A publisher we insure was recently contacted by a ‘white hat hacker’ (an ethical hacker, named after the cowboys in white hats in the old black and white TV westerns) and told that user names and passwords for two of their websites had been stolen. After being notified, we called in IT forensic experts to investigate; they confirmed there had been a hack and set about plugging the security breach.
Legal advice was also taken to confirm whether or not our client was required to notify the individuals whose user names had been compromised. In the end the insurance claim we paid was around £10k but could have been much worse for the client if the white hat hacker hadn’t ridden to the rescue.
It’s just another example of how vulnerable businesses are to cyber-attack. Each year, we report on the cyber readiness of businesses. In the Hiscox Cyber Readiness Report 2017 we found that SMEs are particularly susceptible to cyber-attack, as many cyber criminals see them as a soft target and a potential gateway into the larger businesses that the SME might work for.
How to improve your cyber security
We also found that those who ranked as cyber security novices (those with the least developed approach to cyber readiness) were more likely to be SMEs, whereas cyber security experts were more likely to be large companies. While this may not seem surprising, given that the typical small business does not have the IT resources a larger business might have, the good news is that SMEs can up their cyber security game by following six steps (most at little or no cost):
1. Involve the boss
In our report, one of the defining characteristics of firms that rank as cyber experts is the involvement of their board and executive management in setting cyber security strategy. Of course, most small businesses don’t have tiers of top management, but it’s clear that whether you’re a five-person operation or a five-hundred-person business, whoever is in charge needs to step up to the plate when it comes to leading the charge on cyber security. It’s not a job that should simply be left to the IT crowd.
2. Have a formalised cyber strategy
Cyber experts tend to have a formal cyber security strategy in place with clearly defined structures, processes and criteria. In effect, this means that your business should have a clear idea about the cyber risks your business faces and how you manage those risks. For example, if you collect personal data on your customers, how is it stored/protected, and how would you respond if it were compromised?
3. Train your employees
Do you and your employees know not to click on that suspicious-looking link or open that attachment that comes from an unknown source? With some reports saying that over 90% of all successful cyber-attacks are related to human error, our study shows there is a wide gulf between cyber novices and experts in the area of employee training. More than nine out of ten experts (93%) in our report say that their ‘organisation incorporates security training and awareness across the organisation’. Among novices, the figure is less than half (43%). As we have seen, most experts say employee training is effective at reducing the number of incidents. Stepping up training can be a quick win.
4. Document your processes
Recording, tracking, documentation: these are areas where the novice firms have scope for improvement at only moderate cost to the organisation. For instance, while the overwhelming majority of experts (96%) say their organisation has a core source of cyber security guidelines for employees, partners and external users, only 42% of novices are as well organised. Consider implementing data classification and information security policies that set out clearly how different types of data should be handled and controlled.
5. Tighten up the technology
Two areas where SMEs need to tighten up are email encryption and the integration of strong identity authentication (better password management). In both areas, most SMEs are a long way behind the cyber experts.
6. Transfer risk
Nearly two-thirds of cyber experts (64%) have taken out cyber insurance. That compares with just 28% of novices. It’s worth noting that cyber insurance is not just the preserve of big business, with an increasing number of SMEs taking out cover: 66% of the businesses that bought cover directly from us last year had a turnover of below £100,000.
For more details, see the Hiscox Cyber Readiness Report 2017.