Don’t think it is just the Yahoos and TalkTalks of this world that get hit with cyber attacks. More and more small businesses are being targeted as easy prey, and the consequences can be devastating. Here are a few examples we have come across. They involve big companies, but the same scenarios happen everywhere:
Service Company – Breach of personal information
The insured’s business covers 70 countries worldwide and holds approximately 286,000 individual data records. The insured was advised by an external security firm of a breach of its systems; forensic support and monitoring services were put in place. A further breach occurred five weeks later, initiated by the same perpetrator, and it became apparent that the insured’s systems had been under persistent attack since the original breach was detected. The hacker exploited a weakness in the insured’s legacy web-facing systems and used this as a stepping stone into the internal network. As a result of the breach the hacker was able to extract some personal data. The perpetrator was known to be part of a highly skilled team of hackers who target specific data, and has since been arrested by the FBI.
Forensic investigation and repair of the insured’s systems were undertaken by KPMG. All data subjects were notified of the breach and offered credit monitoring and ID theft insurance. The insured also obtained PR advice on reputation management.
All affected data is now held on clean servers with updated and enhanced security.
Total payout US$906,000.
Retailer – Cyber extortion
The insured has a trading entity with an online presence. The company received a demand from an individual or organisation for payment of a set sum, failing which they would crash the website. The payment was not made and the attacker launched a denial of service attack. The website crashed multiple times, and during one attack the insured lost revenue of £250,000.
CMS, KPMG and NYA (extortion specialists) were appointed. These parties worked together to advise on whether or not the extortion payment should be made, to assist the police, and to advise the insured on any steps it could take to prevent further attacks.
Non-physical business interruption
A supermarket chain suffered a system failure due to faulty hardware, leading to the corruption of data. The point-of-sale (POS) system failed, as did the automatic stock re-ordering system. Staff dealt with the POS failure by reverting to manual processes. Once systems were restored, the supermarket had to perform a full stock-take in order to establish what had been sold, what had been re-ordered and what still needed to be replenished.
Initially, the policy paid the costs of discovering the source of the defect and restoring the data and software to their original state. Cover was also provided for loss of income during the network downtime, but by far the largest part of the claim was for the Increased Cost of Working (ICOW) to bring in additional staff to undertake the full inventory and stock-take.
How are businesses exposed?
- Online sales
- Internal network downtime – not simply a case of logging in remotely
- Using a data centre doesn’t remove risk
- People are still the highest risk – social engineering and staff errors. 7 out of 10 people arrested for cyber crime were employees
- Telephone networks – phone hacking
- Is the business the weakest link into another network – 75 % of reported breaches traced to a trusted connection
- Data protection – encryption is just part of the answer
- Business interruption losses are often larger than the cost of a data breach – 2/3 of DDoS attacks lasted over 6 hours, with 12 % lasting from 1 day to over a week
If you don’t want to insure against these risks and the losses they cause, then now is a good time to test the robustness of your systems and carry the risk yourself. If you hold client data this is even more important. The UK adopts new data protection regulations (the General Data Protection Regulation, GDPR) in May 2018, which will bring a huge increase in the fines handed out should you lose that data or allow anyone to steal it.