What are the ‘Online Risks’ to your business?

What are the ‘Online Risks’ to your business – and how do you deal with them? 

Recent cyberattacks against high-profile UK retailers have highlighted the risks to all businesses. M&S is said to have insured for £100 Million but its recent losses might exceed £300 Million. 

How much can your business afford to lose in the event of a Cyber attack?

How much do you insure for? (Consider the additional costs incurred because of any form of cyber interruption or intervention as well as loss of revenue.)

How do you check that your Insurance policy includes all relevant sections of available cover? (Some activities/events that you think should be insured are excluded by some insurers.)

How do you ensure that you comply with the Cyber insurance policy conditions? (Many policies will insist that you & your staff/team/operatives undergo regular cyber awareness training. Do they?)

The following Q&A session may be helpful – or it may raise as many questions as it provides answers. However, not all businesses have a help desk, and the IT department might be the boss or someone ‘with an interest in IT’ who knows a bit about the business. With this in mind, I have added some additional information where appropriate, which we hope will be useful. 

Q&A Session

How can you be better prepared, bounce back better if you are hit and check your insurance programme is adequate? 

To help protect your retail business, in this Q&A, our cyber risk and retail industry specialists answer your most urgent questions following the recent cyberattacks targeted at businesses in the retail sector. 

Can my business avoid being hit by cyberattacks? 

While avoiding cyberattacks altogether may be unrealistic, the National Cyber Security Centre (NCSC) has issued some useful guidance on best practice precautions. In summary, the NCSC recommends businesses should:

  • Deploy multi-factor authentication (MFA) across your organisation, which reduces the risk of unauthorised access by adding an extra layer of verification that makes it harder for attackers to compromise accounts. – Though a third party is often required to implement MFA, it is generally easy to set up and well worthwhile. Don’t forget – it applies to everybody and is most important for senior staff, managers and directors.
  • Enhance monitoring against unauthorised account misuse. – This suggests that ‘authorised account misuse’ is OK – which I am sure is not the intention. Ideally, you will be able to automate this process. If you are not sure how – ask! 
  • Pay special attention to employees with higher-privilege access to your IT infrastructure, including domain admin, enterprise admin and cloud admin accounts, and check that their access is legitimate. – It is usual for senior staff to have greater access and authority. It is therefore most important to make sure that all senior staff adhere to any system procedures, training and security.
  • Review helpdesk password reset processes. IT helpdesks are increasingly targeted in search of credentials to penetrate organisation networks, so, in addition to regular training, having robust policies and processes for verifying employees’ identities is essential. – It is highly likely that the ‘help desk’ of many businesses will be a person who knows a bit more than the others about the system. They will probably not be highly trained in the dark arts of cyber security – but they will, nevertheless, be the target of potential hackers and opportunists alike. 
  • Identify logins from unusual sources. – The relevance of this will depend on your system, its purpose and the intended users: if in doubt, seek advice! 
  • Monitor threat intelligence in real time and respond rapidly to alerts. – This is something that most companies will struggle to do. There are systems available and some are included within the cost of insurance.
  • Any suspicious activity can signal unauthorised network access. You need to be vigilant over possible social engineering attacks, which impersonate help desk interactions to infiltrate your organisation’s IT systems. – Whilst this is undoubtedly true, one should remember that practically any activity – no matter how innocuous – could lead to unauthorised network access. The ‘bad guys’ are getting smarter by the minute and with the use of AI can emulate most human activity, so it will no longer look ‘suspicious’!

You should also regularly revoke active sessions (meaning users have to authenticate themselves regularly for continued access to IT systems) and identify when individuals have created suspicious accounts. 
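As an added illustration (not part of the article or of the NCSC guidance), the following Python script runs three of the checks described above over constructed sample records: logins from a country the user has never been seen from before, admin-role logins made without MFA, and open sessions that have outlived a maximum age and are due for revocation. The seven-day session limit and the role names are assumed values for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs): login events in chronological
# order, plus the sessions that are currently still open.
LOGINS = [
    {"user": "alice", "country": "GB", "role": "user",         "mfa": True},
    {"user": "alice", "country": "GB", "role": "user",         "mfa": True},
    {"user": "alice", "country": "BR", "role": "user",         "mfa": True},
    {"user": "bob",   "country": "GB", "role": "domain_admin", "mfa": False},
    {"user": "carol", "country": "GB", "role": "cloud_admin",  "mfa": True},
]
SESSIONS = [
    {"user": "bob",   "started": "2025-06-03T09:00:00"},
    {"user": "carol", "started": "2025-05-01T09:00:00"},
]
PRIVILEGED_ROLES = {"domain_admin", "enterprise_admin", "cloud_admin"}
MAX_SESSION_AGE = timedelta(days=7)   # assumed policy value for this example


def unusual_source_logins(logins):
    """Flag a login from a country this user has not logged in from before."""
    seen, alerts = defaultdict(set), []
    for ev in logins:
        if seen[ev["user"]] and ev["country"] not in seen[ev["user"]]:
            alerts.append((ev["user"], ev["country"]))
        seen[ev["user"]].add(ev["country"])
    return alerts


def privileged_without_mfa(logins):
    """Flag logins by privileged (admin) roles that did not use MFA."""
    return [(ev["user"], ev["role"]) for ev in logins
            if ev["role"] in PRIVILEGED_ROLES and not ev["mfa"]]


def stale_sessions(sessions, now_iso):
    """Return users whose open session is older than MAX_SESSION_AGE."""
    now = datetime.fromisoformat(now_iso)
    return [s["user"] for s in sessions
            if now - datetime.fromisoformat(s["started"]) > MAX_SESSION_AGE]


if __name__ == "__main__":
    print("unusual source:", unusual_source_logins(LOGINS))
    print("admin without MFA:", privileged_without_mfa(LOGINS))
    print("sessions to revoke:", stale_sessions(SESSIONS, "2025-06-08T12:00:00"))
```

In practice the same three functions would be fed from your identity provider's sign-in log and session store rather than from inline lists.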

If a cyberattack hits your business, how can you restore operations quickly? 

Developing and regularly testing a robust incident response plan can help minimise the impact of any cyber incident and restore your operations quickly.

At first sight, this looks to be quite challenging – but identifying potential incidents early minimises costs and adverse effects later. You will probably need to seek the help of a cyber professional, and even if you have a team in-house who can do the job, a second opinion is always useful (even if not immediately appreciated by the in-house team!).

Your incident response plan should set out how you define a ‘cyber incident,’ as well as the procedures for identifying and reporting them. Your plan should also include processes for containing incidents to prevent further damage and outline steps to restore systems. It should also establish how you plan to learn lessons from any cyber incident.

While no simulation can fully replicate the pressure associated with a real crisis, cyber incident workshops can prove vital in testing your incident response plans. In particular, testing and simulations can help key decision-makers identify any issues with cybersecurity or gaps in planning, which they can then address to help the business recover rapidly after any incident.

Are you insured against the types of losses emerging from recent Cyber Events?  

The answer here will depend on the specifics of your coverage and the circumstances of any attack. Remember, some non-cyber insurance policies that seem to cover such events will have a cyber exclusion. You should check carefully for the excluding terms and conditions.

If you’re not clear on the scope of cover and whether it’s fit for the intended purposes, now is the time to stress-test it. Are there any gaps and what measures can you take to plug them?

Is the amount of insurance you’ve purchased adequate? 

Even if you evaluate your type of cover as fit-for-purpose, you should also assess the adequacy of your limits against all the potential financial implications of cyberattacks, for example, business interruption, ransom payments and notification costs.

Underinsurance not only presents a balance sheet problem, but may also leave your directors exposed to shareholder actions. Boards can face allegations of failure to ensure robust IT systems or inadequate handling of cyber risk, which can include failure to maintain adequate cyber insurance.

Do you understand the cyber risks most likely to impact your business and the financial damages you could face? 

Identifying and quantifying your specific cyber risks is the first step to finding the most efficient way to mitigate them. Cyber risk quantification analytics that use industry and organisation-specific scenarios can give you a detailed picture of the financial consequences of cyber incidents. With this insight, you can plot a course to the most effective and efficient combinations of risk controls, transfer and insurance limits. 


The cyber insurance market is more competitive than it has been in recent years, meaning now’s a good time to investigate your options.

To understand and insure your cyber risks more effectively, or to strengthen your incident response planning, get in touch with:

BGi.uk for insurance: info@BGi.uk 

Gambryce.io for training systems analysis: info@gambryce.io


Author: Nick Elwell

Thanks to Theresa Long, Retail Practice Leader. Willis Limited for the original article.

Feature image by Pixabay