Your business is more than 750 times more likely to experience cybercrime than to suffer a fire, a theft, an injury to an employee or a claim for professional negligence, and the consequences can be just as severe, including financial loss, reputational damage and even closure.
It’s not just the risk to your company to think about: you have legal responsibilities to protect your customers’ data too. If they’re not already, your customers will soon be asking what you’re doing to protect them, and your approach could be the difference between them doing business with you or going elsewhere.
What is cybercrime?
Cybercrime is any crime that uses or targets a computer. In a business environment it includes accessing trade secrets, stealing customer data, online fraud and copyright infringement.
What could happen if your business suffers an attack?
It depends on the extent and type of the attack, but if, for example, hackers manage to access your customers’ data, it can severely damage your reputation, destroying the trust you’ve spent so much time, money and effort building up with your customers.
In addition, you might need to compensate parties who suffer a financial loss as a result of the breach in your security, or take your systems down while the issue is rectified.
How do hackers do it?
Malware is software specifically designed to disrupt, damage or gain unauthorised access to a computer system, and it is still the predominant method for hacking IT systems, accounting for around 60% of all cyber-attacks.
Hackers will often use a combination of tactics to infiltrate a system, including phishing, spamming and social engineering – the process whereby they build up a relationship with a member of staff, eventually persuading them to open an email containing malware.
Recently, attacks using ransomware (as the name suggests, a type of malicious software that blocks access to a computer system until a sum of money is paid) also seem to be on the increase. I know of two Sheffield-based businesses that were recently subjected to a ransomware attack. One was a major law firm, and it cost them £50,000 to resolve the issue.
As quickly as IT security specialists get to grips with their tactics, hackers develop new ways to access business IT systems and compromise customer data. Small to medium-sized businesses can be particularly vulnerable, lacking the resources to keep pace with cyber criminals.
Are small businesses really likely to be targeted?
Don’t let the high-profile cases you read about in the press lull you into a false sense of security. Unfortunately, cybercrime is a lot more common than most people imagine, and it affects businesses of all shapes and sizes.
There were 7.6m incidents of cybercrime and online fraud in 2015 according to the Office for National Statistics, and the numbers are rising year on year. A recent report from PwC showed that 34% of all organisations have already been affected by cybercrime, and that figure is expected to rise by 50% in the next two years.
If you think your business is unlikely to be targeted (perhaps because you think you’re not big enough to be of interest), think again: hackers will often look for a weak link in the chain to reach their ultimate target, which could be one of your most important customers. That’s why cybercrime is no longer a problem just for the IT department; it has become an organisational issue that consistently ranks as one of the top three issues at board level.
What do cyber criminals do with the data they steal?
Sell it. There is a market for almost every type of information you hold, and personal data is especially valuable. That’s why we all get calls and emails from accident management companies, online chemists and strangers asking us to help transfer their wealth to the UK…
What am I obliged to do by law?
The current requirements are set out in the Data Protection Act, but the law is about to change, increasing your responsibilities to your staff, customers and suppliers. The General Data Protection Regulation (GDPR) is EU legislation that will come into force in May 2018, before Brexit is finalised. Post-Brexit, UK law will still need to be at least as good to enable us to trade with the EU and, most likely, the rest of the world.
One important change to note as a result of GDPR is the requirement to notify customers of any personal data breach without undue delay. To prepare for this change, many businesses are already reviewing and redrafting their contracts with customers to make clear each party’s rights and obligations. They’re also seeking contractual reassurances from suppliers about how they intend to keep that data secure.
What can you do to protect yourself?
According to a PwC report, the majority of cybercrime issues relate to rogue employees and human error; one of my clients recently dismissed a member of staff who, as a parting shot, encrypted key commercial information. It took five days to recover the information.
You can reduce the risks of cybercrime by investing in robust security for your IT systems and by implementing (and regularly reviewing) policies and procedures governing access to those systems.
For additional protection, you should also consider buying cybercrime insurance. It gives you and your customers peace of mind that you are financially protected, and it ensures that in the increasingly likely event of a cyber-attack you have access to the specific knowledge and expertise you need to survive it.
Cybercrime cover is usually broken down into two sections – cover for your company (first party) and cover for your customers (third party). A variety of policies are available on the market and can be tailored to your specific needs, but in general they include cover for notification costs and civil liability to customers, provide specialist assistance for dealing with extortion claims, and offer advice and support on how best to protect your reputation if you are the target of a cyber-attack.
Given customers’ increasing expectation that their data will be protected (as reflected in the imminent, more stringent legislation), buying cybercrime insurance could be business critical. Some businesses go as far as advertising the cover they buy when pitching for new customers, knowing it could give them the edge over their competitors.
If cybercrime isn’t on the agenda for your next management executive meeting, it should be.