Cyber security Is your business ready?

Cyber risk experts from Hiscox Insurance shared the findings from their 2021 Cyber Readiness Report and discussed the tools businesses need to prepare for the cyber threats of tomorrow.

Following a year of multiple lockdowns, uncertainty and a new way of working, the cyber threats that businesses are facing, and the ways organisations can protect themselves have evolved – and quickly. Our ‘Building Resilience Against Cyber Risk’ webinar identified the cyber challenges businesses have faced over the past 12 months and what they can do to better protect their future.

The Institute of Directors’ Senior Policy Advisor, Joe Fitzsimons, was joined by Hiscox Insurance’s Cyber CEO, Gareth Wharton, and the Hiscox UK Cyber Underwriting Manager, Stephen Ridley, who talked through the key findings of the fifth annual Hiscox Cyber Readiness Report and the implications for business.

Stay up to date

Prior to the webinar, the IoD conducted a survey which revealed that 30% of businesses are more vulnerable to cybercrime since the pandemic. A live poll during the webinar had similar findings, with 22% of respondents acknowledging their organisation had suffered a cyber-attack in the last 12 months – perhaps unsurprising, considering that another live poll found that 46% of organisations had not increased their cyber defences during the pandemic.

So why have cyber-attacks gained traction during the pandemic? Increased home working has made navigating cyber security all the more challenging, with Wharton explaining: “More remote working provides new challenges, with businesses often having to set up new remote-access systems.”. This change in working style has forced IT departments to change how they provide access to staff now that a huge percentage are working at home.  This means new systems (often VPN services, which are being frequently targeted by ransomware gangs), and therefore potentially new vulnerabilities and new services to patch and protect.  Cyber is a complex risk, but it’s not an impossible risk. Doing the simple things well will stand you in much better stead.” said Wharton

Ransomware attacks are becoming more targeted

The Cyber Readiness Report also reveals that around a sixth of firms reporting cyber-attacks had to deal with a ransomware demand, with just over half those targeted (241 firms) paying out a ransom, either to recover data or to prevent publication of sensitive information. The cost of these payments totalled $7.3 million.

“Criminals are getting much more savvy about ransomware,” said Ridley. “It used to be a stack-it-high, sell-it-cheap style model. Now it’s becoming much more targeted.” Once criminals gain access to a system, they’re doing a lot more in terms of working out business revenue, how reliant the business is likely to be on its systems and what the damage to the business would be if data was exfiltrated – and then charging what they deem a ‘realistic’ ransom based on that information.

The report also showed that phishing emails in particular are a favourite tool of the extortionists, with almost two-thirds of ransomware victims citing this as the method of entry. Wharton warned that the successful phishing emails focusing on the spread of Covid-19 are likely to shift to vaccine information and sign-up requests – something for companies and individuals to look out for as the vaccination drive continues.

The businesses deemed cyber security experts by Hiscox are considerably less likely to be targeted in a ransomware attack, and less likely to pay ransoms, which Wharton explained does more than just protect an organisation: “We’re getting to a stage where cyber security is becoming a business advantage.”

The future: back to basics

There are a number of ways businesses can prevent or minimise damage when it comes to a cyber-attack. In fact, being prepared for a cyber-attack is now very much seen as a business advantage – yet it’s one that not all businesses understand.

Ridley outlined a number of tips to help businesses improve their cyber security defences:

1. Share the risk. In other words, have a standalone cyber insurance policy – Hiscox found 27% of businesses have a standalone policy, a slight increase yoy.
2. Make sure someone is responsible. Nearly half of firms with fewer than 10 employees had no defined role for cyber security.
3. Deal with key vulnerabilities. Address existing threats, such as email server updates – the threats you know about are the ones that are easiest to defend. In fact, since 2020, more smaller companies are increasing their IT spend, which is a very good sign.
4. Back up – ideally off-site, because this puts the business in a far better position to recover any lost data.

By doing the above, Ridley confirms you can improve your cyber expertise which, he says, “is a key piece of the puzzle”.

But a take-home not to be missed is the human factor. “It’s easier to change technology, but changing people, their mindset and the culture around cyber security is much more difficult,” said Wharton. “A holistic approach is really important.”

Ridley concluded by pointing to the gap that exists when it comes to the training of employees in cyber security – something as simple as knowing how to spot a phishing email. “There’s a bit of a way to go to realising that employee training is a really critical part,” he said. “It’s something that can be quite easily overlooked, but is fundamental in making sure businesses are prepared for cyber incidents.”

Hiscox wants to help your small business thrive. Their blog articles will contain lots of useful information relevant to your growing business. But these articles do not constitute professional advice and must not be construed nor relied upon as such. To find out more on a subject we cover here, please seek professional assistance, specific to your circumstances.

*Any discount is only applicable to policies introduced via the Institute of Directors, whether existing or new, but could not be applied to policies that are being managed by an alternative third party such as an insurance broker.

Discount available for the lifetime of your policy applies on renewals while the Institute of Directors remains an Introducer Appointed Representative of Hiscox Underwriting Ltd.

Terms and conditions apply. For full terms and conditions see hiscox.co.uk/IoD/business-insurance.

The Institute of Directors is an Introducer Appointed Representative of Hiscox Underwriting Ltd. who is authorised and regulated by the Financial Conduct Authority. For UK businesses only.