Cyber-attacks are not just a concern for Big Business
It may seem like only large companies such as airlines or international providers are going to be targeted. That is simply, and unfortunately, untrue. Big Businesses have an enormous amount of security in place to prevent most attacks directed at them – they are harder targets while small businesses can be easy pickings.
April Canada, an insurance company providing cyber coverage, found that 85% of data breach incidents happened to small businesses. These businesses do not have the same resources to protect themselves – whether to gain access to the funds (or cryptocurrency like Bitcoin) to pay a ransom, to react swiftly in notifying and reassuring their customers, or to implement the necessary changes to prevent another attack.
Added to this is the risk caused by more and more employees working from home on unsecured networks or devices, which may give malicious entities easier access.
April Canada also estimated that the average cost of a ransomware attack to a small business was $713,000, including loss of income due to business interruption and reputational damage. The largest loss I have seen personally to date is for a $30,000 ransom to unencrypt an AMO’s data and allow them to operate again.
Types of Cyber Attacks and Motivations
There are so many types of attacks that can be made digitally. In the same cyber training session mentioned above, the expert presenter also pointed out that if something is online, someone out there is going to try to hack it, and there is no end to the potential damages. There were even people looking into how to hack thermostats to ransom heat in the winter!
While most data breaches end the same way – a breach of your company or personal information resulting in monetary, reputational, and/or physical damage – some of the biggest and most common methods of attack are as follows.
1. Phishing. This can be broken down into many different subcategories, but the result is the same: tricking someone into believing a fraudulent communication and revealing confidential information.
(Example. A fake delivery email from a supplier getting you to log into a spoofed site and giving away your password and access to your account.)
2. Malware. Short for Malicious Software, this is a file or code that gains access to your system and allows a threat actor to access your data and systems. This can lead to “code exploits”, which use a flaw in security to allow an intruder remote access to your network.
(Example. A malware file gets into a network, allowing someone to steal and sell your data.)
3. Social engineering. This can actually be a non-technical strategy in which an attacker interacts with people and often succeeds in tricking them into violating a company’s security practices.
(Example. An email directed at you from your “boss” directing you to send a payment to a “new client” who is really the threat actor.)
4. Human error. Unintentional action by a person that allows any of the above breaches to occur.
(Example. Clicking a suspicious email attachment which downloads malware into your network.)
Apart from the financial aspect, there are other reasons why someone might want to commit a cyber-attack. Sometimes it is considered ‘Hacktivism’, where the person feels a sense of justice in exposing something they deem corrupt. There has also been a rise in state-sponsored hacking by foreign powers, where they are targeting large companies to finance their government or gain access to a rival nation’s information.
Of course, there are criminal organizations expanding into cybercrime.
There is an additional risk from dissatisfied employees looking to get back at their bosses, who may provide company passwords or straight access to their company’s data. I once worked with someone who revealed that they had left a program in their former employer’s system to delete their data 5 years after she left their employ.
Cyber Insurance Coverages
Cyber Insurance is still relatively new, which allows for a broad range of wordings and arrangements of coverage. Most policies' coverage can, however, be broken down into 2 main categories.
1. First Party Coverages. These are costs directly related to your business and getting it operational again. They include Business Interruption (gross earnings from when you were unable to operate), reputational damage, extortion expenses and payments, and regulatory and payment card industry fines and penalties.
2. Third Party Coverages. These coverages are for costs you are legally required to pay for damages to anyone else affected by an attack made against you, including multimedia (infringement of offline/online media agreements) and security and privacy breach liability (data breaches).
There are also additional coverages included in most policies for costs related to forensic and mitigation expenses, reporting, notification to customers, credit monitoring, additional defense, digital asset losses and reconstruction and more.
A few of the more specialized insurers include even more additional coverages for Cyber Crimes (which may otherwise be excluded under a standard property policy) for funds transfer fraud, theft of funds, and corporate identity theft.
Cyber policies come in a large variety of limits, ranging from as low as $25,000 to $5,000,000 and higher so they are designed to fit every type of operation.
Additional Benefits of Cyber Insurance
Cyber Insurance is not just about the coverage for when things go wrong. Cyber Insurance is also about risk management to reduce your chances of being the victim of an attack.
Nearly all cyber insurance policies come with access to insurer-provided risk management resources or access to services like CyberScout. These services include access to online tools, videos, and training to help your employees know how to recognize suspicious emails and respond to a cyber incident.
Some insurers even provide monitoring of the Dark Web to ensure your data is not compromised and provide alerts of the same.
Cyber insurance is also different from most other types of coverage because of the urgency and specialized nature of claims. To allow a quick reaction, claims are reported directly to the insurance company, which staffs experts in the cyber field (not insurance) who are multilingual and available 24/7. They know how to lock down your systems, gain access to cryptocurrency to pay ransoms, negotiate terms, and even start remediation with your clients if their information was compromised.
As cyber threats become increasingly frequent and severe, it is important to remember nothing is 100% safe, and no matter how much we prepare, we can still be vulnerable. That is why we have insurance: it will be there before, during and after an attack.
Sandy Odebunmi has been an aviation insurance broker for over 30 years during which time she has specialized in General Aviation and creating affordable solutions for her clients and aviation associations across Canada. She is now the Vice President of Aviation at Sound Insurance Services in Toronto. 416-642-6360 sandyo@soundinsurance.ca