If I am being harsh, I could say that insurers will find a way to take money off anybody – however, my old Risks and Insurance lecturer would probably remind me that insurers are there to help people out when risky situations occur. Those views are different sides of the same coin. Regardless of the view you take, remember the following: the large print giveth – the small print taketh away.
What is Cyber Insurance?
Several years ago, insurers started offering ‘Cyber Insurance’ to small business customers. Typically starting at a few hundred pounds per year for a small business, such policies promise to pay out when you suffer a ‘Cyber Incident’. What exactly counts as an incident depends on the policy wording (more on that below), but the cover typically extends to:
- Loss of, or damage to, your data and software.
- Business interruption as a result of computer problems and network downtime.
- Extortion: where you are threatened with the deletion or public release of company data unless a ransom is paid.
- The costs of telling customers when there is a security or privacy breach.
- Reputational damage as a result of a data breach.
The costs of any one of these scenarios could be huge. Many businesses that encounter such an attack can take months to recover – or at worst can be wiped out entirely – putting jobs and even lives at risk.
What is a Cyber Incident?
A cyber incident is a pretty generic term which could mean many things. The threats your computer system faces can come from inside or outside your business and can be malicious or accidental. Regardless of the source, an incident will affect the confidentiality, integrity or availability of a system, or will involve unauthorised access (or attempted access) to it, which is the territory covered by the Computer Misuse Act 1990. Examples of incidents include:
- Attempts (successful or not) to gain access to your computer systems and data in an unauthorised way.
- The use of your systems to process or store data in an unauthorised way.
- Changes to the software, hardware or firmware of your systems without the system owner’s consent.
- The disruption of your systems to the point where you cannot use them.
Something as commonplace as a malware infection can be the trigger point for all of those and more. Other attacks (often automated) include denial of service, phishing, ransomware, spyware, keyloggers and so on. Regardless of the method, the result could be catastrophic.
Prevention is Better Than Cure!
If you choose to purchase Cyber Insurance, well, that’s your call. All of these issues could disrupt your business and only you can judge the cost-benefit of the cover offered to you by the insurer. What we do say is that, whether you have Cyber Insurance or not, you should run a tight ship, IT-wise. In the IT world we call this reducing the attack surface (and, for backups and recovery, building in resilience); these are just some of the methods we employ:
- Making sure that you have up-to-date backups in case disaster strikes.
- Running occasional disaster recovery exercises to prove that you can actually restore from those backups.
- Installing antivirus and firewall software to prevent some attack types.
- Monitoring the antivirus and firewall systems to make sure they are doing their job.
- Adding an extra layer of web security (web or DNS filtering) that blocks known-malicious sites and downloads before they reach your network.
- Preventing your staff from making changes to systems that could weaken security (for example, by not giving day-to-day users administrator rights).
- Keeping systems bang up to date with the latest security patches.
- Preventing users from taking data off site on USB sticks or via file-sharing tools.
- Ensuring staff use equipment owned and managed by the business.
- Ensuring all data is properly secured by appropriate authentication methods (strong passwords and multi-factor authentication).
- Locking down your wired and wireless networks so they can be used only by authorised devices.
- Properly ‘offboarding’ staff when they leave, so the data and systems they accessed remain safe and secure (accounts disabled, devices returned, shared passwords changed).
There are dozens of other ways we can keep systems secure, but these are the key ones to consider and we try to employ as many of these techniques as is feasible for a given customer.
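As an added illustration of the backup and disaster recovery points in the list above (this is example code written for this page, not something from the original article or from any particular backup product), the following POSIX shell script runs a small restore drill: it writes constructed sample data, takes a tar backup with a SHA-256 manifest, restores into a scratch directory and verifies every file against the manifest. It also simulates a backup that no longer matches its manifest, which is exactly the failure a drill exists to catch. All directory and file names are assumptions, and it needs GNU `tar` and `sha256sum`.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal backup-and-restore
# drill. Creates constructed sample data, backs it up as a tar archive with a
# SHA-256 manifest, restores into a scratch directory and verifies every file.
# Assumes GNU tar and sha256sum; all paths below are hypothetical.
set -eu

# make_backup SRC_DIR ARCHIVE MANIFEST
# Records a "sha256  ./relative/path" line for every file, then archives SRC_DIR.
# ARCHIVE and MANIFEST must be absolute paths because we cd into SRC_DIR.
make_backup() {
    src=$1; archive=$2; manifest=$3
    ( cd "$src" && find . -type f | sort | while IFS= read -r f; do
        sha256sum "$f"
      done ) > "$manifest"
    tar -C "$src" -cf "$archive" .
}

# verify_restore ARCHIVE MANIFEST SCRATCH_DIR
# Extracts ARCHIVE into SCRATCH_DIR and checks each manifest entry.
# Returns 0 only if every file was restored and matches its recorded hash.
verify_restore() {
    archive=$1; manifest=$2; scratch=$3
    mkdir -p "$scratch"
    tar -C "$scratch" -xf "$archive"
    # sha256sum -c exits non-zero if any file is missing or altered
    ( cd "$scratch" && sha256sum -c --quiet "$manifest" )
}

# run_drill [corrupt]
# End-to-end exercise on constructed data. With the argument "corrupt", a
# source file is damaged after the manifest is taken and then re-archived, so
# the backup no longer matches what was recorded and the drill must FAIL.
run_drill() {
    mode=${1:-}
    work=$(mktemp -d)
    mkdir -p "$work/live/accounts" "$work/live/hr"
    # Constructed sample business records, not real data.
    printf 'invoice,amount\n1001,250.00\n1002,80.50\n' > "$work/live/accounts/invoices.csv"
    printf 'name,role\nA. Smith,Director\n' > "$work/live/hr/staff.csv"

    make_backup "$work/live" "$work/backup.tar" "$work/backup.sha256"

    if [ "$mode" = corrupt ]; then
        printf 'x' >> "$work/live/hr/staff.csv"       # silent damage to a source file
        tar -C "$work/live" -cf "$work/backup.tar" .   # archive now disagrees with manifest
    fi

    if verify_restore "$work/backup.tar" "$work/backup.sha256" "$work/restore" 2>/dev/null; then
        echo "DR drill PASSED: every file restored and matched the manifest"
        status=0
    else
        echo "DR drill FAILED: restored data does not match the manifest"
        status=1
    fi
    rm -rf "$work"
    return "$status"
}

run_drill "${1:-}"
```

Run it with no arguments to see a passing drill, or with `corrupt` to see the failure path; the non-zero exit status is what you would wire into a scheduled job so that a silently broken backup gets noticed before you need it. The same pattern (manifest taken at backup time, verified after a real restore into a clean location) applies whatever backup tool you actually use.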
And finally… why could my Cyber Insurance be useless…?
This article is a pretty long and contrived way to say that, if you have not adhered to the terms of your insurance, you will probably be unable to claim against it. Most insurers require you to have certain policies and procedures in place (and to keep them in place) as a condition of cover, and when you make a claim you will have to prove that you take the risks of cyber attack seriously and mitigate them in the ways described above. Read the conditions and exclusions in your policy carefully, keep evidence that you meet them (patching records, backup and restore test logs, staff leaver checklists), and understand that if you are not following them the insurer can decline the claim, leaving your insurance effectively worthless.