Quite recently I rather stupidly allowed myself to become a victim of cyber-crime when browsing Peter Knight’s Property Academy website, which had, rather unfortunately for both Peter and me, been hacked a day or so before. That sinking feeling of powerlessness and self-recrimination I endured when the ransomware notice popped up on my computer screen just moments afterwards is something that will stay with me for some months to come. Needless to say, however, the solution to my problems lay with my local IT expert parting company with £300-00 in bitcoins on my behalf, followed naturally by a sizeable invoice for his trouble.
Not unlike crashing a car for the first time, I have replayed those same moments (leading up to my files being encrypted) over again in my mind, hoping that I learn something from my experience – enough at least to make the same experience unrepeatable in the months and years ahead. But we are all capable of great stupidity at times, particularly when using the internet. Hackers know that human behaviour is naturally inquisitive, so my actions are living proof that temptation is not solely confined to the Bible and the exploits of Adam & Eve. But that, as they say, is enough about me.
Last week’s cyber-attack on our very own NHS (amongst many other organisations worldwide, I gather) was a stark reminder of what can happen if measures are not put in place to protect your network computer systems. BBC news reports had suggested that if staff from the various parts of the NHS affected had completed the Microsoft updates that they had been sent, their Windows XP system would have been protected. Hindsight is a wonderful thing of course, but I can’t help but think that those same overstretched and underpaid NHS staff responsible for this task would not have regarded a massive cyber-attack (from North Korea?) as either likely or indeed a priority in their extremely busy working day. But that in itself is maybe the point, in that cyber-crime is clearly on the increase worldwide, and does not discriminate between its victims – however hapless or unprepared they are.
So, what can be done? Well, I have always subscribed to the view that “when out of your depth, ask an expert”, so I decided to defer to a new colleague of mine, Paul Dickson of Innovation Broking (a specialist in cyber liability insurance), who speaks with refreshing clarity on these matters, and in particular on what business owners should generally consider when applying for specialist cyber insurance cover:
“There are numerous cyber risk policies, and for the most part they are not standard in terms of the cover offered. Thus, there is no one size fits all and individual advice is a paramount need. For clients, we would scope cyber insurance to suit their individual risk, much more so than most general insurance covers. Issues such as data stored, use of cloud services, existence of network security policies, all apply. However, the key commercial attraction is that cyber insurance is readily accessible from the insurance market, and premiums are at a level that most businesses feel comfortable in paying. The trend is towards an understanding that a data breach (90% of cyber exposure risk) is a key concern, but what is not so commonly understood is that the insurable risk is not the prospect of being sued (and facing third party claims for losses), but the potential for your own loss or first party costs for credit monitoring, forensic costs, fines & penalties as well as ransomware and extortion”.
Paul also went on to explain that cyber liability in an uncomplicated sense is concerned with the following:
- Data Breach Claims – Arising from hacking, dishonest employees or the loss/theft of a company laptop for example. Data breach cover is generally the major exposure for a company, as well as the highest profile cyber liability risk, and is a third-party loss – paying out damages and costs.
- Data Breach Expenses – This is worth identifying separately as it is a first party loss (costs incurred by the company rather than paid out in damages) that relates to the considerable costs that can arise from credit monitoring, and forensic investigation costs etc.
- Third Party Claims – For loss of information held by you on your networks, and might include damage caused by breach of confidential information. Again, this is a third-party loss.
- Business Interruption – Caused by network security failure for loss of income or additional working costs. A first party loss.
- Extortion Claims – Threats made against a company’s network and information held on it. A first party loss.
- Media or Content Liability – Generally for content maintained on a company’s website, and covers possible risks of copyright & trademark infringement, defamation or invasion of privacy. A third-party loss – damages and costs exposure.
In conclusion, if you have not (up until now) considered cyber-crime as a possible threat to your estate agency business, then think again. But be warned: many insurers’ policy conditions revolve around the acceptability and usage of your existing security systems, and will expect sensitive data to be encrypted, and anti-virus, firewall and intrusion detection systems to be in place. If this is not the case, you should at best expect higher premiums, or at worst – your proposal to be declined for not taking your cyber security obligations seriously enough. You see, it may appear “prima facie” that cyber security is a 21st century phenomenon, but I wonder how many business owners would leave the front door of their home unlocked when they sleep at night? So in reality, is taking cyber security at work more seriously really that different?
This article was written by Peter Nicholls, CEO of Ideology Consulting (www.ideologyconsulting.co.uk). For more information regarding cyber cover to suit your business’s needs, go to www.innovationbroking.com.