Last year 46% of UK businesses identified cyber security breaches or attacks, with an average cost of £8,460 as a result of data loss or assets after the breach. Of that 46% – just 32% had cyber insurance cover. (Data according to the UK Government Official Statistics.)
Putting the numbers aside, let’s take a moment to consider the real impact a cyber security incident could have on your business:
Imagine a scenario whereby ransomware has rendered your core business systems and devices completely unusable and you are facing the threat of losing your (and possibly your customers’) data.
- What is the impact on your ability to continue delivering operational services, and to invoice and receive payment from customers?
- What effect would this situation have on your workforce, both in terms of resource being diverted to deal with the fallout (IT, operational, customer services) and from a workload or stress perspective?
- Factor in the impact of business interruption and reduced output.
The cost of responding to the attack and the recovery process could potentially be very significant for a business, and business-as-usual would not be possible for some time.
So, what exactly is cyber insurance?
Cyber insurance is a form of cover designed to protect your business from digital threats such as data breaches or malicious cyber-attacks on work computer systems and is there to help with the cost of recovery from these attacks. A cyber insurance policy might typically cover:
- Investigation costs, and defence costs to prevent further attacks
- Loss of, or damage to data and systems
- Costs to restore the IT system within the business
- Business loss of income as a result of the downtime, and potentially compensation to customers as a result
- Ransom payments
- Reputational damage costs
- Expenses related to notification of a security breach according to regulatory requirements
- Theft of money is sometimes covered, although it is often provided through other crime policies instead
You could also be liable for third party (customers and other affected parties) claims and legal action.
Do I need a cyber insurance policy?
Whether or not you need cyber insurance is a topic up for debate. Recently it has become a growing trend, further exacerbated by the COVID-19 pandemic, and more businesses are requesting this level of cover alongside the other more common policies such as professional indemnity and commercial property insurance.
Before taking out a policy, make sure you fully understand the following:
- What are the pre-requisites of being able to claim against your policy?
You are responsible for ensuring your business security meets requirements set by the insurance company, and you should always inform them of any change in circumstances which may affect cover (e.g. workforce all working remotely).
- Does the policy include mechanisms to help during a cyber security incident?
Forensic assistance as well as PR support may be of huge benefit as you work through the recovery process. Equally, you may need help once the initial incident has passed, for example with legal defence relating to customer claims.
- What accompanying security services does the insurer provide as part of their cover?
From cyber security consultancy to security awareness training for your employees, additional services such as these can be valuable and effective in reducing the risk of a cyber security incident.
- What is the financial limit of the policy? Is this enough to cover your business?
The important point to note is that an insurance policy is merely there to help mitigate the effects of a security breach; it will not stop a security breach from taking place.
At Highstream, we believe having an ongoing security focus will be your most valuable defence mechanism.
Preventing incidents and attacks should be your main priority.
Implementing protective measures early is comparatively far less costly and easier than dealing with an attack. In fact, many insurers will insist on elements of security being in-place prior to offering cover and will want to understand what security controls you have already implemented.
Threats are evolving continually, as are the myriad options and guidance on how to protect your business. We believe in keeping things simple, and would advise our clients to standardise on a toolset of core business systems and protect these, in line with best practice and vendor recommendations. It’s important to limit the use of any tools which lie outside this agreed baseline, as this will significantly reduce your exposure to threats.
By following this principle, we (and our clients) are always in-touch with the best practice and security recommendations which relate to them.
Our security focus is regular and on-going:
We guide our customers through day to day risks in a professional and conscientious way, exactly as if we were their internal IT department.
A major element of our system portfolio is Microsoft 365, accommodating much of our customers’ business requirements. We migrate business data to SharePoint and OneDrive, email to Exchange Online, and encourage the use of Teams for collaboration and communication throughout the business.
The real joy of getting a customer to this stage is that they unlock significant built-in security capabilities which reach across the whole spectrum of Microsoft 365 services, including:
- Multi-factor authentication (MFA / 2FA)
- Data loss prevention
- End-point device management
We run a security programme with our customers, planning the implementation of these elements whilst measuring the effectiveness of their presence, both in terms of a trackable improvement to their security posture over time as well as against similar businesses in similar industries. This gives a really powerful picture for them to use in discussion with customers, partners and insurers alike.
Cyber Essentials – be recognised for your security focus, investment and effort
The Government’s Cyber Essentials and Cyber Essentials Plus schemes were launched in 2014 and revised last year in conjunction with the Information Assurance for Small and Medium Enterprises (IASME) consortium.
They’re used to assess SMEs against standards designed to enforce protection from common cyber-attacks. At the basic level, this involves assessment of the answers given within a guided, security focussed questionnaire which helpfully forces the participant to identify and react to areas of risk within their own business. The more advanced ‘Plus’ level of certification includes active testing of defences, both from within and from outside your IT network.
We encourage our customers to work towards the Cyber Essentials certifications as a great first step to improve cyber resilience. It wouldn’t be right for us to grade our own work to protect our customers, so we bring in external assessors to ensure this is done fairly.
Achieving and publicising a Cyber Essentials certification shows that you’re serious about cyber security.
Get in touch with us today to discuss your IT security in more detail