Cybercrime is the fast-growing economic crime in the UK, and is expected to get even bigger in the next couple of years, according to PwC’s Global Economic Crime Survey 2016. The steep increase in cyber attacks is because more firms are using the cloud to store their data and the increasing interconnectedness of networks and gadgets brought about by the ‘internet of things’. But despite the growing threat more than a third (35%) of UK businesses say they have changed nothing following a security incident in the last 12 months, according to our Hiscox Cyber Readiness report.
Many small businesses understand the importance of cyber security, but often don’t know how their business is at risk. Hackers are drawn to a number of industries, so if you work in one of these then it makes sense to take steps now to improve your cyber security.
Online retail sales are growing fast and so is the number of cyber attacks. A third of UK retail and wholesale businesses have suffered two or more cyber attacks in the past 12 months, according to our cyber report. In 2015, the vast majority (79%) of credit or debit card fraud suffered by shops was committed online, as was nearly two-thirds (64%) of account card fraud, according to the British Retail Consortium’s (BRC) Annual Retail Crime Survey.
Your website doesn’t need to be attacked for you to suffer a problem. Customers’ use of the same passwords for different accounts made it easy for hackers to get access to a number of their accounts on various shopping websites, retailers told BRC. So, retailers need to have effective cyber security in place.
Small retailers are just as vulnerable to attack as big-name high street stores. One of our customers, a chain of opticians was the victim of a ransomware attack that resulted in all of its files being encrypted. Although the optician paid the hacker’s demand for £400 in Bitcoins, not all of the company’s files were recovered, so it needed an IT expert to help the firm recover the rest. The total cost of the attack came to £60,000, which we covered.
This industry has become a prime target for hackers, because of the large amount of customers’ information that companies keep on their systems. Our report reveals that 40% of British food and drink companies and 30% of travel and leisure firms have suffered two or more cyber attacks in the past 12 months.
Last year, pub chain JD Wetherspoon suffered a cyber-attack that took months to uncover, in which hackers stole personal information from more than 650,000 of its customers.
Apart from stealing customers’ names, card numbers and expiration dates from hotel and leisure firm’s IT systems, hackers can also steal the passwords and login details of people while they are using unsecured Wi-Fi networks on their premises, internet security experts have warned.
So if you’re a hotel, pub, restaurant or café you need to make sure your cyber security is strong.
Hospitals and health practices are suffering a wave of cyber attacks. Over 40% of healthcare and pharmaceutical firms have suffered two or more cyber attacks in the past 12 months, our research reveals. Earlier this year, the Barts NHS Trust, the country’s largest, suffered a malware attack that forced it to take its computer systems offline as a precautionary measure. That follows a ransomware attack last October, when North Lincolnshire and Goole NHS Trust had to cancel thousands of operations and hospital appointments at three hospitals as it was forced shut down the majority of its computer systems.
More than a third of UK health trusts may have suffered attacks in the past 18 months, according to press reports. In February 2015, the Information Commissioner’s Office (ICO) expressed its concern at the number of data breaches taking place in the healthcare sector. It suffers by far the biggest number of data security breaches reported to the ICO, which has imposed fines of over £1.3 million against NHS organisations.
‘The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers…Time and again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough.’
Ransomware attacks are being carried out on an industrial scale, targeting hundreds, even thousands of hospitals at a time, cyber security experts warn. They are soft targets for hackers because they tend to run old IT systems to which many employees have access. It only takes one of them to mistakenly download malware that could result in all the data held on that system being encrypted by hackers.
There has been a big increase in attacks against financial firms in recent years, as cyber criminals increasingly turn their attention to this sector. In 2016, financial watchdog the FCA received 78 reports of cyber attacks on financial advice firms, as part of a fast-rising trend. In 2015 the watchdog said 27 had suffered an attack; by the end of September 2016, they’d received 75.
Hackers targeted Argyle Financial Planning, a small Home Counties financial advisor, in a ransomware attack in September 2016 that caused the firm enormous difficulties. To meet the rising cyber security challenge, the FCA said it is looking for a ‘security culture’ in financial firms, driven from the top downwards, with senior management engaged and responsible for their company’s cyber security policy.
Law firms are now being seen as rich pickings by hackers, because of the huge volumes of clients’ very sensitive personal information they keep on their systems, and because their cyber defences tend to be pretty low. The massive Panama Papers leak of client files should be a wake-up call for all law firms, data security consultants argue. But although both the ICO and the profession’s own regulator have warned solicitors about their data security, and over a quarter (28%) of professional services firms were the victim of two or more cyber attacks in the past year, many firms remain unaware of what easy prey they are for hackers.
Law firms can take some easy steps to bolster their cyber defences, Bob Anderson, the former chief of the FBI’s cyber squad explained in our recent blog.
Agencies are increasingly storing a lot of consumers’ private information on behalf of their clients to create personalised marketing campaigns. But this has made them a growing target for hackers and has raised the risk of them falling foul of tougher data protection rules. Our research has shown that 45% of media, technology and telecom had suffered two or more cyber attacks in the past 12 months. But few marketing firms are aware of the danger they face.
One of our clients, a marketing agency, had its computer system hacked into and databases containing thousands of people’s names, dates of birth and contact details stolen by cyber criminals. The firm’s clients reported the breach to the Information Commissioner’s Office, which didn’t fine the agency, but its clients sued it for the substantial legal costs they had run up. We defended our client and settled the claim.
Many small businesses ask: ‘Why would a hacker be interested in my information?’ But the question really should be: ‘Why would a hacker not be interested in my information?’ If your data is valuable to you then it’s valuable to a cyber criminal.
Ransomware attacks are an increasing problem, with employees inadvertently downloading a virus onto a company computer that locks all the files on the system. Although organisations can pay to get their data back, it might take days, weeks or even months to retrieve all of the files. You might never get them all back. Meanwhile, your business is suffering.
Hackers are now growing more ambitious, targeting not just financial information but also customer data and intellectual property, which could, if stolen, bring down a business. So, it’s crucial to act fast to help prevent your company from becoming a victim.
Read our Hiscox Cyber Readiness report 2017
Find out more about our Cyber and Data risks insurance