Phishing. Malware. Hacking.
Unless you’ve been living in a cave, it’s likely you’ve seen words very much like these in various places recently. From an SME’s point of view, what’s worrying is they’re often mentioned alongside big-name companies and their latest IT-related tale of woe.
Despite these companies presumably throwing lots of money at cyber security, ‘the bigger they are, the harder they fall’ still holds true. No one’s safe, apparently.
If you’re thinking you’ll be OK because you’re too small to bother with, think again. Sure, you might not keep the sheer volume of data that cyber crims like to get their hands on, but everything is worth something on the dark web. Besides which, hijacking your systems and holding your business to ransom instead is always a profitable option for the unscrupulous. Every silver lining has a cloud.
So what can you do? If the big boys can’t plug the holes in the digital dam, what hope have you got?
The (virtual) reality is, unfortunately, you can only do so much. Prevention is always better than cure, of course, but sometimes you need to accept the odds maybe aren’t in your favour and put your efforts into a solid contingency plan instead.
So where do you start?
Because cybercrime is a hot topic, there’s a flourishing industry for those looking for protection. If you can afford it, it’s certainly worth finding an IT security expert to poke around in your servers looking for holes. If you can’t stretch to that, the government’s packed its Cyber Aware website with priceless info and resources, and it’s a great place to start educating yourself.
The next step is thinking about the worst-case scenario and how to deal with it. What, exactly, will happen if your business is the next victim of cybercrime? Will things keep ticking over? How much will an attack cost to fix? Will there be consequences for your clients? Who do you go to for help?
If you answered most of these with a shrug, it’s time to take action.
Thankfully, you don’t need to be either an IT genius or a millionaire to get robust, reliable support.
One of the quickest, easiest and most sensible things you can do is get some cyber and data insurance: a good policy takes care of the cost, time and PR needed to recover from a cyber attack.
And getting it’s no longer the onerous task it used to be – you can buy good policies online quickly and cheaply from insurers and brokers alike.
But that doesn’t mean all policies are created equal. When it comes to insurance you get what you pay for and it’s worth taking the time to check your policy has what you need. If you’re not sure what that is, you’re looking at covering two basic areas:
1. Your direct financial losses
Hardware is expensive. Software is expensive. Websites are expensive. Fixing, restoring or replacing them because of hacker damage is expensive. Cyber insurance should, as a basic box-tick, cover these costs.
Part of dealing with an attack means investigating how it happened, telling customers and regulators there’s a problem, and getting legal advice so you know where you stand. All this takes time and money, and your policy should take care of both.
If an attack forces you offline for a fortnight, say, how will your business cope? Can it still trade? If it can’t, your insurance should cover your lost income in the time you’re running around fixing things.
Holding your website, network or sensitive customer data to ransom is a cyber criminal’s favourite. Amounts demanded can run into millions of pounds, but just a few thousand can scupper a small business. Decent cyber insurance will cover the ransom, and the really good ones pay for a specialist consultancy to manage the situation for you too.
Your reputation is hard-won and easily lost. Social media means bad news travels fast and damage limitation is essential to protect your good name. Any good cyber insurance covers the cost of getting a PR agency to make the right noises on your behalf.
2. Third party financial losses you’re liable for
If a security breach means your customers’ personal data is out in the open, you’re liable for it. And as you’re liable, your customers can sue you for failing to keep it secure. If that happens, any cyber insurance worth its salt pays a legal specialist to defend you, compensates your customers and pays the costs of a regulatory investigation.
Unfortunately, you can contribute to your own downfall by, for example, using an image on your website without the proper licence. Or inadvertently libelling a third party in a leaked email, say. Either way, your cover should protect your bank balance and your reputation by defending you and paying damages you’re liable for.
Levelling the playing field
Once you’ve decided to buy a policy, the next thing to consider is how much cover you need.
Ask an insurer or broker for an answer and, somewhat unhelpfully, you won’t get one. Not a definitive one, anyway. That’s because every business is different and what might be plenty for one might be nowhere near enough for another – even if they’re outwardly very similar.
If you want belt and braces, buy as much as you can afford. Sounds obvious, but you don’t need hindsight to tell you the difference between cheap and good value.
In any case, make your decision by thinking about:
How much your business relies on the internet, email and other systems
How much sensitive or personal customer data you store electronically
How big your business is (turnover, employees, clients)
It’s no exaggeration to say the right cover could save your business. Something to think about next time you see the word ‘cybercrime’ on the news.
This article was provided by Sarah Adams, cyber risk specialist at PolicyBee.