Cyber Risk is the fastest-growing exposure for small businesses in Australia. With the changing environment brought on by Covid-19, we saw an enormous increase in workforces operating remotely and working from home. This has significantly increased the exposure to cyber risk. Claims data shows that, historically, cyber criminals simply encrypted data and demanded money for it to be restored. Now they are moving into more sophisticated crime, stealing data and demanding high ransoms for its return. This raises the question: are they actually returning the data, or just a copy of the data? In one recent example, an Australian business incurred $350,000 just for the ransom costs. Add to that the business interruption costs and reputation damage / public relations costs, and we can see the significant financial impact it had on that business. Could your business survive a similar loss?
Online criminals see SME Businesses as an easier and more attractive target than large corporations because they do not have the security budget or complexity of IT infrastructure. This leaves SME Businesses more at risk, particularly if they are not prepared. Working from home brings increased risk, as home networks may not have the same level of security as business or corporate networks.
According to a Norton SME Cyber Security Survey, in 2016 one in five businesses in Australia suffered a Cyber attack, and this increased to one in four businesses by 2017. This trend is alarming considering its exponential growth and that we are currently sitting in 2020. Businesses that took part in this survey noted that downtime costs, along with recovery costs, were the heaviest financial impacts they suffered from the attack. Of those businesses hit in 2017, the Australian Small Business and Family Enterprise Ombudsman reported that 60% closed their doors permanently within 6 months of the attack.
It is also worth mentioning that under the Privacy Act, companies can now be fined up to $2.1m, and individuals up to $420,000 for any privacy breaches, including those caused by a Cyber Attack. Employee error continues to be responsible for approximately one third of all cyber security breaches.
If your business uses a computer system for anything, even just for email, it runs the risk of being a target for cyber criminals. Many businesses believe it won’t happen to them, citing some common misconceptions:
- I don’t hold valuable data – Valuable data isn’t limited to intellectual property. It can be as simple as your employees’ or suppliers’ Tax File Numbers and bank account details. Even just a contact list in your email account is valuable to a Cyber criminal.
- I don’t transact online – Most businesses use a computer, a local network, or a server to hold electronic files and records, bank online, or manage their invoicing. Any of these activities may include sending and receiving personal or sensitive information.
- Our data is safe in the Cloud – You are legally responsible for your information that is stored in the cloud, even if a hacker accesses the cloud via a third party. Data stored in the cloud can be accessed, copied, stolen or altered just as easily as data stored on a computer or a server.
- Our IT employee / IT consultant will take care of it – If they work 24/7 they might be able to! A Cyber Risk Insurance Policy offers 24/7 emergency Incident Response services. The Cyber Incident Response Team is made up of individuals who have the experience and global expertise in these fields to help mitigate further loss, mediate complicated situations, and provide the best advice on what action to take next.
- Our IT system cannot be breached – No system can be 100% safe. Some of the most secure systems in the world have been hacked, including the FBI, Commonwealth Bank of Australia, Facebook and Sony. It can be much simpler than that – a misplaced phone, tablet or computer can be all that is needed for your system to suffer a security breach.
What Can You Do?
- Patch Operating Systems and Applications – Hackers will use known security vulnerabilities to target computers. A patch fixes security vulnerabilities in software applications to keep them secure.
- Restrict Administration Privileges – Administration access is the “key to the kingdom”. Restricting this access to those that need it lowers your risk.
- Multi Factor Authentication – User access is granted only after successfully presenting multiple, separate pieces of evidence. This makes it harder for adversaries to access your information.
- Daily backup of important data – Regularly backing up all data and storing it securely offline allows you to access data again if you suffer a cyber security incident.
- User application hardening – Flash, Java and web ads are popular ways to deliver malware to infect computers. Blocking web browser access to these applications assists in preventing malware from infecting your computers.
- Application Whitelisting – A whitelist only allows selected software applications to run on computers. All other software applications are stopped, including malware.
- Disable Untrusted Microsoft Office Macros – Applications use software known as ‘macros’ to automate routine tasks. Criminals use macros to download malware and then access sensitive information.
- Contact your Insurance Broker – Call us to take out a Cyber Risk insurance policy to protect your business in the event of an attack.
While implementing all these tools will reduce your risk, you are still vulnerable to a cyber attack. Technology is moving, developing and evolving at an extraordinary pace, and so are the cyber criminals. Having an insurance policy in place will help reduce the financial burden on the business and get you back up and running sooner post-attack. If you didn’t have a Cyber Insurance Policy, could your business survive?
We thank Emergence Insurance and Dual Australia for their contributions to this article.