When it comes to the security of your business, the risk of potential cyber-attacks is a huge consideration. And with malicious Russian cyber-ware attacks appearing in increasing numbers, it's now more important than ever to make sure you're doing everything you can to protect your business from cyber security risks.
This article covers the fundamentals of cyber security, the most common types of cyber-attacks (including malvertising and social engineering), and the active, practical steps you can take to protect your business.
Cyber-attacks are "the use of a computer to gain unauthorised access to data in a system." An individual may initiate them, or they may be part of a more significant effort involving multiple parties.
Unfortunately, for any business, the risk of being targeted by a cyber-attack is high. And even if the target doesn't lose essential company data, there's often a considerable cost of mitigating the damage from the attack. In one famous example, after a cyber-attack in 2016, Yahoo had to pay $50 million to its shareholders and another $50 million for legal costs and activities.
To find out more about our cover to protect against the risk of cyber-attacks, watch our video with cyber security expert Dave Williams below.
The risks and liabilities of cyber-attacks mean that businesses need to take their security seriously. Every business can put some simple steps in place, and we’ll cover these below.
To keep your systems up to date and protected, you need to ensure that your system patching is correct. Errors in patching can lead directly to vulnerabilities in your system, which can considerably impact security and compliance.
You can be prepared for a cyber-attack by ensuring your anti-virus software is updated and running correctly. Your anti-virus should update automatically, but if updates have to be installed manually, make sure that they have been done.
Users create the most common vulnerabilities through their actions on the computer and internet connections. Make sure staff have appropriate access only to areas and functions they need to perform their job role, and restrict access appropriately for contractors/temporary staff/guests as required.
The first step in safeguarding your data is to make sure you're doing regular backups. This way, if there is a cyber-attack on your business, you'll have an up-to-date backup that can be used to restore the data. Backups should never be stored in the same location as the primary data.
Your backups should also be secure. It's also vital to make sure that you have documented procedures for restoring in the event of a full-scale IT failure.
Cyber security is a significant concern for any business with an online presence. But, unfortunately, it's not enough to have strong passwords and anti-virus software, as cyber criminals are becoming increasingly sophisticated in their methods. From malvertising to social engineering, the risks of weak cyber security can have huge impacts on your business. It’s important to keep your staff trained and up to date on current risks, and this is also likely to be a requirement of any insurance policy.
Find out more about how businesses can protect themselves from cyber-attacks in our video below.
There are three parts to a cyber liability policy.
Firstly, there are the cyber and data-type losses, which include protecting you against ransomware-type attacks. Even though this sounds like it should be a cyber-type insurance policy, it's actually much wider than that. These can include theft of data, but also non-cyber-related data losses, or GDPR-type breaches which can lead to interest from the ICO (for example, a laptop theft or leaving documents in a car).
There is then the cyber-crime extension. This covers your business for theft of money from your company bank account, or potentially telephone-type fraud where criminals extract security information from you that allows them to access your bank accounts.
Finally, the cyber social engineering extension covers your business against the CEO-type email at 4 o'clock on a Friday afternoon which asks you to urgently transfer some money to a specific bank account.
This article covers some of the critical cyber security threats to business and identifies vital steps businesses, employers, and employees can take to reduce the risk.
Malvertising is a relatively new cyber-attack technique; the term comes from a combination of "malware" and "advertising". Cyber criminals embed malware into the ads of well-known, trusted online publications.
When an unsuspecting internet user loads the web page or clicks on the ad, they load the malware onto their device.
Malvertising can also be carried out by drive-by downloads. This means that if you visit a site that has malicious code inserted into its ads, malware may be downloaded to your device without you even clicking an ad.
Unlike other forms of cyber-attack, the victim does not have to click on the malicious ad for the attack to succeed. Once the ad is loaded, the malware is executed, and the infection process begins. Malvertising uses vulnerabilities in browsers like Internet Explorer and Google Chrome or software like Adobe Flash to load malware onto the computer or device.
This type of cyber-attack has become more common in recent years because it’s much harder for anti-virus software and firewalls to detect these types of attacks.
There are a number of steps employers and business owners can take to actively prevent malvertising attacks. These steps include:
Social engineering is a type of cyber-attack which uses human error to access sensitive information rather than software vulnerabilities. Social engineering attacks take advantage of people's mistakes or weaknesses to access secure systems. These attacks aim to steal confidential information, such as passwords and credit card numbers, or to install malware on a computer.
Social engineering attacks generally involve tricking someone into believing they're communicating with someone they trust (e.g., their boss or trusted business) and asking them to perform some action.
The most common types of social engineering attacks include:
A phishing email pretends to be from an organisation you trust, like your bank or employer. The email will include a link to a fake website that resembles the real one and may ask you for your password or other personal information. If you provide this information, the attacker will access your account.
In this type of cyber-attack, the attacker creates a false scenario and asks for sensitive information to solve a problem. For example, a criminal could send an email pretending to be from your internet service provider and tell you that there has been suspicious activity on your account. To verify that you are the account holder, they ask you to provide your password or credit card number. This type of attack relies on urgency and fear.
A quid pro quo cyber security attack is a type of cyber-attack in which an attacker tries to obtain sensitive information from a victim by offering them something of value.
The attack usually comes in an email that appears to be from someone the victim knows or a service they use.
Implementing effective cybersecurity measures is particularly challenging because there are more devices than people, and attackers are becoming more innovative. But there are several steps businesses can take to reduce the risks posed by social engineering attacks.
These include:
Password security is an essential step in your company's cyber security. Here are some tips to boost your password practices.
The risk of a cyber-attack is a key concern for any business, especially against the backdrop of increasing malicious Russian-based attacks. There are many practical steps a business can take to reduce its risk, including regular staff training, a positive security culture and awareness of social engineering and malvertising. An independent insurance broker will be able to advise on suitable cover to protect against cyber-attacks and liability, specifically tailored to your business.
Contact us today to discuss your cyber liability insurance requirements.