Cyber Security

 

Myth: We have Anti-Virus software and a firewall, so it's unlikely we will be hacked.

Firewalls and anti-virus software make you less vulnerable to known viruses but don't guarantee you won't be hacked. Even corporations who spend millions on IT security get hacked every day. People are often the weakest link in the security chain. According to IBM, 95% of cyber-attacks are a result of human error.

Myth: We don’t hold any sensitive data so no one would be interested in attacking us.

Every business that relies on a computer system (and that’s pretty much everyone!) is a possible target. If you bank online, send emails or hold any client information online then your business is a target. Cyber breaches can sometimes be more than just stealing data - the aim can be to cause maximum business interruption.

Question: Why is it getting harder for staff to identify suspicious emails?

Cyber threats are evolving and becoming more sophisticated. They're not the far-fetched email scams we used to see. Emails can look like they're from genuine sources, even from your colleagues or your boss. It’s very difficult for employees to spot suspicious emails.

Myth: We outsource our IT so we don’t have to worry about things like cyber-security.

Using an IT expert is smart but you’re still exposed, responsible and probably liable. If your data is lost or stolen, you're accountable for notification requirements, regulatory investigations and fines. It’s your reputation on the line. And if your IT provider suffers business interruption, you could also find yourself out of action. Claiming back losses from an IT partner can be tricky, with tight contractual terms limiting their liability.

Myth: Hackers only go after big business. We’re too small to be a target.

Cyber criminals target the most vulnerable businesses, not just the most valuable. We don’t hear about these cyber-breaches so much in the news, but a recent UK report found that 58% of cyber-security victims were small businesses. Cyber criminals see SMEs as easy targets because they don’t have sophisticated IT systems and processes and are also more likely to ‘pay’ than spend money on IT consultants, lawyers or PR consultants to deal with a security breach.

Question: Could a cyber-attack put me out of business?

Most businesses do recover over time but there are many that don’t.

The impact of an attack is much greater than you think:

Not being able to operate for days, even weeks, can reduce your revenue and ability to pay staff and suppliers.
Inability to service clients can mean they go elsewhere.
You lose the trust of clients.
Your ability to attract new clients can be reduced.
You may have fines to pay.
Your clients could make claims against you to cover their losses.
Many business owners suffer serious emotional and physical stress.


Myth: No one ever pays those ridiculous bitcoin ransoms.

Many companies do pay and that’s why cyber criminals keep doing it.
It’s estimated that around 55% of small businesses pay out. The Better Business Bureau says the average annual loss is about $US80,000. Best practice is NOT to pay the ransom. Just because a ransom is paid, it doesn't necessarily mean that the criminals are out of your system, or are going to give back your data in its original state. It could also lead to more attacks if cyber criminals know that you will pay.


Myth: We back up all our systems so a cyber-attack would only affect us for a short time.

Backing up data regularly may make it quicker to get up and running again but it’s not a fool-proof strategy. Best practice is to tell clients that others have accessed their data.
You don’t know what the hacker might do with that data in the future. Regardless of downtime there are still significant financial and reputational impacts. Back-ups won’t help if a hacker accesses your bank accounts.


Myth: If a hacker really wants to get in to our systems they'll find a way.

The sad reality is that this is actually true. Many of the world’s biggest companies, with huge IT security budgets, have been hacked. But that doesn’t mean that you shouldn’t make it difficult for them and do all you can to minimise the impact. Often hackers are opportunists, looking for those who haven’t been as careful as they should be, rather than targeting specific companies.

Myth: We have business insurance so we’ll be covered if anything happens.

Unfortunately this is not always the case. Many traditional business insurance policies – like fire and general and professional indemnity – won't cover you in the event of a cyber incident.
Standalone cyber policies have been developed based on a better understanding of potential risks and impacts. They are purpose-built and provide broader cover.

To reduce your risk:

Keep all your software up to date.
Have a policy for responding to any suspicious activity.

To reduce your risk:

Back up your data regularly.
Use firewalls to separate the external world from your internal data and systems.
Have a business continuity plan in place.

To reduce your risk:

Keep your virus software up to date.
Train your people and offer regular refreshers.
Have a policy for dealing with suspicious emails.
Use two-step authentication.

To reduce your risk:

Ask your IT provider what their insurance covers and what their business continuity plan entails.
Have a business continuity plan in place.
Review the contracts with your service providers.

To reduce your risk:

Back up your data regularly.
Train your people.
Know what your IT provider's insurance covers.
Have a business continuity plan in place.

To reduce your risk:

Have a business continuity plan in place.
Take out cyber insurance.

To reduce your risk:

Have a clear policy outlined on ransom and extortion payments.
Create a business continuity plan or incident response plan.
Take out cyber insurance.

To reduce your risk:

Test your back-ups to make sure you are backing up correctly and effectively.
Have a cyber-security plan including other mitigations, not just back-ups.


To reduce your risk:

Have a cybersecurity plan that identifies your key risks.
Identify your most vulnerable threat areas and put policies and tools in place to minimise the impact.

To reduce your risk:

Talk to a Crombie Lockwood broker about the cyber protection that’s right for your business.
Consider taking out a cyber policy which offers incident response support. This will help you minimise the business and financial impact, and reduce the need to claim on insurance.