Watch Our Webinar - Data Security and Cyber Risks in 2022

26 November 2021

We partnered with Grant McGregor Ltd, a seasoned Cyber Essentials Certification Body, to host a webinar on the cyber risks facing businesses today.

In easy-to-follow, plain English guidance, their Director and Chief Cyber Security Assessor, David Lawrence, and Bruce Stevenson's Account Executive, Phil Brown, outline the scale of cyber threats, how incidents can occur, and the six crucial controls that can help you navigate this often-confusing subject.

In the recording, which you can watch below, you can learn how to tighten a few essential areas of data security to mitigate around 80% of the most common data security risks and why Cyber Liability Insurance is essential to respond to a cyber-attack.

What you'll learn:

•    The specific cyber risks that you face.
•    An introduction to information compliance standards.
•    The most crucial controls for compliance.
•    The next steps that you need to take.

Transcript of Webinar

Hello, my name is Phil Brown and I’m a commercial broker at Bruce Stevenson Insurance Brokers. I’m joined today by David Lawrence at Grant McGregor, IT consultants and registered Cyber Essentials certification body.

We’re going to be talking about cyber risk today. I’m going to kick things off with a brief overview of the issue today and how typical incidents can occur, and David’s going to follow up with a summary on how you can really mitigate such an incident from happening to you.

Before I begin, I just wanted to say that you’ll hear various stats and figures from me today and these have kindly been provided by two major cyber insurers in the UK, Hiscox and Travelers. 

(15.27) There have been countless high-profile cyber-attacks in the news recently, and it’s becoming almost a daily occurrence to see such attacks in the headlines. But it’s easy to fall into the trap of thinking that these headline-grabbing attacks are the only ones happening. The reality is that it’s actually very, very common. Since 2016 cyber-crime has been the leading form of any crime committed against businesses.

As you’ll see on the slide, by 2019 the number of cyber-attacks by volume had increased by 63%, and by 2020 46% of all businesses had suffered some form of breach in the previous 12 months.

I do want to highlight that the last statistic there was actually from a government survey, the results of which were released in March 2020, and we have had the small matter of a global pandemic in the meantime. I’ve read a variety of different sources on the impact the pandemic has had on cyber-related incidents and none of them paint a very pretty picture. Some claim that the prevalence of phishing attacks has increased by as much as 600% in just one year. 

Most of you, if not all of you, will have received a dubious-looking email at some point, and perhaps you’ve been savvy enough to ignore and delete it. But some people don’t do that, and these kinds of attacks are getting more and more sophisticated. Around 90% of cyber insurance claims involve some kind of human error, so whilst having top-of-the-line security systems and anti-virus software is fantastic, you can’t avoid the fact that human beings are prone to mistakes.

You may think that to become a cyber-criminal you have to be some kind of IT whizz. To be able to spread a malicious piece of code you have to know how to write that code.

That’s not really the case though. Malware packages are readily available to purchase on the dark web. Just like buying an app from the Apple Store. You log in to the dark web, buy a piece of Ransomware and away you go. You can even hire contractors to actually carry out the deed for you if you cannot face defrauding people or businesses yourself. So it’s very easy to get hold of everything you need to carry out an attack.

Now we’re going to do a little role-play and we’re going to run a survey. I’m going to ask you to assume the position of a wannabe cybercriminal. You’ve just purchased a piece of Ransomware code from the dark web and you’re looking for your first target.

Do you choose a large corporate giant, that has stacks of money but also spends big on cyber security, staff training, disaster recovery and the like?

Or do you choose an SME, who has less cash but also spends a lot less on security and training? When I say SME here, I mean any company with employee numbers between 1 and 250.

So you can choose the large corporate for a big win, albeit much harder to achieve. Or the SME for a smaller win but a much better likelihood of success. Cast your votes.

The actual percentage of total cyber-attacks committed against small businesses is around 43%, although that figure is actually from pre-Covid times and I suspect it could now be significantly higher.

SMEs Most At Risk from Cyber Attack

What we do know though is that SMEs have the highest targeted malicious email rate.

