One in three companies have experienced a cyber incident in the past 12 months, according to Bridging the Cyber Risk Gap, the latest research from insurer Chubb.

As a direct consequence of this, a significant majority realised they were less prepared than they had hoped. In many cases, that lack of preparation will not have been around companies’ digital defences; instead the problem will have been with their own people.

Few firms in the UK understand or address effectively the human element of their cyber risk. Around 70% of cyber security breaches result from phishing attacks, and a growing number from broader social engineering by criminals.

This does not include the number of cyber breaches that result from simple human error, without malicious intent. Here are a few easily recognisable scenarios:
  • the employee who emails important data to someone they did not intend;
  • the employee who falls for a scam email;
  • the employee who opens a link in an email without verifying the sender’s address;
  • the employee who goes online and inadvertently downloads malware onto a company computer;
  • and the employee who accesses company information from their own device and introduces malware.
The above are a combination of simple human error, ignorance or – more worryingly – sophisticated attacks known as ‘spear-phishing’ in which information gleaned from social media or a company’s own website is used to dupe an employee into doing something or following a link which exposes the company to risk.

All firms should undertake a holistic audit of their cyber exposure. In each area, pre-loss planning can minimise the likelihood or effect of an attack. The areas are: awareness, protection, detection, response, and resilience.

Awareness involves understanding in detail the business environment, what risks exist and what regulation applies to a firm in the event of a cyber breach.

For protection, companies need to implement ‘best-in-class’ cyber hygiene, including proper data-handling protocols, identifying a responsible information security officer, and implementing technology or buying protection against identified risks.

Detecting intruders as quickly as possible is key to limiting the damage attackers can do. This includes both technology-led solutions and offering incentives to staff to raise the alarm quickly if they see or do something unusual.

Companies need a 24-hour response system that allows rapid action, including notification of those affected after an attack, as well as cleansing the system of malware.

Often referred to as business continuity, resilience is about the long-term protection of revenue, and includes communication to clients about resumption of business, rapid restart planning, and pre-planning to find alternative routes to market in the event of a complete shutdown.

Cyber-crime and fraud prevention can seem complicated, but they needn’t be. Start by putting simple, everyday steps in place to ensure you and your customers are well protected.

If you are uncertain about how to protect your business from cyber-crime, contact us on 0121 321 4600 or send your enquiry to info@clarisksolutions.co.uk

Thanks to Post Magazine; Lauren Webb, London cyber underwriting manager, and Nick Bellamy, principal cyber risk engineer and technology industry practitioner at Chubb.

Cyber security may sound like a technical problem, but as we saw recently with the NHS attacks, preventing it is a management challenge.

It starts with carrying out a risk assessment and answering, ‘how would our business cope if we came in one morning and our computers didn’t operate?’ ‘What is our backup plan and who could we rely on to help us fix it if we had an attack?’

When you have a grip on your operations, remember your business has a responsibility to staff and customers to secure the data they use in the organisation too. The Data Protection Act requires that personal data be secured and used appropriately.

Why should you do this? Because the threats from cyber criminals, hackers and identity theft are very real. When you understand the extent to which your business will be affected and what it could cost you, it becomes easier to justify the resources you’ll need to put in place now to prevent it.

Computer security for small businesses should be multi-layered, using desktop security products such as anti-virus, anti-spam and firewalls, and network intrusion detection, and hardware technologies such as security tokens, disk encryption and biometric fingerprint recognition.

But above all, it is about management. Define and train your staff on a security policy, including using strong passwords that include numbers and letters; not sharing or displaying passwords; and only opening email attachments from reliable sources. Encourage your staff to use the web responsibly, and stay vigilant when outsiders are in the office. Monitor access to the network, including memory sticks and other plug-in devices, which can be used to steal company information.

Protecting your business against phishing, vishing and smishing
  • Be cautious of how much information you reveal about your company via social media platforms
  • Do not assume a caller is genuine because they know information about you or your company – fraudsters are skilled in collecting enough information to sound convincing
  • Do not open emails that you suspect could be spam
  • Never enter any personal or security information on a site accessed through a link in an email
  • Never open attachments from senders you are unsure of
  • Be cautious of callers who attempt to gain information from you, for example “I want to check a payment you made today” rather than “I want to check a payment of £5,000 you made today in favour of XYZ Ltd”. The former may be trying to get you to divulge information that can be used against you later.
  • If you are suspicious, terminate the call
  • When ringing back to verify the contact, use your usual contact number, not one provided in the suspect correspondence
  • On sites that require you to input sensitive information, look for “https” in the website address – the “S” stands for “secure”, meaning the connection is encrypted
  • Ensure there is a padlock symbol in the URL address bar – this shows that the connection to the site is encrypted, but not that the site itself is genuine, so check the domain name as well
  • Remember that your bank may ask you for some information, but will never ask for your full password or PIN, provide you with details to make a payment, or request that you grant them access to your systems or PC
  • Familiarise yourself with what your bank will and won’t ask you if they wish to verify payments
Protecting your business against invoice fraud
  • Make your staff aware of this threat
  • Check notifications and invoices received carefully to see if the document looks like a counterfeit
  • Check that the email address the message comes from does not look odd, such as ending in “.org” when it should end in “.com”.
  • Always call your supplier, using contact details you have on file (not those supplied in the message, which will be the fraudster’s), to confirm any changes before making them. Ensure that you validate the exact bank detail changes you are asked to make, in full
  • Consider setting up single points of contact with the companies you pay regularly
  • Consider adopting dual control procedures for any changes in payment information
  • Use technology that matches invoices to purchase orders and flags any rogue invoices
  • Regularly conduct audits on your accounts
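The invoice-fraud controls above (sender domain checked against the address on file, invoices matched to purchase orders, dual control before any change to bank details is accepted) can be run as a single automated check in accounts payable. The following is an added example written for this page, not software from CLA or any supplier: the supplier records, purchase orders, invoices and approver names are all constructed for the demonstration.

```python
"""Vet an incoming invoice against the controls listed above.

Added example, not the page's own code. Supplier records, purchase
orders, invoices and approver names below are constructed sample data.
Amounts are held in pence to avoid floating-point comparison problems.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    email_domain: str      # domain of the contact on file, e.g. acme-supplies.example
    account_number: str    # bank details on file


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    supplier: str
    amount_pence: int


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    supplier: str
    po_number: str
    amount_pence: int
    sender_email: str      # address the invoice email came from
    account_number: str    # bank details quoted on the invoice


# Constructed reference data: what the business has on file.
SUPPLIERS = {
    "Acme Supplies": Supplier("Acme Supplies", "acme-supplies.example", "12345678"),
}
PURCHASE_ORDERS = {
    "PO-1001": PurchaseOrder("PO-1001", "Acme Supplies", 250_000),   # £2,500.00
}

# Constructed invoices: one genuine, one with the hallmarks of invoice fraud.
GENUINE = Invoice("INV-77", "Acme Supplies", "PO-1001", 250_000,
                  "accounts@acme-supplies.example", "12345678")
SUSPECT = Invoice("INV-78", "Acme Supplies", "PO-1001", 275_000,
                  "accounts@acme-supplies-ltd.example", "99999999")


def vet_invoice(inv: Invoice, suppliers=SUPPLIERS, orders=PURCHASE_ORDERS,
                approvals=None) -> list[str]:
    """Return a list of control failures; an empty list means the invoice may be paid.

    `approvals` maps (supplier, new_account_number) to the set of named staff
    who have independently confirmed the change (dual control needs two).
    """
    approvals = approvals or {}
    problems = []

    supplier = suppliers.get(inv.supplier)
    if supplier is None:
        return [f"unknown supplier {inv.supplier!r}"]

    # Control 1: the sending domain must be the one on file, not a lookalike.
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != supplier.email_domain.lower():
        problems.append(f"sender domain {sender_domain} differs from "
                        f"{supplier.email_domain} on file")

    # Control 2: the invoice must match an open purchase order for this supplier.
    po = orders.get(inv.po_number)
    if po is None:
        problems.append(f"no purchase order {inv.po_number}")
    elif po.supplier != inv.supplier or po.amount_pence != inv.amount_pence:
        problems.append(f"invoice does not match {po.po_number} "
                        f"(PO {po.amount_pence}p, invoice {inv.amount_pence}p)")

    # Control 3: a change of bank details is held until two people have
    # confirmed it with the supplier on the number already on file.
    if inv.account_number != supplier.account_number:
        approvers = approvals.get((inv.supplier, inv.account_number), set())
        if len(approvers) < 2:
            problems.append("bank details changed: requires call-back on the "
                            f"number on file and two approvers ({len(approvers)} so far)")

    return problems


if __name__ == "__main__":
    for inv in (GENUINE, SUSPECT):
        print(inv.invoice_number, vet_invoice(inv) or "OK to pay")
```

The check is deliberately conservative: a changed account number is never accepted on the strength of the invoice alone, however convincing the covering email looks, because that is exactly the change a fraudster is trying to get through.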
Cyber risk insurance
Insurance is an essential part of your cyber security strategy to help you to recover quickly after a breach and cover the costs involved such as:
  • Bringing in experts to support your team
  • Managing any negative press coverage and crisis containment
  • Third party liability
  • Repairing and restoring systems following an attack
  • Extortion costs you may have to pay following a ransomware demand
  • Legal advice
  • Business interruption costs
Vulnerability assessment – preventing an attack before it happens
CLA have partnered with cyber security specialists Ilicomm, who can offer a vulnerability assessment.

Their vulnerability assessment programme will not only reveal as yet undiagnosed problems, but will highlight weaknesses and recommend the explicit technical controls required to mitigate the risk to an acceptable level.

To find out more about cyber security and how to protect your business please call, or request a call back and one of our account executives will contact you.
At a glance
  • Phishing attacks result in victims being tricked into clicking on a fraudulent email link or attachment
  • While companies are investing heavily in technology to fight these attacks, human error makes all businesses vulnerable to phishing
Phishing attacks in particular require a combination of an effective human response and a technological solution.

Here, we examine why phishing can be a huge problem and the strategies that can be deployed to fight off phishing attacks.

The scale of the phishing threat
Successful phishing attacks can give hackers access to a treasure trove of data, which they can use for financial gain.

There have been numerous high-profile attacks in the UK, including one that led to the theft of £1.2 million from hundreds of students, and the recent £20 million Dridex Trojan attacks, which targeted British banks and government agencies.

Phishing attacks work because they target human vulnerabilities that exist in every business.
Janet Roberts, Zurich’s Head of Security Awareness, Group Information Security, says: “Cyber criminals rely on the possibility of human error when planning a phishing attack. Perhaps the person is in a hurry while reviewing emails and does not check before clicking on a link. Or perhaps they have not been educated about phishing and the risks it poses.

“Criminals may try to infiltrate a firewall or other system, but a company with robust technology can often prevent these types of attacks. Companies are investing heavily in preventative technology, which is good, but they need to remember that without educating their people, employees remain a weak and obvious target.”

Fighting off phishing attacks requires a three-pronged approach: detection, reporting and technology.

1. How to detect a phishing email
Many fraudulent emails share common characteristics, such as:

  • A generic greeting, e.g. “Dear customer” – in most organisations where people interact via email, they would be addressed by their name
  • A threat to take action – banks, credit card companies or internet service providers wouldn’t notify somebody that their account was in danger via an email threat, but cyber criminals might
  • Requests for personal information – e.g. passwords, PINs or log-in details
  • Spelling/grammatical errors – cyber attacks originate from all over the world and English is often not the attackers’ first language. Although some criminals now employ proof-readers to check for spelling errors, other grammatical or syntactical errors may still give cause for suspicion
  • Addresses that don’t match up – one of the most basic, but important, phishing defences is to hover the mouse over a link (without clicking). The website URL will then appear on screen. Comparing this URL with the address shown in the link text will give a good indication as to whether the link is genuine.
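The characteristics listed above can also be checked mechanically before a message reaches anyone’s inbox. The script below is an added example written for this page, not code from Zurich or from the original article: it parses a raw email, extracts the real target of every link and compares it with the address displayed in the link text (the automated equivalent of hovering the mouse), and flags the generic greeting, the threat to act and the request for credentials. Both sample messages are constructed for the demonstration.

```python
"""Heuristic phishing-email checker.

Added example, not the page's own code. It scores a single-part HTML
email against the tell-tale signs listed above. Both sample messages
below are constructed; the hosts and addresses are not real.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear member")
URGENCY_RE = re.compile(r"account will be suspended|within 24 hours|immediately", re.I)
CREDENTIAL_RE = re.compile(r"\b(password|pin|log-?in details)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Hostname of a URL, ignoring any user@ prefix that is used to disguise the real host."""
    netloc = urlparse(url if "://" in url else "http://" + url).netloc.lower()
    return netloc.split("@")[-1].split(":")[0]


def check_message(raw: str) -> list[str]:
    """Return one finding per sign of phishing spotted in the message."""
    msg = message_from_string(raw)
    html = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", html)      # crude tag strip for the wording checks
    findings = []

    if text.strip().lower().startswith(GENERIC_GREETINGS):
        findings.append("generic greeting")
    if URGENCY_RE.search(text):
        findings.append("threat or pressure to act")
    if CREDENTIAL_RE.search(text):
        findings.append("request for credentials")

    collector = _LinkCollector()
    collector.feed(html)
    for href, shown in collector.links:
        # Only compare when the visible text itself looks like an address.
        if "." in shown and " " not in shown and _host(shown) != _host(href):
            findings.append(f"link mismatch: text shows {_host(shown)} but points to {_host(href)}")
    return findings


# Constructed sample messages.
SUSPICIOUS = (
    'From: "Secure Bank" <alerts@secure-bank-login.example>\n'
    "Subject: Action required\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>Dear Customer,</p>"
    "<p>Your account will be suspended within 24 hours unless you confirm "
    'your password at <a href="http://198.51.100.7/login">'
    "https://www.securebank.example/login</a>.</p>\n"
)
LEGITIMATE = (
    'From: "Alice" <alice@supplier.example>\n'
    "Subject: March invoice\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>Hi Bob,</p><p>The March invoice is on the portal: "
    '<a href="https://portal.supplier.example/invoices">'
    "https://portal.supplier.example/invoices</a></p>\n"
)

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(name, check_message(raw) or "no findings")
```

The findings are deliberately kept as separate signals rather than a single verdict: a message with one hit may still be genuine, but one that trips several of these checks at once is worth routing to the IT department for a look before it is opened.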
2. Importance of reporting phishing attacks
Companies should establish clear mechanisms for staff to report suspicious emails to their IT department straightaway.

If an employee has clicked on a link they suspect contains malware (unwanted/hostile software), prompt reporting will help the company to stop it from spreading. Even if the employee has not clicked on the suspicious link or attachment, reporting the incident will allow the company to investigate whether any other employees may have done so. The time it takes to detect and respond to an attack is critical.

Verizon’s 2015 Data Breach Investigations Report highlights how, in a majority of cases (60%), attackers are able to compromise an organisation within minutes of a successful data breach.
One study found that while 80% of companies have a process for employees to report phishing, more than half (52%) of companies say their staff report fewer than a quarter of the suspicious emails they receive.

It is therefore vital that companies foster an environment in which employees understand their role in preventing phishing, and that employees are updated regularly on the latest phishing lures being used.

3. Importance of regular updating of technology
Cyber criminals are continually adapting their methods to make their phishing lures harder to spot. Therefore, while a human line of defence can complement a technological solution, it cannot replace it.

As cyber security company Proofpoint observes in The Human Factor 2015 report on phishing: “While an important tool, user education cannot be the last line of defence: organisations should deploy automated defences capable of detecting and blocking threats that do not look or behave like previously known threats.”

Proofpoint’s research highlights that on average, one in 25 malicious messages is clicked on, and that this ratio remains almost exactly the same regardless of an organisation’s size or how many malicious messages it receives.

Cyber criminals realise if they keep attacking, they will find a soft target sooner or later. However, companies that have built a human line of defence to back up their IT solutions will be best placed to minimise the risk of becoming the criminals’ next victim.

These days we all rely heavily on our computers and computer systems. Whether you are an individual with one laptop or a multi-national business with a global network, any incident that disrupts your computer usage can be devastating. Incidents include:
  • An employee opening an email containing a virus
  • Employees losing removable media such as a memory stick or laptop
  • Server infiltration by hackers
  • Home and mobile working reducing security levels
These incidents may be more prevalent than you think; 60% of small businesses suffered a cyber security breach in 2014*

Cyber risks come from a range of threats which can be covered by suitable cyber risk insurance.

You may think your commercial insurance covers some of these incidents, such as loss of or damage to hardware, but a specific cyber insurance policy will cover much more and provide proper support when you need it most. A typical scenario could be:
  1. A successful attempt has been made to infiltrate your computer systems and data has been stolen or corrupted. You will need help from experts who can provide immediate support and advice.
  2. The stolen data is sensitive and could cause serious damage to your company’s reputation. You need legal advice and public relations support to minimise any adverse publicity.
  3. The data accessed contained personal details and financial information. Claims for damages could follow and you need to cover your legal costs and any compensation.
  4. Your IT department or external consultant will have to restore the information that was lost or stolen. You need to cover the resulting costs.
  5. However, your IT department may lack the resources or the knowledge to resolve and fix the breach. You will need the support of a team with the skills and experience to protect your business as soon as possible.
  6. Disruption to your business, while you resolved all of the issues, resulted in loss of sales and revenue. You will want compensation for those losses.
There are many other implications to consider when thinking about protecting your computer systems and infrastructure and every business will have different risks.

This is where an insurance broker can help. They will be able to assess your exact needs and find the most suitable policy for your business.
*HM Government & Marsh UK Cyber Security Report March 2015
Many small businesses think they are too small to be targeted by cyber criminals; however, recent statistics show that 74% were affected by a security breach in 2015. More worrying is the fact that it can take on average up to 231 days before the company is aware of being hacked. A lot of damage can be done during this period.
£65 - £115K is the average cost of a security breach to a small business*

As we rely more upon technology, the risk of a cyber-attack increases. Most businesses hold information about customers, employees and banking details on their computer systems that are the backbone of their business management. The result of a security breach could damage the viability of the entire business.

The government backed Cyber Essentials scheme (see link below) provides useful information to help protect your business against hacker attacks. However, as they say in their document “You can never be totally safe, but most online attacks can be prevented or detected with basic security practices for your staff, processes and IT systems”.

For peace of mind and to limit the financial implications of an attack, you may want to consider an insurance policy.

What does cyber security insurance cover?
Cyber and data risk insurance will provide support and help to protect your business from some of the financial consequences of a cyber-attack if a hacker gains access to your computer systems.

It provides you with comprehensive cover and a trusted partner to help reduce the effects of a security breach:
  • Mitigation of the financial impact of data leaks
  • Advice and support for your IT department
  • Managing the risk of any adverse publicity
  • Protection from third party claims against the company
  • Regulatory fines for data breaches
  • Loss of profits while recovery is taking place
  • Professional fees
  • Breach coaching
  • Costs involved with limiting damages and recovery of data
  • Theft of hardware or system access codes
  • Data breach by an employee
  • Legal advice and professional fees

The support is provided by a cyber incident response team and policy holders can also benefit from assistance after a data breach, to help restore systems and firewalls.

For a full breakdown of the cover available and to discuss your requirements with one of our Account Managers, please contact us on 0121 321 4600 or complete our enquiry form.

* https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/412017/BIS-15-147-small-businesses-cyber-guide-March-2015.pdf