Cyber Threats are Evolving, You Need to Evolve with Them

As businesses and industries embrace digitalisation to drive operational efficiencies and meet customer expectations, new opportunities for cyber attacks open up. Consequently, there’s a growing need for businesses to ensure they’re protected against such threats.

Cyber attacks can happen to businesses of any size, and most attacks are untargeted – meaning all businesses are at risk. But despite this, 38% of SMEs don’t think it would happen to them.*

Here are a few key things you need to consider:

  1. Everything rests on the response.
    A rapid response to an incident or breach is vital. Recovery requires co-ordinated expert support to reduce the impact, so it’s important to ensure that your protection delivers immediate support to minimise any damage and get your business back on track. This should include:

    • A dedicated incident manager to co-ordinate activity and bring in the right experts when necessary
    • Specialist IT forensics and consultants to identify the type of attack, the extent of the damage and whether data has been compromised
    • Reputational experts to help minimise any negative impact on your brand, customers or suppliers across press and social media
    • Support with recovery activities, including access to free counselling services for any staff affected by a cyber event or online incident.
  2. All businesses are at risk.
    Most criminal activity isn’t targeted at a particular business or industry. Instead, sophisticated tools are used to search the internet for system vulnerabilities. This means any business, large or small, can be targeted – with 32% of UK businesses suffering a cyber incident in the last 12 months.*
  3. People make mistakes.
    If you and your employees aren’t aware of the risks of phishing or social engineering, you’re more likely to fall for such attempts and your people could end up being the weakest link in your cyber security. Effective training can help safeguard against this.
  4. Operations and reputations need protecting.
    Many businesses are heavily reliant on technology to carry out day-to-day business operations. Not being able to access vital IT systems due to a cyber attack or data breach could result in significant business interruption and reputational impact.

What can you do to protect your business?

The good news is that we can provide you with the right protection for your business now and in the future. We’re all facing a fast-changing, ever-evolving threat landscape – but whatever your size and sector, we can find you cyber insurance that fits your needs and specific exposures in a way that’s affordable and easy to understand.

Things You Need to Do

This is a summary of the actions you must take in relation to our Cyber Insurance cover to make sure you are protected and that your policy cover operates fully.

Access & Passwords

Access to Your Computer Equipment is authenticated by the use of individual identification and passwords. Any default or manufacturers’ passwords or access codes must be changed and kept secure.

Data Backup

You must maintain adequate backup copies by backing up all data no less frequently than every 7 days. The integrity of any data backup must be validated using operating system routines or checks.

Backups must be stored securely and separately from the original data or programs by:

  1. holding a copy offline, such as backup tape or disconnected service such as a USB device or external hard drive; or
  2. using a specific cloud service that is separate from your main network; or
  3. replicating to another of your networks that is separated and disconnected from your main network

Data Disposal

All Personal Data and other sensitive business Data must only be disposed of in a secure manner by:

  1. shredding any paper copies
  2. ensuring any Computer Equipment has all Data erased before disposal

Software Updates

You must install any updates for firmware, operating systems, software and programs within 14 days of an update being released by the manufacturer or provider where:

  1. the update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’; or
  2. the update addresses vulnerabilities with a Common Vulnerability Scoring System (CVSS) v3 score of 7 or above.

Firewall Protection

You must ensure that Computer Equipment that is connected to the internet or any other external network is protected against unauthorised access by an active firewall.

Virus Protection

You must install anti-virus software and ensure that it is updated at least once a month, if it is not updated automatically, and that it is in full and effective operation at the time of a loss.

External Cyber Crime, Payment Controls

You must

  1. ensure that Partners, directors and Employees are trained in the dangers of Social Engineering Fraud, and keep a record of such training
  2. have a documented policy, which states that details of any new payee requests or amended payment instructions are always checked verbally, using details held on file or on a published website, and that checks do not rely solely on the new instruction.

This policy must be accepted by all Partners, directors and Employees, with such acceptance recorded.

Extortion Cover, Extortion Demand

You must

  1. on receiving a Cyber Extortion demand, immediately notify and comply with the requirements of our Claims Service Provider (telephone 0800 051 4473)
  2. immediately notify Action Fraud of the Cyber Extortion
  3. take all reasonable steps to effectively mitigate the Cyber Extortion loss
  4. not disclose the existence of the Cyber Extortion Cover save for any disclosure required under applicable law to relevant law enforcement authorities.

If you’re looking for cyber insurance cover but are not sure where to start, get in contact with Commercial Insurance today on 01737 373 222.

*Source: SME Pulse survey conducted by YouGov, on behalf of Aviva, in which 512 British SMEs were questioned. Fieldwork took place between 5-12 October 2022. All percentages are rounded to the nearest whole number.
