A recent article titled “Global cyber insurance pricing rises 32%” has led to some interesting conversations at Alleviate Risk among my team, and with the odd client. Why? Because cybercriminals are opportunistic and we’re in a new world of business. The recent haphazard rush to working from home means all manner of cyber vulnerabilities have been created or revealed in businesses across the economy – small, medium and large.
This quote from the article sums it up nicely:
“COVID-19 and all of its attendant effects on technology adoption and cybersecurity, combined with independent or connected changes to the loss environment, has added a big dose of complexity into an already complicated risk landscape.”
That’s from Shay Simkin, head of cyber at international insurance broker Howden. Yes, she is speaking in a US context, but the same trends are happening here.
Think about it. All of a sudden, we’re being forced out of our workplaces, where IT is professionally managed, controlled and monitored, into using our own devices and home internet connections. The risks are clear.
In this context, the degree of difficulty for being a cybercriminal has come way down. Many cybercriminals these days aren’t “genius hackers”, they’re just conmen who’ve downloaded automated security-probing software. That’s all they need to launch the two main kinds of attacks we’re seeing: spoofing and ransomware.
- Spoofing: cybercriminals intercept emails and then use social engineering (digital grifting, essentially) to fiddle with invoices to divert money into their accounts.
- Ransomware: one day you go to work, switch on the computer and find that your entire business system is encrypted and crippled. All you have is an ultimatum: pay some sort of cryptocurrency amount to a mystery destination or your data will be deleted.
The point is, you and all the other businesses you do business with have been thrust into an era of slapdash cybersecurity. I’ve been working around this a lot, so here are my key insights…
My top 4 points about cybersecurity risks
- If you think you won’t get hacked, you’re mistaken. Actually, if you think you are immune, your risk increases. Chances are your site has already been cased today by cybercriminals looking for soft targets. It’s like that story about two people about to be chased by a tiger, where one of them stops to put on running shoes. You don’t have to outrun the tiger, you have to outrun the other guy. The cybercriminals are always coming, so, at a very basic level, your online presence just needs to be too tough to bother with.
- Insurance does not bring back data that has been encrypted or lost. Two factors here: highly sophisticated encryption tools are cheap, and decryption or recovery is rarely successful and is always very costly.
- You probably won’t get your data back, even if you pay a Bitcoin ransom. Research from Kaspersky has found that only about 25 percent of ransomware attack victims get everything back. After all, the cybercriminals have little incentive to keep their side of the bargain.
- Being a cybercrime victim casts your business in a bad light. Regardless of the data loss or outcome, there are major reputational risks associated with a data breach. Imagine sending a letter to all your clients saying “we were hacked and your personal data was stolen”. At the very least, this will cost you business. At worst, you could end up in court.
The big effect of raising your cybersecurity bar a little
To handle this emergent situation you must mitigate your cyber risk exposures. The key to doing so rests in how most cybercriminals operate: they cast a wide net and try to scoop up easy pickings. Generally, their automated software scans thousands of sites a day looking for specific weaknesses. If your site doesn’t have them, the scanner moves on. Trust me, your site has been scanned for weaknesses thousands of times already. This means the best cybersecurity mitigation tactic is often simply to be a slightly tougher nut to crack than the next guy.
Yes, you can have cybersecurity as part of your business insurance, but the standard cover is pretty skinny. It’s better than nothing, but you’re far better off with a standalone specific cyber policy that is responsive to your cyber-risk management practices.
Being proactive on cybersecurity goes a long way
My point is that prevention will always be better value for money than paying a Bitcoin ransom. And the tigers are already stalking your online presence, but they usually seek to attack the weaker targets. So, instead of outrunning the tiger, outrun the pack mentality of “cybercrime happens to other people”.
To learn more about “putting on your running shoes”, reach out to someone in your network who can connect you with a cybersecurity expert and/or seek a suitably qualified risk expert to assist you with mitigation strategies. At the very least, have the conversation so you understand where your exposures lie.