That’s not to say they don’t receive indiscriminate attacks – some attackers don’t know or seem to care who they target, and it often becomes more of a numbers game than a targeted approach. What does this mean? Malicious software scans for any vulnerabilities and goes for anything that has an opening. Smaller businesses are more likely to have vulnerabilities; therefore, they are more likely to be hit.

Whichever way you look at it, SMEs are at high risk of an attack.

Where Do Cyber Criminals Get Information?

Now we’re going to go back to role-playing though and again you’re the would-be cybercriminal. You’ve decided to carry out a targeted attack on an SME and you’ve selected the company you want to hit. Now you need as much information as possible about that company, and also about the individuals who will be targeted. You’re going to use this information to your advantage to manipulate your target and allow you access into their network. Where could you find this information?

•    Social Media
•    The Company Website
•    The Company Office
•    The Dark Web

The correct answer is that all of these could be used by a criminal to gather information for a targeted cyber-attack. 

In the modern world, pretty much every business has to have some kind of social media presence, and most individuals of working age use social media in their personal capacity. But what we share on social media can be used against us. For example, favourite football teams or pet names are commonly used as passwords, so if that’s you and you post a photograph of yourself on Facebook wearing your Hibs or Hearts jersey, you’ve potentially given a big clue to criminals looking for an entry into your company network.

LinkedIn is a goldmine for cyber-criminals. Our personal profiles typically show our entire employment and educational history and tell the world exactly what we do for a living and who our target customer base is. Business profiles can also be used as a key to company networks. For example, a known trick used by criminals is to wait for a company to advertise a job opening on LinkedIn, then contact the company HR manager requesting to apply. They send a CV by email which is actually infected with malware, and the HR manager opens it without question because they’re expecting applicants to be sending CVs at that time. 

Why Cyber Insurance Differs From Other Insurance

We all know that we must be vigilant when we receive an email from somebody we don’t know. But that vigilance almost disappears when we’re expecting an email from somebody, regardless of whether we know them or not.

Now we’re going to go back to the role play, but this time you’re going to be the victim. The cybercriminal has found a way into your network. It’s Monday morning and you’ve just switched on your computer, but you and all your colleagues are completely locked out. A notification on your monitor states that you must pay £50,000 in Bitcoin in order to receive the decryption key to unlock your network.

What do you do first?

•    Notify the Information Commissioner’s Office (ICO) that there has been a potential personal data breach
•    Contact Action Fraud or the police
•    Contact your insurer and advise them of the situation
•    It’s clearly a prank – hope it all goes away

The correct answer is that you should contact your cyber insurer. Now I’m not going to make this a cyber insurance sales pitch because that’s not what today is about, but I do think there’s a common misunderstanding of the role a cyber policy plays when a breach has occurred.

If you contact the ICO first, that is the start of the conversation with a regulator that has the power to fine you or apply some kind of sanction or take legal action. It is absolutely vital that you get off on the right foot, say the right things, and can demonstrate that you have a plan in place to mitigate the breach and are taking immediate action. Most SMEs won’t be in a position to do that. That’s nothing to be ashamed of. You cannot expect a small business to have an internal team of cyber breach response specialists sitting behind them.

The next option was the police or fraud team. Well, they will have to be contacted, but remember that their duty is to catch the criminal. They have no responsibility to get your business back on its feet or hold your hand when dealing with regulators.

Cyber insurance is not like other lines of insurance. It is not just a contract of indemnity, it’s also a service-based contract. It provides a full suite of facilities for immediate breach response, from legal advice to IT forensics to PR & reputational damage control. These specialists are best placed to guide you on how and when that first ICO conversation is had, and it’s critical you get this right. I said earlier that SMEs cannot be expected to have an internal team of breach specialists, but think of a cyber policy as having an outsourced team of breach specialists at your disposal.

We need to get rid of the stigma that is attached to victims of cybercrime. The only shame in being a cyber victim is if you are not prepared for an attack. The warning signals have been there for a number of years and they’re getting louder by the day. There really isn’t any excuse to underestimate this risk anymore. This isn’t an issue that can be passed on to your IT manager to deal with.

It is a genuine business risk that needs handling at the board level, and I can assure you it isn’t going to go away anytime soon.