One in three companies has experienced a cyber incident in the past 12 months, according to Bridging the Cyber Risk Gap, the latest research from insurer Chubb.

As a direct consequence, a significant majority realised they were less prepared than they had hoped. In many cases that lack of preparation will not have been in companies’ digital defences; the problem will have been with their own people.

Few firms in the UK understand, or effectively address, the human element of their cyber risk. Around 70% of cyber security breaches result from phishing attacks, and a growing number from broader social engineering by criminals.

This does not include the number of cyber breaches that result from simple human error, without malicious intent. Here are a few easily recognisable scenarios:
  • the employee who emails important data to someone they did not intend;
  • the employee who falls for a scam email;
  • the employee who opens a link in an email without verifying the sender’s address;
  • the employee who goes online and inadvertently downloads malware onto a company computer;
  • the employee who accesses company information from their own device and introduces malware.
The above are a combination of simple human error, ignorance or – more worryingly – sophisticated attacks known as ‘spear-phishing’, in which information gleaned from social media or a company’s own website is used to dupe an employee into doing something, or following a link, that exposes the company to risk.
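The scenarios above all hinge on an employee not noticing that a message is not what it claims to be. The following is an added example, not code from Chubb or from this article, showing the kind of automated check a mail gateway or security team can run on an inbound message to surface the tell-tale signs of a look-alike sender: a sender domain that imitates the company’s own, a Reply-To pointing somewhere else, and a link whose visible text names one host while its target is another. The trusted-domain list, the sample messages and the confusable-character table are constructed for illustration, and the “registrable domain” logic is a deliberate simplification (last two labels, no public-suffix list).

```python
"""Heuristic phishing-indicator checks on a raw e-mail (illustrative, constructed)."""
import email
import email.policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the domains this organisation legitimately sends mail from.
TRUSTED_DOMAINS = {"example.com"}

# Small, illustrative subset of character substitutions used in look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "а": "a", "е": "e", "о": "o", "р": "p", "с": "c"})


def skeleton(domain: str) -> str:
    """Collapse a domain to a look-alike skeleton so 'exarnple.com' ~ 'example.com'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def registrable(host: str) -> str:
    """Simplified registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def domain_of(header_value: str) -> str:
    """Domain part of the address in a From/Reply-To header, or '' if absent."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def imitates_trusted(host: str) -> bool:
    """True when host is not trusted but looks like a trusted domain once normalised."""
    reg = registrable(host)
    return reg not in TRUSTED_DOMAINS and skeleton(reg) in {skeleton(d) for d in TRUSTED_DOMAINS}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw: str) -> list:
    """Return the names of the phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []

    from_domain = domain_of(str(msg.get("From", "")))
    reply_domain = domain_of(str(msg.get("Reply-To", "")))

    # 1. Sender domain imitates one of ours but is not actually one of ours.
    if imitates_trusted(from_domain):
        findings.append("lookalike_sender_domain")

    # 2. Replies are silently redirected to a different domain than the sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_mismatch")

    # 3. Links whose visible text names one host but whose target is another,
    #    and links to look-alike domains.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        target = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and target and shown != target:
            findings.append("link_text_target_mismatch")
        if imitates_trusted(target):
            findings.append("lookalike_link_domain")

    return findings


# Constructed sample: a spear-phishing message imitating the finance team.
PHISHING_MESSAGE = """\
From: "Finance Team" <accounts@exarnple.com>
Reply-To: collections@mail-relay.example.net
To: staff@example.com
Subject: Updated supplier bank details
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm the new details at
<a href="http://portal.examp1e.com/login">portal.example.com</a> today.</p></body></html>
"""

# Constructed sample: a genuine internal message for comparison.
LEGITIMATE_MESSAGE = """\
From: "Finance Team" <accounts@example.com>
To: staff@example.com
Subject: Expense portal reminder
Content-Type: text/html; charset="utf-8"

<html><body><p>Submit expenses via
<a href="https://portal.example.com/login">portal.example.com</a> by Friday.</p></body></html>
"""

if __name__ == "__main__":
    print("phishing sample:", analyse(PHISHING_MESSAGE))
    print("legitimate sample:", analyse(LEGITIMATE_MESSAGE))
```

In practice a gateway would combine indicators like these with SPF/DKIM/DMARC results and a proper public-suffix list; the point here is that each of the “easily recognisable scenarios” corresponds to a concrete, checkable property of the message, which is what a detection control should look at rather than relying on the recipient alone.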

All firms should undertake a holistic audit of their cyber exposure. In each area, pre-loss planning can minimise the likelihood or effect of an attack. The areas are: awareness, protection, detection, response, and resilience.

Awareness involves understanding in detail the business environment, what risks exist and what regulation applies to a firm in the event of a cyber breach.

For protection, companies need to implement best-in-class cyber hygiene, including proper data-handling protocols, identifying a responsible information security officer, and implementing technology or buying protection against identified risks.

Detecting intruders as quickly as possible is key to limiting the damage attackers can do. This includes both technology-led solutions and incentives for staff to raise the alarm quickly if they see or do something unusual.

Companies need a 24-hour response system that allows rapid action, including notification of those affected after an attack, as well as cleansing the system of malware.

Often referred to as business continuity, resilience is about the long-term protection of revenue, and includes communication to clients about resumption of business, rapid restart planning, and pre-planning to find alternative routes to market in the event of a complete shutdown.

Cyber-crime and fraud prevention can seem complicated, but they needn’t be. Start by putting simple, everyday steps in place to ensure you and your customers are well protected.

If you are uncertain about how to protect your business from cyber-crime, contact us on 0121 321 4600 or send your enquiry to info@clarisksolutions.co.uk

Thanks to Post Magazine; Lauren Webb, London cyber underwriting manager, and Nick Bellamy, principal cyber risk engineer and technology industry practitioner at Chubb.