get cyber insurance

Curb your complacency on cyber risk!

Another week, another three major cyber attacks hit the news. You may have seen recent reports that Cabrini Hospital in Melbourne, Toyota Australia and the Australian government have all been targeted by sophisticated cyber attacks.  The government and Toyota have claimed that the attacks were unsuccessful and no data was obtained, but Australian security agencies are investigating the ransomware attack on the hospital.

There are so many cyber attacks (one every 39 seconds according to Security Magazine), that it can start to sound like white noise. But the figures below should convince you otherwise. You might think ‘it won’t happen to me, it only happens to big corporates’ but it’s also important to note that 43% of cyber attacks target small businesses!

Cyber security by the numbers (source: Smart Money):

  • 516,380 — the number of Australian small businesses that fell victim to cyber crime in 2017, according to Norton.
  • $4,677 — the average amount the majority of SMEs would have to pay to free their data from ransomware.
  • 25 hours or more — the amount of downtime one in four businesses hit by cyber attacks suffer.
  • $1.9 million — the average cost to a medium sized business if hit by a cyber attack.
  • One third — the number of SMEs who say they continuously back up their systems’ data.
  • One — the number of staff members that hackers need to dupe in order to gain access to your business’ data.

What are the different types of cyber attacks?

First of all, let’s make sure we’re on the same page about what a ‘cyber attack’ is. A cyber attack is considered when an organisation or individual maliciously and deliberately attempts to breach the information system of another individual or organisation. Typically, the cyber attacker is seeking some sort of benefit from disrupting the victim’s network (i.e. a ransom), though some do it as part of protest or ‘hacktivism’.

Some of the most common types of cyber attacks, according to technology giant Cisco, include the following:

Common types of cyberattacks

Malware

Malware is a term used to describe malicious software, including spyware, ransomware, viruses, and worms. Malware breaches a network through a vulnerability, typically when a user clicks a dangerous link or email attachment that then installs risky software. Once inside the system, malware can do the following:

  • Blocks access to key components of the network (ransomware)
  • Installs malware or additional harmful software
  • Covertly obtains information by transmitting data from the hard drive (spyware)
  • Disrupts certain components and renders the system inoperable

Should you pay a cyber attack ransom? In the case of Cabrini Hospital, they paid the ransom that was blocking access to their client records, but they only got a portion of the records back. According to the Australian government and Forbes magazine, you should NEVER pay a ransom. Not only are you not guaranteed to get your systems back up and running as they were before, but it also makes cyber attacks more appetitising and lucritive for the cyber criminals.


Phishing

Phishing is the practice of sending fraudulent communications that appear to come from a reputable source, usually through email. The goal is to steal sensitive data like credit card and login information or to install malware on the victim’s machine. Phishing is an increasingly common cyberthreat.


Man-in-the-middle attack

Man-in-the-middle (MitM) attacks, also known as eavesdropping attacks, occur when attackers insert themselves into a two-party transaction. Once the attackers interrupt the traffic, they can filter and steal data.

Two common points of entry for MitM attacks:

1. On unsecure public Wi-Fi, attackers can insert themselves between a visitor’s device and the network. Without knowing, the visitor passes all information through the attacker.

2. Once malware has breached a device, an attacker can install software to process all of the victim’s information.


Denial-of-service attack

A denial-of-service attack floods systems, servers, or networks with traffic to exhaust resources and bandwidth. As a result, the system is unable to fulfill legitimate requests. Attackers can also use multiple compromised devices to launch this attack (sometimes known as a botnet). This is known as a distributed-denial-of-service (DDoS) attack.


SQL injection

A Structured Query Language (SQL) injection occurs when an attacker inserts malicious code into a server that uses SQL and forces the server to reveal information it normally would not. An attacker could carry out a SQL injection simply by submitting malicious code into a vulnerable website search box.

Learn how to defend against SQL injection attacks.


Zero-day exploit

A zero-day exploit hits after a network vulnerability is announced but before a patch or solution is implemented. Attackers target the disclosed vulnerability during this window of time. Zero-day vulnerability threat detection requires constant awareness.

Your data breach and privacy obligations

Are you familiar with what your obligations are should your business experience a data or privacy breach? Under the Privacy Act, you have a duty to disclose breaches when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach.

Examples of a data breach include the following incidents:

  • a device containing customers’ personal information is lost or stolen
  • a database containing personal information is hacked
  • personal information is mistakenly provided to the wrong person.

There are a few exceptions, which may mean notification is not required for certain eligible data breaches.

Agencies and organisations that suspect an eligible data breach may have occurred must undertake a reasonable and expeditious assessment to determine if the data breach is likely to result in serious harm to any individual affected.

When an agency or organisation is aware of reasonable grounds to believe an eligible data breach has occurred, they must promptly notify individuals at likely risk of serious harm. The Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.

The notification to affected individuals and the Commissioner must include the identity and contact details of the organisation, a description of the data breach, the kinds of information concerned, and recommendations about the steps individuals shoudl take in response to the data breach.

As you can imagine, this process can be expensive, time-consuming and damaging to the reputation of your business. Prevention truly is the best medicine! There are many ways to protect the privacy and data on behalf of your business and your clients. You can find more information provided by the Australian government here, including what client information you are required to protect and the steps you must take (such as ensuring you have a privacy policy available) to comply withe the Privacy Act and the Australian Privacy Principles.

The Australian Cyber Security Centre (ACSC) has also developed cyber mitigation strategies that may assist in protecting your systems from cyber threats. However, a lot of the recommendations are fairly sophisticated, and sometimes it’s the basic, simple risk management activities that are what let us down, such as:

  • Making sure you have good password management – don’t use the same password for everything, and use a password that isn’t easy to guess
  • Provide awareness and education for yourself and your team – make sure you know what the latest scams are and what they look like, reminders NOT to click on attachments unless you are 110% confident that you know the sender and are expecting the information
  • Practice locking your computer and phone when you’re away from your desk – the windows + L key is a shortcut to locking your laptop!

There are many simple ways you can protect your business – perhaps the best thing is to set a date and make a plan with your team! Delegate responsibilities and hold each other accountable for good password management and data protection measures.

Where does cyber insurance fit in?

Insurance forms an important part of your risk management framework. It works as your safety net should your business be targeted by a cyber attack or experience a data breach.

Insurance policies differ, but they can include things like:

  • Business interruption loss due to a network security failure or attack, human errors, or programming errors
  • Data loss and restoration including decontamination and recovery
  • Incident response and investigation costs, supported by a 24/7 multilingual incident reporting hotline and on-demand vendors
  • Delay, disruption, and acceleration costs from a business interruption event
  • Crisis communications and reputational mitigation expenses
  • Liability arising from failure to maintain confidentiality of data
  • Liability arising from unauthorised use of your network
  • Network or data extortion / blackmail (where insurable)
  • Online media liability
  • Regulatory investigations expenses

(Source: Examples above from Chubb)

Get a cyber insurance quote

Find out more or get a quote specific to your needs and your business – just contact us!

Please note: The information provided in this article is only general in nature – before making business decisions you should consider seeking advice specific to your situation.