Justin Clarke, Director of Underwriting and Pricing at NIG, explores the threat of cybercrime to small and medium-sized businesses, and explains why comprehensive cyber insurance coverage is essential.
Cyber criminals don’t go after small fish, right? Actually, nearly three-quarters of small and medium-sized businesses have suffered a security breach, and a report from the Federation of Small Business (FSB) says cybercrime targeting small and medium-sized businesses costs the UK an estimated £5.26bn a year. The report also notes that it costs small businesses disproportionately more than big businesses, when adjusted for organisational size.
Mike Cherry, National Chairman of the FSB, explains:
Cyber criminals love smaller businesses because they have more digital assets than consumers, and less security than larger organisations. In fact, the FSB report found that only a quarter of small and medium-sized businesses have a strict password policy – and just 4% have a cyber attack strategy.
The most common cyber crimes affecting small and medium-sized businesses are phishing emails (49%), spear phishing emails (37%), and malware attacks (29%). Other threats include ransomware (where data is seized and encrypted for ransom), hack attacks (where hackers access the company network), and Denial of Service (DOS) attacks which push a huge amount of data to a company’s website to make it crash.
Phishing emails send you to a website that looks legitimate, and ask you to update your account details. The fraudsters can then easily steal your personal information to commit identity theft.
Spear phishing attacks are even more sophisticated, and harder to spot. They target individuals within the organisation, often mimicking their colleagues, by using email headers and addresses to extort money. Statistics from cyber security firm Symantec show more than half of spear phishing attacks last December were against SMEs.
Malware attacks are just as damaging. You might click a link or unknowingly download malicious software (abbreviated to ‘malware’) designed to infiltrate your computer and steal sensitive information, extort money, or send unwanted advertising (adware).
Let’s look at a somewhat ironic, real-world example of a cybercrime event which recently impacted one of our customers. The business, a fishing tackle retailer, was caught out by a spear phishing attack just months after taking out a cyber insurance policy with NIG.
At the time, the company was shopping around for new office space. The account manager received an email from the managing director, asking him to pay £15,000 to a new account – presumably to secure a space. No eyebrows were raised, and the payment was made, however, the email hadn’t come from the managing director. It was sent by a cyber criminal using a spoof address.
The company quickly alerted the relevant people within NIG. As part of their policy we sent forensic experts to check the fraud came from outside the business, not from an employee, and had the client’s bank put a stop on the account. Their fast action meant only £3,276 was stolen; in part because fraudsters often drip-feed withdrawals in order to avoid detection. The claim was quickly settled, and the retailer could get back to focusing on fishing – and not phishing.
Without cyber insurance, the fishing tackle retailer would have had a different, and far more devastating, experience. After all, the average cost of a cyber breach to small and medium sized businesses is usually between £75,000 and £310,800.
It’s not just stolen funds that business owners have to worry about. There’s also the cost of loss of data and damage to IT systems and networks as well as replacing any stolen or infected devices. There’s the cost of notifying your customers, and in some cases paying compensation, as well as re-building brand confidence through public relations advice and campaigns.
There’s also investigation and legal costs, money spent responding to regulatory bodies and penalties from banks for losing customer credit card data. On top of all this there is the issue of damaged reputation and lost profit while your system is down. It’s a lot to lose and can often destroy SMEs who don’t have adequate cover in place.
That’s the true value of cyber insurance. It covers you against serious damage, loss of data, and the costs associated with a cyber-attack whilst helping you get back up and running sooner. A policy is imperative if your business holds sensitive customer information like names and addresses or bank information, or if you process payments, or do much of your business online. It should also be recognised that your standard business insurance policy probably won’t cover you for cyber-attacks.
It’s clear cyber insurance can minimise the damage caused by a cyber-attack, however, the best policy is to have robust prevention mechanisms in place. This means keeping your IT software and systems up-to-date, training your staff on safe online practices, and implementing formal policies to reduce your risk. Putting in place measures such as these, combined with comprehensive cyber coverage, will help keep your business safe from cybercrime.
As with all insurance, it’s important to choose your cyber insurance policy carefully. Check that it includes:
If you have any questions or queries regarding your existing policy or to discuss adding a cyber policy to your business give our experts at amb insurance a call on 01782 740044 or email firstname.lastname@example.org
amb Insurance Services Ltd
2 Woodland Avenue
T: +44 (0) 1782 740044
Registered in England. No.4923995.
Registered office Hillcrest House
Authorised and regulated by the Financial Conduct Authority (FCA) under firm reference number 303326.
In the event of any complaint you are entitled to refer your complaint to the Financial Ombudsman Service at:
Financial Ombudsman Service
Harbour Exchange Square
Tel: 0207 964 1000
The Financial Ombudsman Service will only be able to consider your complaint after we have had the opportunity to consider and resolve this.
If you bought your policy online then and if you are unhappy with the product or the service you received, you can also use the European Commission’s Online Dispute Resolution service to make a complaint. The purpose of this platform is to identify a suitable Alternative Dispute Resolution (ADR) provider and we expect that this will be the Financial Ombudsman Service.
Website by Exesios BDD