Cyber-security breaches – A fact of life?

By James Callender, Producer at Lockton Companies LLP.

If anything should focus the minds of Government Ministers and MPs about the importance of online security, the recent cyber attack on both Houses of Parliament should.

Westminster was hit by a "sustained and determined" attempt to gain access to MPs' and their staffers' email accounts - mostly those protected by weak passwords - with MPs suggesting blackmail as a possible motive.

It was one of many instances in what has been a hectic first six months of 2017 - a period with an inordinate number of cyber-security meltdowns, not just corporate breaches but state-sponsored ransomware.

Just a month after the Wannacry strain temporarily crippled NHS hospitals, delaying vital medical procedures, another wave called Petya (and a few other names) infected networks in many countries - including the US pharmaceutical company Merck, Danish shipping company Maersk, and Russian oil giant Rosneft.

The cynical among us might think that the only reason that the list is not longer is simply because some organisations have been able to keep their breaches from public view. Indeed, the fact the Information Commissioner's Office (ICO) sees fit to levy a fine of £1,000 on those firms that fail to disclose a breach shows that this is a real problem.

A report on data security breaches at Yahoo filed with the US Securities and Exchange Commission recently detailed a catalogue of data security breaches going back to 2013. This was explosive, resulting in the resignation of Yahoo's General Counsel and the CEO Marissa Mayer losing a considerable portion of her salary. The reputational damage to the Silicone Valley giant can only have been magnified by its failure to properly disclose the breaches in good time.

The importance of disclosure is rocketing up the agenda with the imminence of the EU's General Data Protection Regulations that come into force in 2018. They will affect all UK firms (and will most likely be followed by the majority post-Brexit) and include fines of up to 4% of global turnover for data security breaches.

And it's not just high profile tech firms that face the threat of data breach. SMEs can often find themselves victims. In 2015, a Glasgow hair salon was forced to pay a ransom of €1000 after hackers locked the owners out of their systems. In 2016 the Scottish Business Resilience Centre estimated that 1 in 3 companies has been breached by ransomware in this manner.

The danger for SMEs is that many think it won't happen to them; that they are not big enough to ping on the hackers' radar; that they can protect themselves with some off-the shelf anti-virus software. In fact, these are the enterprises which are most vulnerable.

There are three separate dynamics that are fuelling the extent of today's cyber-security threat to business.

Firstly, there is a tremendous amount of opportunity for cyber-criminals. These days it is difficult to find a company, organisation or individual that does not depend in large part on IT devices and the internet to carry out their day to day activities. It is only a slight exaggeration to say that we are all potential targets.

Secondly, the internet has made it far easier for individuals to acquire the skills and knowledge to carry out cyber-attacks. In their 'The Cyber Threat to UK Business 2016/17' Report the National Cyber Security Centre noted: "The technical skill required to commit cyber-attacks continues to decrease. Malware... [is] easily acquired on the dark web which means the number of individuals capable of launching basic cyber-attacks is increasing."

Finally, the consequences of simple human error have never been greater. The vast majority of cyber-security breaches occur by accident rather than by malicious act. In their report on data security trends in Q3 of 2016 one of the ICO's headlines was a 43% increase in a failure to use bcc in emails; a simple mistake that many of us have been guilty of in the past.

However, the combination of the communications revolution engendered by technology and increasing sensitivity regarding use of personal data means that such mistakes can be disastrous. Human error is no worse than before, but the stakes are far higher.

What can businesses do about this? The most obvious step is to improve their own data-protection procedures. Crucially they must realise that the 'tech' is only part of the solution. Cyber breaches occur because of people and it is crucial that staff receive appropriate training to understand their responsibilities and what they need to do to maintain cyber-security.

The next most obvious step is that businesses need to make plans for what they will do if they suffer a cyber-security breach. One of the best ways to do so is by arranging cyber-liability insurances. These products serve two functions.

Firstly, they provide compensation to businesses for losses suffered due to incidents such as security breaches, network interruption and cyber extortion.

Secondly, and perhaps more importantly, they also provide a comprehensive service proposition of experienced professionals, from forensic accountants to IT specialists to expert lawyers, who can intervene quickly to investigate the incident, repair the damage and mitigate the loss. Having this infrastructure waiting in the wings is of real value to businesses as it guarantees that, should they suffer a cyber-attack, help is close at hand.

This is a novel area of insurance and there is a general lack of awareness and understanding of the service amongst brokers and businesses. We always recommend that our clients thoroughly review their exposures with our assistance, and consider purchasing this protection.

The cyber-security threat is a fact of modern life. It will not go away and it cannot be ignored. It can, however, be countered and it is crucial that we all take the time to understand how to do so.