Blog: Cyber-Security Breaches – A Fact of Life?
By James Callender, account manager at insurer Lockton Companies LLP
Last week’s announcement that the NHS had been a victim of a massive cyber-attack managed to be both frightening and unsurprising. Frightening because it shows the ability of hackers to disrupt and challenge the most essential services in our society. Unsurprising because it seems that the NHS is just one in a long line of high-profile organisations that have suffered a cyber-security breach.
From Sportsdirect to Three Mobile to Ashley Madison, and now the NHS, the list seems endless and new names are constantly being added. It includes some of the most prominent and technically sophisticated firms in the world.
The cynical amongst us might think that the only reason that the list is not longer is simply because some organisations have been able to keep their breaches from public view. Indeed, the fact the Information Commissioner’s Office (ICO) sees fit to levy a fine of £1,000 on those firms that fail to disclose a breach shows that this is a real problem.
A case in point is a report into data security breaches at Yahoo, filed with the US Securities and Exchange Commission earlier this month, which detailed a catalogue of data security breaches going back to 2013. This was explosive, resulting in the resignation of Yahoo’s General Counsel and the CEO Marissa Mayer losing a considerable portion of her salary. The reputational damage to the Silicon Valley giant can only have been magnified by its failure to properly disclose the breaches in good time.
And it’s not just high-profile tech firms that face this threat; SMEs can often find themselves victims. In 2015 Ellen Conlin Hair & Beauty, which has salons in Glasgow’s West End and Giffnock, was forced to pay a ransom of EUR1000 after hackers locked the firm’s owners out of the systems necessary to run the business. In 2016 the Scottish Business Resilience Centre estimated that 1 in 3 companies have been breached by ransomware in this manner.
There are three separate dynamics that are fuelling the extent of today’s cyber-security threat to business.
Firstly, there is a tremendous amount of opportunity for cyber-criminals. These days it is difficult to find a company, organisation or individual that does not depend in large part on IT devices and the internet to carry out their day-to-day activities. It is only a slight exaggeration to say that we are all potential targets.
Secondly, the internet has made it far easier for individuals to acquire the skills and knowledge to carry out cyber-attacks. In its report ‘The Cyber Threat to UK Business 2016/17’, the National Cyber Security Centre noted: “The technical skill required to commit cyber-attacks continues to decrease. Malware… easily acquired on the dark web which means the number of individuals capable of launching basic cyber-attacks is increasing.”
Finally, the consequences of simple human error have never been greater. The vast majority of cyber-security breaches occur by accident rather than by malicious act. In its report on data security trends in Q3 2016, one of the ICO’s headlines was a 43 per cent increase in failures to use bcc in emails, a simple mistake that many of us have been guilty of in the past.
However, the combination of the communications revolution engendered by technology and increasing sensitivity regarding the use of personal data means that such mistakes can be disastrous. For instance, the EU’s General Data Protection Regulation, which comes into force in 2018 (and, yes, it will most likely be followed by the majority of post-Brexit UK firms), includes fines of up to 4 per cent of global turnover for data security breaches. Human error is no worse than before, but the stakes are far higher.
What can businesses do about this? The most obvious step is to improve their own data-protection procedures. Crucially, they must realise that the ‘tech’ is only part of the solution. Cyber breaches occur because of people, and it is crucial that staff receive appropriate training to understand their responsibilities and what they need to do to maintain cyber security.
The next most obvious step is that businesses need to make plans for what they will do if they suffer a cyber-security breach. One of the best ways to do so is by arranging cyber-liability insurance. These products serve two functions.
Firstly, they provide compensation to businesses for losses suffered due to incidents such as security breaches, network interruption and cyber extortion.
Secondly, and perhaps more importantly, they also provide a comprehensive service proposition of experienced professionals, from forensic accountants to IT specialists to expert lawyers, who can intervene quickly to investigate the incident, repair the damage and mitigate the loss. Having this infrastructure waiting in the wings is of real value to businesses as it guarantees that, should they suffer a cyber-attack, help is close at hand.
This is a novel area of insurance and there is a general lack of awareness and understanding of the service amongst brokers and businesses.
The cyber-security threat is a fact of modern life. It will not go away and it cannot be ignored. It can, however, be countered and it is crucial that we all take the time to understand how to do so.