Wednesday, November 09, 2016

Justin Clarke, Director of Underwriting and Pricing at NIG, talks to Jacqui Offen, Director of IT support services company J & J Systems UK, about the threat of cybercrime – and how small to medium businesses (SMEs) can reduce their risk.

Cybercrime has become a hot topic in mainstream media. How real is the threat to SMEs?

It’s very real; however, many business owners think cybercrime can’t happen to them. They believe that cybercrime doesn’t happen in the ‘real world’, and that hackers only target large corporations; however, these cybercriminals are increasingly targeting smaller businesses too. Cybercrime also manifests itself in many different ways which some small business owners could be unaware of. It often happens when a user doesn’t utilise adequate safety precautions when working online – especially on email.

So email is a particular threat?

Well, rather than sending a text message or making a call, employees send emails back and forth. This starts long email threads which can put pressure on the security measures that usually support the wheels of commerce. The lack of understanding business owners have regarding these pressures, and their potentially devastating impact on security measures, can act as a catalyst for the dark side of the internet to exploit small businesses.

Like emailing an attachment that contains a malicious macro, to infect an entire system?

That’s right. This can have a devastating effect; for example, some macros open a blank page, activating a key-logging virus. It records everything you type, collecting your banking and other account information. The hacker then uses the data to arrange same-day CHAPS payments abroad. Obviously, this can cause significant loss of income and play havoc with cash flow, which for a micro business can be financially crippling.

What about other email risks?

Every day, hacks and scams bypass anti-virus software and enter business inboxes. Think phishing emails, infected hyperlinks, and even complex fake HTMLs which look legitimate, alerting you to a refund or hold on your bank account. Once the naïve user enters their personal information, the crooks can quickly hack the account – or infect the device with nasty bugs, like ransomware.

Ransomware? That’s the thing that encrypts business data and blocks access to the system until a ransom is paid…

Exactly, and all it takes is clicking on an email link or a website popup. It often goes undetected for hours, maliciously working its way through megabytes of data until you realise you can’t open any files.

I recently met a small business owner who opened a convincing fake email about a DHL delivery. It infected their laptop and encrypted the whole drive, which hadn’t been backed up. Unfortunately, it was too late for us to help, and the business will now have to spend months trying to recover data from cloud-based emails, and essentially reconstruct their business files from scratch.  

How often do you see this sort of thing?

Well, there are many other instances of ransomware affecting SMEs. Even if the infection is dealt with efficiently and the data is restored, the ramifications can be huge as it can cause a loss of confidence from suppliers and clients.

What else do these cybercrimes cost SMEs?

The costs are extensive. Sure, businesses can limit the damage with data restriction, disaster recovery and backups, but that takes time, which means lost productivity – especially since staff can’t use infected devices until they’re fixed. Sometimes, there’s a longer-term impact on lost business, and unfortunately, many businesses don’t have any data recovery services in place, putting them at significant commercial risk.

Sounds like a lot to lose. What other threats do SMEs face?

They could fall prey to a ‘spear phishing’ attack which isolates individual users in an organisation, using spoof tactics to extort money. These attacks are harder to spot, because they use legitimate-looking email headers and addresses. They are becoming increasingly prevalent because we’re so busy these days, and as such a user may not spot the scam or anomalies in the way the email has been written – such as poor spelling. Let’s say the Financial Controller opens an email, supposedly sent by the Managing Director, asking ‘Are you at your desk today?’ He replies, unknowingly sparking a conversation with an online thief. When asked to transfer funds to a particular account the Financial Controller does so dutifully; soon afterwards the money leaves the bank, and often the country, thereafter becoming untraceable and unrecoverable.

What can business owners do to avoid this?

There’s only one solution to this type of cybercrime and that’s setting up a business process with two-step verification for non-standard business payments. It is a process that every business should do regardless of size; primarily because it’s becoming increasingly easy for cybercriminals to gather information about a business’ decision makers and their social habits from sources such as social media, websites, and even credit vetting facilities. On top of this, cybercriminals can also easily review financial stats which are available via the public domain, and target the companies that match their criminal ambitions.

Are there more sophisticated ways to guard against cybercrime?

The more sophisticated, and often efficient, option is to hire a proactive IT support provider with managed services and disaster recovery. Failing that, it’s worth training staff, so they’re aware of cybercrime risks and how to avoid damaging the business. All businesses must use operating systems and Microsoft Office products that are supported by the vendor, and have the latest security patches. They also need robust anti-virus and anti-spam software, and anti-virus email protection. Business owners should also ensure that all passwords are unique and strong.

These precautions, together with sensible system environmental measures, can often help businesses recover from an infection. When these precautions are combined with a sensible insurance policy, SMEs can hopefully minimise the risk of lost income and reputation created by cybercrime attacks.

Insurance requirements

Following the suggested precautions outlined in this article will hopefully mean your business avoids becoming the victim of cybercrime; however, should the worst happen, it is essential that you have a sensible insurance policy in place. With this in mind, let’s look at NIG’s Cyber Cover product, and see why it makes perfect sense:

Our Cyber Cover product covers:

  • Cyber crime – financial loss from hacking, fraudulent input or alteration of data
  • Cyber liability – damages and defence costs attributed to cyber crime
  • Data-Breach expense – the cost of expenses following a data-protection failure
  • Loss of business income following a cyber event (Optional)
  • Damage, loss, corruption and breakdown of hardware (Optional)
  • Data corruption and extra costs (Optional)


You can find more information about NIG’s Cyber Cover product, including Key Facts, Sales Aid, Proposal Form and Policy Wording, on our website.


NIG. Here’s Why…

As well as having a great product in Cyber Cover, here are some key benefits of choosing NIG:

  • Established – we have more than 120 years of commercial underwriting expertise.
  • Focus – we’re 100% focused on brokers, and trade all of our products exclusively through UK brokers.
  • Size and scale – as part of the Direct Line Group we have the strength and security of an A-rated underwriter, combined with the scale of a FTSE 100 company.
  • Comprehensive – our extensive range of products cater for businesses large and small.
  • Competitive – our one-quote-to-market principle provides a real edge for brokers.
  • Financial support – we can provide in-house surveying and risk management funding.
  • UK-wide – we have eight regional offices across the UK, combining regional coverage with local expertise.