By Ed Prescott, Director at Prescott Jones Insurance Brokers
As a business owner, what would you consider to be the most important aspect of your business to protect? You might think it’s your building, your vehicle fleet or your other company assets.
It may come as a surprise to learn that the aspect of your business most likely to be under threat is your data and computer systems. The people stealing corporate data are not necessarily the hardened criminal masterminds they once were, but amateur hackers who are infiltrating online business systems in their spare time. Cyber attacks can leave confidential data open to prying eyes and leave your business and livelihood at risk.
In the year leading up to October 2014, 60% of small businesses in the UK suffered a breach in cyber security, so there has never been a more important time to prepare yourself against the threat of a cyber attack.
So what exactly constitutes a data breach?
A data breach is defined as an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorised to do so. This kind of threat could be catastrophic for a business, whether you are investing on behalf of a client, dealing with confidential details or processing payments from customers. The loss of any of this data has an impact on not only the company whose system was infiltrated but can have a domino-like effect on all of its customers as well. Your business could be legally liable for stumping up the cash to replace any losses incurred by your clients and other third parties in addition of course to your own financial losses.
The most high-profile corporate breach in history took place just last year. On 24 November, all computers on the Sony Pictures Network were taken over by a grinning skull with a warning that, unless demands were met, data from Sony would be placed in the public domain.
In the next few days, private Sony Pictures data appeared on file-sharing sites, including scanned copies of passports, unpublished scripts and marketing plans. This incident was of such a scale that it could have meant irreparable damage to Sony Pictures’ reputation. It could be argued that the company was only saved by the strength and heritage of its brand; and no doubt a crack team of very expensive lawyers.
To report or not, that is the question
A recent Times article reported that the cybercrime industry is now bigger than the drugs trade, estimating that the cost of fraud to the UK economy in 2013 was £52 billion. Despite this, only one in five crimes are reported to the relevant authorities according to the City of London’s Police Commissioner. Of course, for reputational reasons, few businesses will want to admit to having their private documents viewed by an unauthorised third party, but certain “serious” cases involving the breach of sensitive client and customer data must be reported to the Information Commissioner’s Office (ICO).
You must notify the ICO of a serious personal data breach within 24 hours of becoming aware of the incident, as failure to comply can result in a £1,000 fine.
What are the consequences if my business is affected?
Companies can understandably be nervous about reporting a breach of security, as firms that are proved to handle data insecurely can be fined up to half a million pounds. In reality, these fines currently tend to amount to tens of thousands of pounds, but tougher sanctions are expected to be put in place against firms that don’t take the necessary precautions.
A draft European Union bill has been continuously altered in Brussels over the past few years, as it aims to create much stricter deadlines for managing cyber breach reports. It also has plans to raise the maximum fine level to 100m Euro or 5% of a company’s global turnover, which means it is even more essential that companies have the best security systems and insurance in place, should anything go wrong.
How do I protect myself and my business?
It’s essential that all companies review and understand the cyber risk to their business data, review the strength of the technical and physical protections in place, and amend and improve where necessary. They must then have plans and policies in place setting out what should be done on discovery of a breach.
This risk assessment and mitigation should then be backed by a comprehensive cyber liability insurance policy. The insurance market has responded well to the emergence of cyber risk, with a number of insurers providing excellent cover for first-party and third-party risks. Often these policies provide pre-loss risk management support and sophisticated post-event investigation, containment, resolution and remediation management support.
Here are some examples of the main areas that you need to address in order to protect your business:
It is important that all employees know the basics of cyber security. Companies should address cyber security within staff contracts, and supplement this with on-going training about the ever-changing risks that could threaten the company. It’s important to remember that not all threats are caused by external forces. A disgruntled employee or someone leaving the company could open your business up to a data breach, or it could also be as simple as a staff member accidentally clicking on a malicious link.
Bring your own devices (BYOD)
95% of UK businesses let employees bring their personal mobile devices into the corporate network. Allowing staff to bring their own devices to work saves companies, particularly SMEs, a lot of money but according to a study from BT, mobile security breaches affected 41% of UK organisations in 2014.
Businesses that allow employees to use their own devices need a BYOD policy, which involves installing anti-malware software on each device and ideally including a tracking service and the ability to remove any sensitive documents from the device remotely.
For employees that connect to the business framework through a web portal, businesses have the opportunity to install a programme that will scan each device for a potential breach each time they log in.
So what risk assessments can you carry out?
There are specialist service companies emerging who can help you carry out risk assessments and independent insurance brokers will have access to insurers who, in addition to providing the ultimate insurance protection, can offer risk assessment and management support.
They will ensure you understand what data and information your company holds, which could vary from intellectual property, financial, customer details and employee records. Once it is understood what data is important to the business and your customers, the process of evaluating the threats and risks can begin and ultimately result in the appropriate insurance cover for the business being taken out.
It is understandable why businesses may not take the threat of cyber attacks seriously. Hackers target celebrities for their naked photos, right? Wrong. Increasingly, hackers are targeting the websites and systems of small businesses for fun and profit. SME owners have lots of complex legislation and regulations to comply with which can be a minefield in itself, but is it really worth putting your business at risk for the sake of some time, planning and insurance to provide that all important peace of mind?