For many small- to medium-sized businesses, it’s just not feasible to spend a significant proportion of their profit on a Cyber protection strategy. However, here are some things they can do:

  • Educate your employees about their role in your organisation’s cybersecurity
  • Use Multi-Factor Authentication (MFA)
  • Ensure regular software/security updates are carried out
  • Sign up to Cyber Essentials (https://www.ncsc.gov.uk/cyberessentials/)
  • Implement a strong password management system (including hardware/firmware system-set passwords)
  • Control access to sensitive data or systems
  • Take daily backups that are kept off-site

What about Cyber insurance?

According to the UK Government’s 2025 Cyber Security Breaches Survey, around 43% of UK businesses currently buy Cyber insurance, although the number that have a specific Cyber insurance policy is only around 18% for SMEs. This is despite 43% of the businesses surveyed stating they suffered an attack in the previous 12 months.

Here’s a sample of some of the reasons businesses don’t believe they need Cyber Insurance:

  • We’ve never been hacked before
  • We’re compliant with GDPR, PCI DSS and other regulations, so we’re secure
  • We’ve invested in IT Security, so we don’t need Cyber insurance
  • We outsource IT, so our provider will cover any costs if they’re hacked
  • We don’t collect or store any sensitive data, so Cyber insurance isn’t necessary
  • We’re too small to have a Cyber attack
  • We’re already covered under other insurance policies

For many businesses, the reality is that they were targeted; their systems weren’t robust enough to prevent a breach, and there was no insurance cover in place to help cover the costs.

It’s important to remember that specialist cyber insurance policies offer much more than simple indemnification of costs incurred. They can offer firms not only the proactive risk management tools and training to maximise their resilience, but also immediate access to a range of breach response expert services should the worst happen.

This post-incident provision will seek to maximise speed of data and systems restoration and thus minimise any downtime. Typically, both risk management and breach response services are provided at no additional cost.

Cyber insurance is therefore a valuable tool to consider in your Cyber strategy; the better policies now include:

  • Vulnerability scans and ongoing monitoring
  • Browser firewall
  • Inbox protection
  • Phishing simulations
  • Tailored training for employees
  • Access to specialist support in the event of a system breach

These policies can also be tailored to provide cover for the areas that most businesses are concerned about – social engineering, phishing, and ransomware.

For more information, get in touch with the OAMPS team: www.oamps.co.uk/contact

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Pen Underwriting Limited and OAMPS Hazardous Industries (part of Pen Underwriting Limited) accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.

Image credit: iStock/Smederevac