
GUEST COLUMN:
Emma Francis
Financial Risks Officer
Thomas Carroll Group

You’d have to have been living under a rock during the past six months to not have heard about the cyber attacks that brought retail giants Marks & Spencer, Co-op and Harrods to their knees.
Marks & Spencer was significantly affected after a hack in April. All online orders and purchases were halted and shelves were left empty as the retailer scrambled to fix the problems.
Customer data was also caught up in the breach. This meant the retailer had to break this awkward news to its customers. It wasn’t until July that M&S’s website finally felt back to normal.
Hackers are also said to have launched an attack on Co-op and Harrods, which had a knock-on effect on supplies and orders.
So, if household names like these can be seriously compromised by cyber-attacks, imagine the carnage an attack could wreak on a small to medium-sized business.
Cybercrime is on the increase. In fact, it is estimated that UK businesses have experienced nearly 9 million incidents of cybercrime in the past 12 months, and ransomware (where hackers ask you to pay a ransom) is also on the up.
Some attacks are easy to recognise, like a suspicious email, but others are far more sophisticated. Cybercriminals may research employees and target them directly, a tactic known as phishing. Ransomware is another threat, installing malicious software that locks you out of your own systems until a ransom is paid. Beyond the potential financial and productivity losses, the disruption and reputational damage can be huge.
As a business, you must inform the Information Commissioner's Office (ICO) of a data breach. You must also tell your clients that their data might have been leaked, which isn’t a good look.
This is why, no matter what the size of your business, we recommend getting advice from qualified cyber experts to ensure that you have all the proper checks and balances in place with your IT infrastructure to properly protect yourself and your business.
Cyber insurance is an important part of the cyber protection puzzle that many people overlook, yet it is an essential one. Most standard business insurance offers little to no cover for cyber-attacks unless specifically asked for by a company owner, and so getting standalone insurance that adequately covers your business risk is, I believe, vital.
Cyber insurance ordinarily offers an immediate incident response, which is essential to mitigate a breach. Would you know how to respond if you did suffer a hack? Outsourced IT providers aren’t necessarily experts in this field; they might know a bit, but not enough to help you out in a crisis.
Cyber insurance also offers liability cover, which helps if a third party sues you for a data breach (if they allege harm has been caused). It can cover IT forensic, legal and notification costs (notifying a person or business affected by a breach), as well as credit and IT monitoring, cyber business interruption, and extortion costs – if you have been affected by a ransomware attack.
Every cyber policy is a little different, so it really helps to chat with a broker about what your business needs. Think about things like how much sensitive data you store or how badly a system outage could slow you down. Laying that out up front makes it much easier to find a policy that actually fits your business.
Cyber insurance is an additional cost to your IT budget, but today, with statistics showing that cybercrime is on the up year on year, I believe businesses that rely on technology to run their businesses or hold customer data really do need this cover.
Businesses of all sizes can be affected by cyber-attacks, yet it’s only the bigger ones that hit the headlines – but no business is immune. In fact, a Northamptonshire logistics company, KNP, went under after a ransomware attack in 2023.
Here are my top tips to protect your business from a cyber attack:
- Put clear policies and procedures in place – understand what data you hold, where it is held and look at the controls/processes you have in place to protect it.
- Use multi-factor authentication for cloud services, all remote access, backups etc.
- Backup, backup and backup. Ensure your backups are segregated and tested – there is no point having backups if they don’t work.
- Employee awareness training – most breaches (around 95%-99%) are a result of human error – make sure employees are aware of the risks.
- Speak to a cyber security company to understand the risks and the measures that can be introduced to protect your business.
- Have a disaster recovery and incident response plan in place so you can mitigate a breach should the worst happen.
- Cyber insurance – if you are subject to a cyber-attack, then your insurance will help with dealing with the fallout.

















