We partnered with Grant McGregor Ltd, a seasoned Cyber Essentials Certification Body that has helped a broad range of companies to understand and then put in place technical controls.
In easy-to-follow, plain-English guidance, their Director and chief Cyber Security assessor, David Lawrence, and Bruce Stevenson's Account Executive, Phil Brown, outline the scale of cyber threats, how incidents can occur, and the six crucial controls that can help you to navigate this often-confusing subject.
In this recording, you can learn how to tighten a few essential areas of data security to mitigate around 80% of the most common data security risks and why Cyber Liability Insurance is essential to respond to a cyber-attack.
What you'll learn:
• The specific cyber risks that you face.
• An introduction to information compliance standards.
• The most crucial controls for compliance.
• The next steps that you need to take.
15.27 – Phil Brown: Great, thank you, David. I'm going to talk a little bit now about the problem that we face and why cyber insurance can help.
There have been lots of high-profile cyber attacks in the news recently and it's becoming almost a daily occurrence. It's easy to fall into the trap of thinking that these attention-grabbing attacks are the only ones happening. That's not true, and since 2016 cybercrime has been the leading form of any crime committed against businesses. By 2019, the number of cyber attacks had increased by 63 per cent in volume. By 2020, 46 per cent of all businesses had suffered a cyber attack in the previous 12 months.
That last statistic came from a government survey released in March 2020 and we've had a global pandemic since then. If you read a variety of different news sources and statistics, you’ll find various answers, none of them good, and they all paint a very dire picture.
Some claim that phishing attacks have gone up by as much as 600 per cent so most of you, if not all, will probably have received a devious email at some point. You've probably been savvy enough to delete it and ignore it, but some people don't do that and these attacks are getting more and more sophisticated. Around 90 per cent of cyber insurance claims involve some kind of human error. Having the best security and the best antivirus software in place is fantastic. But you can't avoid the fact that human beings are prone to making mistakes.
This goes back to what David was saying about implementing that company security culture. You may think that to become a cybercriminal you have to be some kind of genius, and that to be able to spread malicious code you must be able to write that code. But that's not the case. Malware packages are easily available online to buy off the dark web. It's like buying an app from the Apple store. You log into the dark web, buy a piece of ransomware and away you go. You can even hire contractors to carry out the deed for you. It's easy to get hold of everything you need to carry out an attack.
The big corporate players are getting hit more than daily. It's an hourly affair really, and they'll have entire teams built up behind them to mitigate the risk that SMEs don't have. And yet they're still taking almost 50 per cent of the attacks, so it is a big deal. What we do know about SMEs is that they have the highest targeted malicious email rate. That's not to say they don't receive indiscriminate attacks; some attackers don't know, or don't seem to care, who they target, and it often just becomes more of a numbers game.
That means that malicious software scans for any vulnerabilities and goes for an opening. Smaller businesses are more likely to have these vulnerabilities and therefore they are more likely to actually be hit. Whichever way you look at it, SMEs are at high risk of attack.
In the modern world, most businesses have some form of social media presence and most individuals of working age use social media. What we share on social media can sometimes be used against us. For example, favourite football teams or pet names are commonly used as passwords. If that's you and you post photographs of yourself wearing your favourite Hibernian, Hearts, Celtic or Rangers jersey onto Facebook you’re potentially giving a big clue to cybercriminals who are looking for an entry into your company network.
That might seem simple and obvious, but it does happen and every employee in your company has to remember that they could be giving clues out every single day. LinkedIn is a gold mine for cybercriminals. Our profiles typically show our entire employment and educational history. They tell the world exactly what we do for a living and who our target customer base is.
Business profiles can also be used as a key to company networks. For example, a known trick used by cybercriminals is to wait for the company to advertise a job opening on LinkedIn, then contact the company HR manager requesting to apply. They send a CV by email which is infected with malware. The HR manager opens it without question because they're expecting applicants to be sending CVs at that time. We all know that we must be vigilant when we receive an email from somebody. But that vigilance almost disappears when we're expecting an email from somebody, even if we don't know them.
I'm not going to make this a cyber insurance sales pitch, as that's not what today is all about. But I do think there is a common misunderstanding of the role that cyber insurance can play. If you contact the ICO first, that is the start of a conversation with a regulator that has the power to fine you or apply some kind of sanction or legal action. It's imperative you get off on the right foot. If you do the right things and you can demonstrate that you are planning to mitigate the breach and taking immediate action, that helps. Most SMEs won't be in a position to do that; that's nothing to be ashamed of.
You cannot expect a small business to have an internal team of breach response specialists sat behind them. The next option is to contact Action Fraud or the police. They will have to be contacted, but remember their duty is to catch the criminal; they've no responsibility whatsoever to get your business back up on its feet or hold your hand when you're dealing with regulators. Cyber insurance is not like other lines of insurance. It's not just a contract of indemnity; cyber insurance is also a service-based contract, so you get a full suite of facilities for immediate breach response: legal advice, IT forensics, PR and reputational damage control. These specialists are the best placed to guide you on how to respond.
When you have that first ICO conversation it's critical that you get that right. It can be the difference between a massive fine that isn't insurable or not having a fine. As I said earlier, SMEs cannot be expected to have that internal team of breach specialists behind them. Think of a cyber policy as basically having an outsourced breach response team sat behind you.
So before we finish up, I just wanted to mention one last thing. I think there's a real stigma around victims of cybercrime that we need to get rid of. The only shame in becoming a victim of cybercrime is if you're not prepared for an attack. It's been years and years that the warning signals have been there, and they're getting louder every single day.
There isn't any excuse to underestimate the cyber risk anymore. It isn't an issue you can pass to your IT manager to deal with. It is a genuine business risk and needs to be handled from the top down, at board level. This isn't going to go away anytime soon, I can assure you of that.
Please do get in contact if you've got any queries. David is the Cyber Essentials specialist, and any cyber insurance queries can come to me. Thank you everybody for joining and have a good rest of the day.