Michael Whitfield: Managing Director of CPP Group UK
Look up “cyber risk” online and you’ll struggle to find an authoritative definition – not so much as a Wikipedia entry. Like other kinds of risk, cyber risk is a notoriously nebulous and abstract concept.
This makes it difficult to visualise the full impact of a cyber incident, which may go some way to explain the relative slowness of both businesses and individuals to regard cyber risk with any kind of seriousness. After all, how do you manage the indefinable?
No matter how remote the cyber threat seems, or how ubiquitous a “not me” mentality is, in reality no person or business is exempt from cybercrime. This includes SMEs – a cohort who may assume immunity on account of their size. The UK’s 5.9 million SMEs are the target of 62% of cyberattacks, and the financial recovery from those attacks cost them a staggering £13.6 billion in 2018 alone.
CYBERCRIME ON THE RISE
This is not an isolated example. Across the board cybercrime is escalating. In its annual report published this November, the UK’s National Cyber Security Centre reported a 10% rise in all incidents – the highest level since the Government-backed organisation was formed in 2016. The repercussions of cybercrime can be devastating: over 50% of UK companies hit by a cyberattack go out of business within 6 months, and even if they survive the financial cost, there is also the reputational damage to contend with.
Nor is the threat set to subside. The digital expansion that has so unequivocally transformed our professional and personal lives in recent years has been rapidly accelerated by Covid-19. Remote working, combined with the need for enlarged digital capabilities, has further entrenched widespread dependency on technology. To put this in perspective, UK households are predicted to contain an average of around 50 different internet-connected devices by 2023.
With the introduction of more software and functionality comes greater cyber exposure. Take the hospitality industry: now the unexpected custodians of huge personal data sets, cafes and restaurants represent an increasingly appetising target for cyber criminals.
RISK MANAGEMENT IS CRITICAL
Prevention and mitigation, often through the use of technology, remain the best way to tackle this growing threat. Software exists that can detect, profile and assess cyber risks, equipping users with actionable insights that help to fortify security and ultimately mitigate a cyberattack. Easy-to-use tools (such as CPP’s OwlDetect, for example) constantly monitor security gaps in a user’s digital assets and the dark web, providing expert insight into cyber risk exposure. If any sensitive data, such as bank details or passport numbers, has been compromised, OwlDetect automatically alerts the victim and proposes the remedial measures that need to be taken. Using preventative software like this limits the possibility of threats turning into serious attacks.
Thankfully, risk management is no longer the preserve of IT consultants. However, before anyone starts to deploy sophisticated software and risk mitigation tools, businesses and their employees need to develop a much better awareness of exactly what risks they face on a daily basis.
60% OF CYBER INCIDENTS DOWN TO NEGLIGENT EMPLOYEES
For businesses, risk management has a cultural as well as an operational dimension. 81% of employees do not receive any formal training on cybersecurity, even though 60% of incidents in SMEs can be traced back to a negligent member of staff. Workforces dispersed by Covid-19 have significantly increased this danger. To use a recent example, a finance manager received a spoofed email, purportedly from their own CEO, asking for an emergency funds transfer to be made to a third party. The request appeared to be completely legitimate, to the extent that the employee complied. The business did not hold the necessary cyber risk insurance and the money was permanently lost.
It is crucial to properly educate staff to recognise threats. They then need to learn how to escalate threats appropriately when they arise. This requires businesses to cultivate a supportive culture that encourages openness and transparency around how information is shared. Otherwise, incidents like the example above can quickly take on devastating proportions.
PRACTICING GOOD CYBER HYGIENE HABITS
Among consumers, poor cyber literacy often manifests itself in small and mundane ways: weak password security, using public wireless networks on private devices, or opening suspicious emails – all of which virtually invite cyber criminals to strike. Easy access to emails, for example, provides hackers with a wealth of information which they can exploit – not just personal data, but also other indirect exposures such as lifestyle choices and frequently used online services. As a result, data breaches involving emails and passwords rose 10% between 2018 and 2019, and we anticipate we’ll see a similar pattern in 2020. Practicing good cyber hygiene habits – from regularly updating passwords and upgrading obsolete software to enabling two-factor authentication – easily and effectively minimises the risks.
Such vigilance does not guarantee exemption from the consequences of bad things happening, though. Simple human error, or just the bad luck of becoming exposed to especially competent hackers, can be crippling. In these circumstances, cyber insurance can play a pivotal role. While cyber insurance should always be the final line of defence in any cyber risk management plan, it remains a surprisingly underutilised resource – only 10% of SME businesses have it in place.
HAVING THE RIGHT CYBER INSURANCE IN PLACE
Businesses make a serious mistake when they treat cyber insurance differently from the other insurance policies they wouldn’t dream of being without. Companies rightly continue to take out insurance against fire and burglary; it’s a sad fact, though, that losses are much less likely to arise in these areas than as a result of cybercrime. Cyber insurance doesn’t just indemnify customers for financial losses; it also provides expert assistance to help rectify problems and re-establish trading when cybercrime occurs.
The dual approach of implementing preventative risk management and also taking out appropriate insurance is a very sensible strategy. Being entirely cyber risk-free is a pipe dream. It’s not about finding a panacea to cybercrime either; frankly, the methods cyber criminals use evolve too quickly for that. What businesses need to do is tackle the threats from various angles. Encouraging a culture of good cyber hygiene and security is a great place from which to start. Putting in place a good-quality cyber insurance policy, which “kicks in” when things do go wrong, should then provide all the protection that a firm will ever need.