In recent weeks, we’ve heard from small businesses, insurance brokers and senior government figures. All have very different concerns, worries and priorities but there was one topic that repeatedly came up: how to tackle cyber threats to businesses.
I’ve already mentioned on this blog that 60% of small businesses suffered a data breach in the past year, while some of the bigger names have also been hit. In the United States, both Home Depot and UPS suffered hacker attacks, while JP Morgan lost the details of 76 million customers and seven million small businesses in a recent attack.
More recently, and closer to home for small business, was the Information Commissioner’s Office fine of £7,500 to hotel booking site Worldview Limited after hackers accessed the card details of over 3,800 customers due to a vulnerability that had existed in their website since 2010.
Whether you’re big or small, hackers don’t discriminate. All they need is a vulnerability.
One of the largest of those vulnerabilities has been Shellshock (also know as Bashdoor), which exploited a weakness within UNIX servers and caused havoc – estimates put the number of affected machines at around 500 million worldwide. And it’s here where one of the more frightening aspect of a cyber hack comes in for businesses.
The Shellshock vulnerability
Shellshock was what’s known as a zero day vulnerability attack. It’s called zero day, because the weakness in the system hasn’t yet been uncovered by the security firms, which means they’re like gold dust to hackers. Once a hacker discovers a zero day vulnerability, it’s a race for anti-virus companies, software providers and cyber security firms to find a fix and protect you.
This may sound alarming but there are some practical steps you can take here. If you outsource your cyber security, then be sure that your supplier is clear on how they’d handle an attack. How quickly can you apply a patch to your system? Do they have a procedure in place and are they on top of the latest developments in the industry?
If you have more in-house capabilities then it’s important to have a robust patching procedure. This means that as soon as a patch is released by a software house or anti-virus company that you’re able to install the patch straight away rather than being left vulnerable for several days. Of course, this is easier said than done in some cases.
In many cases, especially zero day vulnerabilities, there is very little you can do to prevent the attack, but there are steps you can take to protect yourself before and after. Having an incident response plan is one such step. You may not be able to prevent a zero day vulnerability but a good plan can help you prepare and minimise the damage (something my colleague Abi Clark has also written about).
Another area of support is forms part of the government’s National Cyber Security Strategy, where they’re encouraging small businesses to sign up to their Cyber Essentials scheme. This provides companies with the basic technical controls needed to ensure a standard level of protection against the most common cyber crimes.
How protected are you?
But while much of the focus is on the likes of Shellshock, it’s also important to be on top of existing threats, such as an SQL injection. According to the Information Commissioner’s Office, this is one of the most common threats to businesses and is often caused by poor quality coding. If you’ve not touched your website in several years or outsource the coding, you may want to do a quick coding hygiene check, as detailed by the ICO.
But while the ICO offer advice, they are also unafraid to penalise those who don’t fix these issues as we’ve seen with the example of Worldview.
So on one hand there’s advice, on the other there’s punishment. The underlying message from the ICO and the government is they will offer all the assistance they can but it’s up to the individual companies to have appropriate security in place.
If the worst does happen, having the right cyber insurance for your company can help you investigate why and how the breach occurred and how you can prevent it in the future, while also providing support to manage the reputational fallout.
It should be stressed that if you’re insured, this does not remove the need for a business to manage the risk of a cyber attack or data breach. Instead, it should be part of a holistic approach, which includes the aforementioned patching procedures, investment in security and education of staff.
But sometimes, no matter what steps you take and how big you are, even the best protection can’t anticipate human error. In a recent case, the Ministry of Justice were fined £180,000 by the ICO after suffering a data breach. They actually had the right encryption software and hardware in place, but nobody had turned it on.
For more information on Hiscox’s Cyber and Data Risks insurance, click here