A Pragmatic Checklist for Cyber Loss Prevention

Almost half of businesses report having experienced a cyber-attack or breach in the last 12 months. According to the UK Government’s own research, 39% of these attacks result in financial loss. Insurers Hiscox put the typical financial loss for a business that is the victim of a cyber crime at £42,000.

In “Your Biggest Risk Wears Shoes” we highlight the cultural weakness in our defence against cyber-crime. 90% of breaches stem from human error.

There is no silver bullet that will make a business safe from cyber crime. Instead, it is a combination of Prevention and Protection.

As this is a topic where it can be difficult to cut through the scare stories and IT terminology, we’ve talked to the experts to put together some business-focused advice.

Step 1: It can (and does) happen to every business

Just because you haven’t had a loss yet doesn’t mean that you won’t. Cyber incidents need to be part of business continuity planning and you need a risk mitigation strategy.

Ownership of the strategy needs to be at board level. All business functions contain vulnerabilities, so function leaders need to be aware of the risks and the actions necessary to mitigate those risks.

Step 2: Get to Know the Threats

The National Cyber Security Centre (ncsc.gov.uk) is an essential starting point. It has plain English guidance for everybody – from individuals to large enterprises.

It contains step-by-step advice and details the most common threats.

Step 3: Understand the Vulnerabilities in Your Business Model

The way you do business, who you do business with and your processes all contain vulnerabilities.

Here are a few examples:

  • Finance Function: Invoice Hijack / Business Email Compromise – attackers pose as vendors, suppliers or customers in order to steal money, using tactics such as initiating fraudulent payments or hijacking normal conversations around genuine invoices to redirect payments.
  • HR: Payroll Hijack – similar to invoice hijack, the attacker tricks HR into diverting salary payments into the criminal’s bank account. Data Theft – attackers subvert HR processes to harvest employee credentials.
  • All Functions: Important information being provided by emails containing links and attachments. If it’s normal for information to be contained in an email, it becomes easy for criminals to subvert the process to introduce malicious links or attachments.
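As an added example (not from the original article), a simple payments control in Python that enforces the mitigation for the invoice hijack scenario above: any invoice whose sender domain or bank details differ from the vendor master record is held for out-of-band verification before payment. All vendor names, domains and account numbers below are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    """Trusted record from the vendor master file (constructed sample data)."""
    name: str
    email_domain: str
    sort_code: str
    account_number: str


@dataclass(frozen=True)
class Invoice:
    """Details extracted from an incoming invoice email (constructed sample data)."""
    vendor_name: str
    sender_email: str
    sort_code: str
    account_number: str
    amount_gbp: float


def review_invoice(invoice: Invoice, vendors: dict[str, Vendor]) -> list[str]:
    """Return the reasons a payment must be held; an empty list means it may proceed.

    Each reason is something finance staff should verify with the supplier by
    phone, using a number already on file, never one taken from the email.
    """
    reasons: list[str] = []
    vendor = vendors.get(invoice.vendor_name)
    if vendor is None:
        return ["vendor not found in master record"]
    sender_domain = invoice.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        reasons.append(f"sender domain {sender_domain!r} differs from "
                       f"vendor record {vendor.email_domain!r}")
    if (invoice.sort_code, invoice.account_number) != (vendor.sort_code, vendor.account_number):
        reasons.append("bank details differ from vendor master record")
    return reasons


# Constructed vendor master and two sample invoices: one genuine, one hijacked
# (look-alike sender domain and a changed account number).
VENDORS = {"Acme Supplies Ltd": Vendor("Acme Supplies Ltd", "acme-supplies.example",
                                       "12-34-56", "12345678")}
GENUINE = Invoice("Acme Supplies Ltd", "accounts@acme-supplies.example",
                  "12-34-56", "12345678", 4200.00)
HIJACKED = Invoice("Acme Supplies Ltd", "accounts@acme-supp1ies.example",
                   "12-34-56", "87654321", 150000.00)
```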

Step 4: Get Protected

Sometimes the whole news cycle around Cyber Crime can feel like one long sales pitch for Cyber Security products.

Buying Cyber Security products can also feel like the ‘tick in the box’ that means everything is safe now.

Buying Cyber Security products is not just a transactional decision. IT Support providers and Cyber Security experts will agree that most clients don’t give them a detailed brief – which leads to their clients being either under-protected or paying for products they don’t need.

Share the findings of internal risk assessments with them and ask them about the specific threats and vulnerabilities that you are concerned about.

Step 5: (If necessary) Get Tested

If there are hundreds of thousands or millions of pounds of transactions flowing around the business, it’s worth having a regular assessment of your vulnerabilities.

Penetration tests can be simple or complex – but if your risk assessment suggests that a loss of data, loss of service or misdirected payment would have a significant impact on business results, then it’s worth the investment. A ‘Red Team’ event will involve security experts staging a ‘hack’ on your business and its processes – they will behave exactly like a cyber-criminal and use the latest technology and techniques to do it.

The findings will reveal the gaps, the vulnerabilities and the actions that need to be taken and can be invaluable in loss prevention.

Step 6: Engage Your People

After a while everybody becomes immune to warnings and statements that appear everywhere they go. Staff need to understand the threats and be part of the design of strategies to mitigate them.

Regular training is vital – and so is getting staff to look for (and report) possible incidents. Near-miss reports are commonplace in Health and Safety and they are great for building an increased level of vigilance in Cyber Security. Measuring their frequency and identifying new threats also allows the business to be proactive.

Step 7: Make an informed decision on Insurance Cover

Many providers of Cyber Insurance cover will state that their biggest problem is that clients can’t tell them the cover that they need. As a result, they go for generic packages that leave them over-insured in some areas and exposed in others.

We’re aware of an incident of invoice hijack that led to the victim paying in the region of $150,000 into a fraudster’s bank account – all the while believing they were paying their supplier. Whilst they had insurance cover for this type of incident, it was capped a long way below the amount lost. As a result, although the victim was able to get the banks to retrieve some of the loss, they ended up on the edge of litigation with the supplier in order to reduce the overall financial loss.

Having a clear view of threats and ownership in each business function also provides a better view of the overall risk. That means that it is possible to make an informed decision about the type and level of cover required.

Should you have any questions or require specific advice – please do not hesitate to get in touch.