Monday, June 27, 2016

NIG Director of Underwriting and Pricing Justin Clarke examines how cyber crime can affect small to medium-sized businesses. And just as importantly, how the industry and the European Union are mobilising resources to fight back against this growing threat.

Small to medium-sized businesses may feel they’re safe from cyber attacks, believing they’re only aimed at large enterprises. Unfortunately, that isn’t the case.

In fact, 75% of SMEs have suffered a security breach in the last year, according to the ABI, and the frequency and effectiveness of the attacks are increasing.

Protect from the beginning

Start-up businesses can be especially vulnerable. In the rush to establish their brand, set up their website and organise online trading, protecting against cyber attacks often takes a back seat. Besides, who would bother targeting a new and probably low value business?

The truth is, SMEs are favoured as targets for cyber criminals, who expect to meet less sophisticated protection than large enterprises deploy. As Global Cyber Risk chief executive Jody Westby says: “It’s the data that makes the business attractive to cyber criminals, not the size – especially if it’s data such as customer contact info, credit card data, health data or valuable intellectual property.”

Potentially devastating

According to the Federation of Small Businesses, 49% of cyber attacks are phishing emails, 37% spear phishing emails, and 29% malware. In one instance, reported by small business owner Lee Moore in Computer Weekly, a devastating attack was launched by a supposedly trusted supplier, a website developer.

Lee felt she could trust her developer to set up user names and passwords for her website, email accounts and social media accounts. As soon as he sensed an opportunity to exploit her vulnerability, he began blackmailing her, stole her identity and defamed her business as bankrupt when she refused to pay the ransom demands. It took the intervention of a university computing professor to unravel the attack and establish strategies to protect Lee against similar digital onslaughts.

Automated attacks

Although it’s unusual for cyber crime to be reported so openly, it doesn’t mean attacks on small businesses are rare. Greg Shannon, from the CERT Division of the Software Engineering Institute at Carnegie Mellon, reports that: “Small business is a huge target because attacks are automated. The criminals don’t care who they’re attacking, and while any given business isn’t worth much individually, they have viruses or ransomware that allow them to attack thousands or even millions of businesses.”

A route to larger targets

Criminals regard SMEs as the soft underbelly that enables attacks on larger, more lucrative targets. When a small or medium-sized business serves a larger client, perhaps providing payroll, HR or environmental services, it may unwittingly give cyber criminals access to that client’s IT systems. Small businesses are more vulnerable because only the biggest companies can afford the best defences.

Data breach penalties

When it comes into effect in 2018, the EU General Data Protection Regulation (GDPR) will make companies responsible for building data protection and privacy into their organisation, including IT services. They’ll have to report any breaches that put individuals at risk, and could face massive fines for non-compliance – up to 4% of global turnover.

Verizon’s 2013 Data Breach Investigations Report found almost 62% of data breaches that year were at SME level. The EU GDPR is bound to increase demand from companies wanting to insure themselves against the risk of a breach. Consequently, insurers will need as much information as possible about previously reported cyber crime to help them set realistic premiums.

Making accurate assessments

As a relatively new crime, cyber attack is a difficult risk for insurers to price. While there are 350 years of data for fires, and 100 years of data for motor and aviation risks, there are only a few years of statistics for cyber crime.

ABI director general Huw Evans said: “Cyber losses are the biggest threat to Britain’s world-leading digital economy. We need to see an anonymous, not-for-profit database covering things like business interruption costs, ransom demands, privacy breach claims and damage to IT systems. More data can help stimulate the cyber insurance market, giving greater choice to businesses in insuring against cyber losses.”

The ABI guide Making Sense of Cyber Insurance explains the key types of protection to look for in cyber insurance policies. This includes cyber business interruption losses, privacy breach costs, cyber extortion, and cyber specialist support.

To reduce the risks, and help keep premiums affordable, insurers and SMEs can work together to protect against cyber crime. Among the suggestions offered by industry experts are outsourcing to the cloud for better resilience and security, and having separate hard drives or operating systems for different functions, such as personnel, production and e-commerce.

Behind all the statistics, there is a simple truth: SMEs are prime targets for cyber criminals, and effective protection must be a priority.