The ever-escalating frequency and severity of cyber-attacks is becoming impossible to miss, with this year seeing mega breaches and record-breaking ransomware demands. These included attacks on the Colonial Pipeline Company, JBS US, and Ireland’s Health Service Executive, events each estimated to have cost tens of millions of dollars, with the final total possibly reaching even higher.
Such attacks reflect the increasing experience of highly organised criminal groups, which have attained levels of sophistication matching those of any large tech company or law enforcement agency. According to McAfee’s Hidden Cost of Cybercrime report, when the cumulative financial burden of cyber incidents is added to the investment made in security measures, the total cost of cybercrime worldwide was more than $1 trillion last year. This means cybercrime is currently costing over 1% of global GDP, a significant increase from McAfee’s 2018 estimate of approx. $600 billion.
Cybercrime is big business and some cybercrime organisations are seemingly run like multifaceted and sophisticated Fortune 500 companies, offering ransomware-as-a-service for a fee, and managing complex call centres to help their victims source the necessary cryptocurrency to pay their demands.
Inevitably, the biggest breaches of the largest companies are the ones that make the headlines, yet the ongoing onslaught of cyber-attacks is having a devastating impact on SMEs. The lack of reporting about smaller-scale cybercrime could possibly be a reason why so many don’t consider themselves to be of sufficient scale to be a target. This is an unfortunate and all-too-common misconception among many SMEs.
According to research by Cyber Security Magazine, 43% of all data breaches involve small and medium-sized businesses, with an astonishing 83% of SMEs not financially prepared to recover from a cyber-attack. When it comes to targeted attacks, SMEs are seen as low-hanging fruit with vulnerabilities that can be found relatively easily due to out-of-date software, minimal security protocols or just poor cyber hygiene. Attacks that are deployed indiscriminately often search out such weaknesses to exploit. In this respect, SMEs are doubly vulnerable, to both targeted and indiscriminate attacks.
Investing in IT security should therefore be a top priority for any SME business. As insurers we see the profound effect this can have; sometimes making the difference between a business being able to recover and continue following an attack or not. There are some highly recommended steps SMEs can take to greatly reduce the potential for a network intrusion or the impact of one:
Multi-Factor Authentication (MFA)
MFA is increasingly becoming cyber insurers’ required standard to ensure the security posture of a business is of insurable quality. MFA has been around for several years but, since remote working, it has been adopted much more widely. Its primary benefit is to provide additional security protection beyond single-factor log-in or complex/unique passwords. It does so by using time-based one-time passwords commonly delivered via SMS, a software authenticator, phone call, or physical security device. While complex passwords are a great tool, MFA makes penetrating networks and applications much more difficult.
Backing-up, Business Continuity testing and restoration
These are major considerations that can make all the difference following a cyber-attack. Backing up data, mission-critical systems and applications should be completed regularly, ideally at hourly, daily, weekly and monthly intervals. Backing up data is critical and, should data recovery be needed following a cyber-attack, experience shows this is most effective when backups are stored offline, unconnected to any network. While this is an essential step, businesses with greater cyber maturity also frequently test the integrity of these back-ups. This can include testing recovery-time objectives for critical applications, with a tried and tested plan in place for secondary workarounds to ensure business continuity and that operations endure in the event of an attack. Also essential is assigning designated tasks to specific team members, with their roles and responsibilities frequently tested as part of a robust cyber incident response plan.
Segment your networks
Following the implementation of MFA and strong back-up and recovery hygiene, exploring the benefits of network segmentation is also recommended. As the name suggests, network segmentation divides a network into smaller parts or network zones, which are separated by routers, VLANs or other devices. One operational benefit of network segmentation is that it can improve performance, with less network traffic congestion. In addition, segmentation can also significantly reduce the attack perimeter of a network by limiting access privileges, which helps protect against widespread attack should the network be breached. To draw an analogy, if MFA is the lock on a front door, with backup and recovery the bolts on the windows, network segmentation acts like deadlocks on each internal door to limit deeper incursion.
Applying email authentication protocols
Email fraud and scams, often in the form of phishing attacks, are big business and one of the most common entry points for cybercrime, social engineering attacks and sometimes crippling full-scale attacks against computer networks and critical systems. Email authentication protocols, e.g. Domain-based Message Authentication, Reporting & Conformance (DMARC), can provide additional comfort and security for an organisation by helping prevent unauthorised or fraudulent use of an organisation’s email domain and also track malicious email activity and traffic.
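Whether a published DMARC record actually delivers both halves of that benefit (blocking spoofed mail and reporting on it) can be checked mechanically. The following is an added example, not part of the original article: the tag names (v, p, sp, pct, rua) are those defined for DMARC in RFC 7489, while the finding codes, function names and sample records for example.com are constructed for illustration.

```python
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into an ordered tag -> value mapping."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:  # skip empty or malformed fragments
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def assess_dmarc(txt: str) -> list:
    """Return finding codes; an empty list means enforced policy with reporting."""
    tags = parse_dmarc(txt)
    # The version tag must come first and be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return ["not-dmarc"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING | {"none"}:
        findings.append("no-valid-policy")
    elif policy == "none":
        # Receivers only observe: spoofed mail is still delivered.
        findings.append("monitor-only")
    if policy in ENFORCING:
        # sp defaults to p; an explicit sp=none leaves subdomains spoofable.
        if tags.get("sp", policy).lower() == "none":
            findings.append("subdomains-unprotected")
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append("partial-enforcement")
    # Simplification: only checks that a mailto: report address is present.
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no-aggregate-reports")
    return findings

# Constructed sample records, as they would appear at _dmarc.example.com.
SAMPLES = [
    "v=DMARC1; p=none",
    "v=DMARC1; p=quarantine; sp=none; pct=25; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "v=spf1 -all",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(f"{record!r}: {assess_dmarc(record) or 'ok'}")
```
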
Endpoint detection software
Endpoint detection software is used to protect a business’s endpoints, i.e., desktops, laptops and mobile devices. Collected under one central management function, this allows multiple devices to be protected by the latest security software such as local firewalls and antivirus protection. This technology avoids the need to install software on individual devices, leaving less room for human error or time lags that can result in hardware being unprotected. While endpoint detection software features can vary, some systems include password managers, rollback recovery functionality and encryption software. Many endpoint detection software providers also offer a single place to store and update a company’s security policy across its network, as well as useful customisable filter options to protect IT architecture.
Robust Patching Policy
In order to protect networks and systems from malicious threats and attacks, it is critical to ensure an organisation has a robust patch management policy. Patches are software updates designed to improve, modify or repair a computer program or system. Security patches are particularly important as outdated software can be more susceptible to cyber-attacks. These patches are intended to fix security or software vulnerabilities, helping to make an organisation’s computer systems more secure. Good patching practice includes acting within 24 hours, which is especially important when protecting from zero-day attacks, which exploit unknown flaws in computer software.
Employee training
While perhaps the most obvious measure, security training can also be the least expensive and one of the most effective in identifying a cyber-attack before it begins. Human error can also cause cyber breaches and, while there is no easy solution to this, ensuring employees are familiar with common methods used by hackers and completing regular phishing simulations can be extremely helpful in making IT environments more secure.
While the above measures are not silver bullets, and this is by no means an exhaustive list, many cyber security experts agree that adopting them will enhance a firm’s cyber security readiness and resilience. These measures, combined with insurance from leading providers offering proactive claims management and assistance from specialist crisis response partners, are proven to protect sensitive data and also mitigate against the damage cyber-attacks can cause. They have also helped companies avoid potentially costly regulatory investigations and sidestep expensive remedial measures after cyber criminals targeted their businesses.