Think your business is too small or that your data and information aren’t important enough to be targeted by hackers? Think again. Cyber criminals don’t discriminate, but there are ways to help protect your business, and reputation, from cyber crime.
By Phil D’Rozario and Paul Turner
Much of our communication, be it personal or business-related, has increasingly moved online in the past two decades, and continues to do so. Every day, thousands of pieces of information are transmitted via email, text, Messenger, WhatsApp, LinkedIn, social media and so on.
Yet, while we’ve launched into the online world, how many of us have kept pace with adequate cyber protections and insurances? Every day, we see individuals and businesses being targeted by cyber crime.
But it’s not just the big end of town in the crosshairs. Plenty of smaller practices fall victim to cyber crime, and we’ve included some real examples we’ve encountered throughout this article.
At a small accounting firm with two partners and four staff, one of the staff members clicked on a link that looked like it came from a genuine email source. But the email was a scam and the firm was hacked. Its client database and information were stolen, its systems were disabled and a ransom in bitcoin was demanded.
The firm’s systems were down for more than three weeks and the cost of forensic IT help, loss of business, loss of wages and replacement of IT infrastructure exceeded $65,000. On top of this, the confidentiality, integrity and availability of the client data was severely compromised.
In trying to manage the situation, the firm sent a letter to its entire client database. But because the firm was in panic mode, it mismanaged the communication and instead caused severe reputational and brand impact, and loss of client trust.
Having best practice IT managed solutions in place would have helped this firm recover more quickly from the attack and suffer less damage. In addition, a well-worded cyber insurance policy would have covered the cost of IT forensic consultants, hardware replacement, management of communications to clients, ransom costs and negotiations, as well as loss of revenue and reimbursement of wages lost.
Cyber insurance should be regarded as business-critical insurance because the likelihood of a claim occurring under a cyber insurance policy is now as high as, if not higher than, the likelihood of a claim against your business insurance or PI insurance.
Yet not all insurance policies are the same, and so businesses need to understand exactly what they are and are not covered for. At a minimum, a cyber policy should provide a 24/7 breach response service (including IT forensic services), breach response management, credit monitoring, public relations crisis management, civil and regulatory defence costs and penalties, cyber extortion costs, business interruption cover and cyber terrorism.
A senior and long-serving staff member at a successful and respected financial planning firm had been trusted with some primary clients and their file information for more than a decade.
Unbeknown to the firm’s principal, the staff member established another business. For more than six months prior to leaving the business, the staff member copied and sent client files, documents, full client histories, personally identifiable information, sensitive details and company privileged information to a private email address and saved them onto external storage devices.
They also deliberately sent misinformation to clients about the firm’s ability to manage their affairs, and this resulted in financial loss of over $300,000 per annum.
An incident investigation revealed that critical areas of the business lacked policy or control from a technological (including limiting authorisation), legal, licensing and security perspective. The costs continue to mount while the legal and forensic investigation continues.
Proactive IT management and response plan
In addition to cyber insurance, proactive IT management and a data breach response plan, supported by your IT, are critical elements to future-proof a business. A data breach response plan should be treated no differently from a fire evacuation plan: it needs to be tested and rehearsed regularly.
We recommend three pillars of secure information management to identify and address risks within the IT infrastructure and reduce the likelihood of a cyber-attack. These are:
- confidentiality
- integrity
- availability
This ‘CIA of data management’ ensures all data remains available and accessible (availability) to only authorised users (confidentiality) and remains intact and unchanged by unauthorised access or processes (integrity).
*Full statistics available in the OAIC NDBS August 2019 Notifiable Data Breaches Quarterly Statistics Report
What does proactive IT management look like?
It’s easy to tell a business to ensure its service providers are proactively managing its IT systems, network and company data, with a focus on prevention.
But what does this mean practically? We see it as an “always eyes on” and holistic approach. This would include comprehensive monitoring, maintenance, support and management of organisational systems to help identify potential issues or concerns before they become a problem.
A set of overarching guidelines and business security principles should be established, and then the business should work through a practical approach that covers these key areas:
- password management and security
- network and data access management and security
- physical security
- information exchange policies and security (e.g. secure, encrypted, audited email)
- backup and disaster recovery
- education and awareness for internal staff
- cyber insurance coverage and policy wording
- policies and procedures (e.g. incident and data breach response plan)
- legal response and management plan
- responding to the psychological impacts following a data breach
A partner from a medium-sized accounting firm sent an email containing financial details and personal information to an incorrect recipient email address. As a result, the email went to an unintended recipient in another country.
The firm was forced to notify the Commissioner’s office of a privacy and data breach, which then required thorough internal investigation and legal costs. The cost ran into the tens of thousands, while the reputational and potential financial damage to the significant customer was extensive.
The firm sought advice from the cyber insurer about how to respond to the breach while complying with the Privacy Act 1988 requirements around notifications. This in itself cost a further $18,000 because credit-monitoring services needed to be engaged to monitor for any fraudulent transactions or activity.
This incident could have been avoided if the firm had invested in systems that allowed for immediate risk mitigation by providing the ability to track the email and completely recall it from the incorrect recipient. This would have included a confirmation the email was no longer accessible and a full audit trail of what had occurred.
The biggest risk…
A successful attack can cause lasting and irreparable damage to your business. It can result in business downtime, legal and financial liability, as well as damage to your reputation, brand and the trust you have with clients. The biggest risk your business can take is to do nothing.
Managing Director at Professional Assurance
Professional Assurance is an insurance provider that provides a comprehensive range of insurance. It also offers the broader approach of looking at pre-incident risk management to see if there are things that can be reviewed and implemented to prevent or reduce the chances of a claim occurring.
CEO at Zynet
Zynet delivers a Proactive IT Management platform specifically designed to provide organisations with flexible and reliable systems and processes that increase staff productivity and efficiency. It has a specific focus on cyber security and risk management to ensure clients can remain compliant with regulatory and industry requirements, as well as proactively and cost-effectively identify and mitigate business risk.