When it comes to the security of your business, the risk of potential cyber-attacks is a huge consideration. And with malicious Russian cyber-attacks appearing in increasing numbers, it's now more important than ever to make sure you're doing everything you can to protect your business from cyber security risks.
This article covers the fundamentals of cyber security, the most common types of cyber-attacks (including malvertising and social engineering), and the active, practical steps you can take to protect your business.
What are cyber-attacks?
Cyber-attacks are "the use of a computer to gain unauthorised access to data in a system." An individual may initiate them, or they may be part of a more significant effort involving multiple parties.
Unfortunately, for any business, the risk of being targeted by a cyber-attack is high. And even if the target doesn't lose essential company data, there's often a considerable cost of mitigating the damage from the attack. In one famous example, after a cyber-attack in 2016, Yahoo had to pay $50 million to its shareholders and another $50 million for legal costs and activities.
To find out more about our cover to protect against the risk of cyber-attacks, watch our video with cyber security expert Dave Williams below.
How can you boost cyber security for your business?
The risks and liabilities of cyber-attacks mean that businesses need to take their security seriously. Every business can put some simple steps in place, and we’ll cover these below.
- Check your system patching
To keep your systems up to date and protected, you need to ensure that your system patching is correct. Errors in patching can lead directly to vulnerabilities in your system, which can considerably impact security and compliance.
- Check your defences by making sure your anti-virus is up to date
You can be prepared for a cyber-attack by ensuring your anti-virus software is updated and running correctly. Your anti-virus should automatically update, but if you need to install it manually, make sure that any updates have been done.
- Boost your access management
The most common vulnerabilities are created by users themselves, through their actions on company computers and internet connections. Make sure staff have access only to the areas and functions they need to perform their job role, and restrict access appropriately for contractors, temporary staff and guests as required.
- Review your data backups to make sure they're secure
The first step in safeguarding your data is to make sure you're doing regular backups. This way, if there is a cyber-attack on your business, you'll have an up-to-date backup that can be used to restore the data. Backups should never be stored in the same location as the primary data.
Your backups should also be secure, and it's vital to make sure that you have documented procedures for restoring them in the event of a full-scale IT failure.
- Educate staff on the types and dangers of attacks such as malvertising and social engineering
Cyber security is a significant concern for any business with an online presence. But, unfortunately, it's not enough to have strong passwords and anti-virus software, as cyber criminals are becoming increasingly sophisticated in their methods. From malvertising to social engineering, the risks of weak cyber security can have huge impacts on your business. It’s important to keep your staff trained and up to date on current risks, and this is also likely to be a requirement of any insurance policy.
Find out more about how businesses can protect themselves from cyber-attacks in our video below.
What type of risk is cyber security insurance designed to protect business owners from?
There are three parts to a cyber liability policy.
Firstly, there are the cyber and data type losses, which include protecting you against ransomware-type attacks. Even though this sounds like it should be a cyber-type insurance policy, it's actually much wider than that. These can include theft of data, but also non-cyber related data losses, or GDPR-type breaches which can lead to interest from the ICO (for example, a laptop theft or leaving documents in a car).
There is then the cyber-crime extension. This covers your business for theft of money from your company bank account, or potentially telephone-type fraud where criminals extract security information from you that allows them to access your bank accounts.
Finally, the cyber social engineering extension covers your business against the CEO-type email at 4 o'clock on a Friday afternoon which asks you to urgently transfer some money to a specific bank account.
Malvertising and social engineering: What are the risks to businesses?
This article covers some of the critical cyber security threats to business and identifies vital steps businesses, employers, and employees can take to reduce the risk.
Malvertising
Malvertising is a relatively new cyber-attack technique, and the term comes from a combination of "malware" and "advertising". Cyber criminals embed malware into the ads of well-known, trusted online publications.
How does malvertising work?
When an unsuspecting internet user loads the web page or clicks on the ad, they load the malware onto their device.
Malvertising can also be carried out by drive-by downloads. This means that if you visit a site that has malicious code inserted into its ads, malware may be downloaded to your device without you even clicking an ad.
Unlike other forms of cyber-attack, the victim does not have to click on the malicious ad for the attack to succeed. Once the ad is loaded, the malware is executed, and the infection process begins. Malvertising uses vulnerabilities in browsers like Internet Explorer and Google Chrome or software like Adobe Flash to load malware onto the computer or device.
This type of cyber-attack has become more common in recent years because it’s much harder for anti-virus software and firewalls to detect these types of attacks.
How can business owners prevent malvertising attacks?
There are a number of steps employers and business owners can take to actively prevent malvertising attacks. These steps include:
- Reviewing your ad networks
- Running regular malware scans
- Keeping software up to date with anti-virus programs and ad blockers
- Paying for effective anti-virus protection
- Installing an ad blocker
Social engineering
Social engineering is a type of cyber-attack which uses human error to access sensitive information rather than software vulnerabilities. Social engineering attacks take advantage of people's mistakes or weaknesses to access secure systems. These attacks aim to steal confidential information, such as passwords and credit card numbers, or to install malware on a computer.
Social engineering attacks generally involve tricking someone into believing they're communicating with someone they trust (e.g., their boss or trusted business) and asking them to perform some action.
The most common types of social engineering attacks include:
Phishing
A phishing email pretends to be from an organisation you trust, like your bank or employer. The email will include a link to a fake website that resembles the real one and may ask you for your password or other personal information. If you provide this information, the attacker will access your account.
Pretexting
In this type of cyber-attack, the attacker creates a false scenario and asks for sensitive information to solve a problem. For example, a criminal could send an email pretending to be from your internet service provider and tell you that there has been suspicious activity on your account. To verify that you are the account holder, they ask you to provide your password or credit card number. This type of attack relies on urgency and fear.
Quid pro quo
A quid pro quo cyber security attack is a type of cyber-attack in which an attacker tries to obtain sensitive information from a victim by offering them something of value.
The attack usually comes in an email that appears to be from someone the victim knows or a service they use.
How can businesses reduce the risk of social engineering?
Implementing effective cybersecurity measures is particularly challenging because there are more devices than people, and attackers are becoming more innovative. But there are several steps businesses can take to reduce the risks posed by social engineering attacks.
These include:
- Training staff to be aware of the risks and on how internet scammers work
- Encouraging a positive security culture
- Using cyber security measures such as two-factor authentication for critical accounts like banking logins
- Encouraging employees to be suspicious and to check the authenticity of any links
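The last point above, checking the authenticity of links, can be partly automated. The following is an added example (not code from the original article or from the insurer it describes) that extracts the links from an email body and flags the warning signs a phishing page relies on: a host that is not on the company's trusted list, a plain `http` link, and visible link text that shows one domain while the underlying address points to another. The trusted-domain list, the sample email and the `.test` domain are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the domains this business expects links to point at.
TRUSTED_DOMAINS = {"example-bank.com", "example-corp.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (simplified; real code would use the
    public suffix list so that e.g. example.co.uk is handled correctly)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href, text):
    """Return a list of human-readable reasons to distrust this link (empty = fine)."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    reasons = []
    if parsed.scheme != "https":
        reasons.append(f"scheme is {parsed.scheme or 'missing'}, not https")
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        reasons.append(f"host {host!r} is not on the trusted list")
    # Visible text that looks like a URL but points somewhere else is the
    # classic "fake website that resembles the real one" sign.
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"link text shows {shown.group(1)!r} but points to {host!r}")
    return reasons


def audit_email(html_body):
    """Return [(href, visible_text, reasons), ...] for every link in the body."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample email: one genuine link and one lookalike.
SAMPLE_EMAIL = """
<p>Your account needs verification.</p>
<a href="https://example-bank.com/login">Log in</a>
<a href="http://example-bank.com.verify-now.test/login">https://example-bank.com/login</a>
"""

if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_EMAIL):
        status = "OK" if not reasons else "SUSPICIOUS: " + "; ".join(reasons)
        print(f"{text!r} -> {href}\n    {status}")
```

The second link in the sample is reported for three separate reasons, which is the point of checking several signals rather than one: a lookalike domain that also uses `https` would still be caught by the trusted-list and mismatched-text checks.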
Password security
Password security is an essential step in your company's cyber security. Here are some tips to boost your password practices.
- It's essential that all employees choose strong passwords and keep them confidential. A strong password has at least eight characters, including one uppercase letter, one lowercase letter, one number, and one symbol.
- Passwords should not be reused. A password manager tool can help with this.
- Passwords should never be shared or written down. This is a major security risk for everyone in the company.
- Implementing failed-login monitoring and account lockout measures can also be a valuable tool to boost your cyber security.
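Failed-login monitoring and account lockout, the last point above, can be demonstrated on a few log lines. The following is an added example (not code from the original article): it parses a constructed authentication log format, keeps a sliding window of failures per account, locks the account once the threshold is hit, and raises an alert for any attempt against a locked account. The log format, the thresholds (5 failures in 15 minutes, 30-minute lockout) and the sample lines are all constructed for the example and should be tuned to the real environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed policy values; tune to your environment.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=15)
LOCKOUT = timedelta(minutes=30)

# Constructed log format: "<ISO timestamp> LOGIN_OK|LOGIN_FAILED user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return (timestamp, event, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return parse_ts(m["ts"]), m["event"], m["user"], m["src"]


class LockoutMonitor:
    def __init__(self):
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time the lockout expires
        self.alerts = []                    # human-readable alert lines

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def is_locked_at(self, user, iso_ts):
        return self.is_locked(user, parse_ts(iso_ts))

    def process(self, line):
        rec = parse_line(line)
        if rec is None:
            return  # ignore unparseable lines rather than crash the monitor
        ts, event, user, src = rec
        if self.is_locked(user, ts):
            # Even a correct password is rejected while locked; record the attempt.
            self.alerts.append(f"{ts.isoformat()} attempt on locked account {user} from {src}")
            return
        recent = self.failures[user]
        if event == "LOGIN_OK":
            recent.clear()  # a successful login resets the failure window
            return
        recent.append(ts)
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()  # drop failures that fell out of the sliding window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = ts + LOCKOUT
            recent.clear()
            self.alerts.append(
                f"{ts.isoformat()} locked {user} after {MAX_FAILURES} failures, last from {src}"
            )


def run_monitor(log_text):
    monitor = LockoutMonitor()
    for line in log_text.splitlines():
        monitor.process(line)
    return monitor


# Constructed sample log: five failures on alice, a login during lockout, one after it.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z LOGIN_FAILED user=alice src=198.51.100.7
2024-05-01T09:00:09Z LOGIN_FAILED user=alice src=198.51.100.7
2024-05-01T09:00:15Z LOGIN_OK user=bob src=192.0.2.10
2024-05-01T09:00:20Z LOGIN_FAILED user=alice src=198.51.100.7
2024-05-01T09:00:31Z LOGIN_FAILED user=alice src=198.51.100.7
2024-05-01T09:00:44Z LOGIN_FAILED user=alice src=198.51.100.7
2024-05-01T09:01:02Z LOGIN_OK user=alice src=198.51.100.7
2024-05-01T09:40:00Z LOGIN_OK user=alice src=203.0.113.9
not a log line
"""

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_LOG).alerts:
        print(alert)
```

Two alerts come out of the sample: the lockout itself, and the login attempt made while the account was still locked. Alerts of the second kind are worth routing to whoever reviews security events, since a legitimate user usually knows why they are locked out and an attacker does not.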
Conclusion
The risk of a cyber-attack is a key concern for any business, especially against the backdrop of increasing malicious Russian-based attacks. There are many practical steps a business can take to reduce its risk, including regular staff training, a positive security culture and awareness of social engineering and malvertising. An independent insurance broker will be able to advise on suitable cover to protect against cyber-attacks and liability, specifically tailored to your business.
Contact us today to discuss your cyber liability insurance requirements.