Should you buy cyber security insurance for your business?
Two-thirds of Australian businesses were interrupted by a cyber security breach in the past year. Telstra’s annual security report reveals that of those businesses that were interrupted, almost 90 per cent experienced a breach that was undetected. In many cases, it’s not until the victim is unable to access their data that the business becomes aware of the breach.
In addition to taking all reasonable precautions to be cyber secure, the Telstra report recommends taking out cyber security insurance for additional protection.
So, we’ve put together a guide that will help you decide whether you should buy cyber security insurance for your business.
Why would a business need cyber security insurance?
Protection from financial loss in the form of insurance is common in business, particularly when risks are tangible and easily assessed. It’s common for businesses to have motor vehicle, property and professional indemnity insurance. However, these same businesses may have difficulty assessing the risks of cyber security, which include data breaches and business interruption.
If your business experiences a cyber attack, you may be compelled to notify affected individuals and the Australian Government under notifiable data breaches legislation. Naturally, there will be direct costs involved in contacting those affected, but these costs may increase if your data breach attracts media attention and requires crisis communication expertise.
What types of cyber crime is a business exposed to?
A common form of cyber attack is ransomware, which is often delivered through a seemingly legitimate email, like an invoice. An unsuspecting staff member clicks on the link and the ransomware is downloaded – usually encrypting files or blocking access to systems until a ransom is paid. Ransomware can interrupt the business activities of an office, an organisation and even entire cities. Cyber attacks can be a grey area in business interruption insurance. They generally don’t come with headwinds that insurance actuaries can use for forecasting.
Ransomware is often delivered through emails in the form of phishing messages, and it’s something that almost everyone has been exposed to whether they are in business or not. It’s a crude and simple method of cyber crime, but it’s also effective and easily automated by hackers. While there are programs to reduce this risk, phishing is a form of social engineering that aims to deceive end users, or in this case, your staff.
Staff can also play a part in exposing a business to cyber crime, particularly if they are unhappy or planning to leave the business. A report in the UK found that students and staff of universities were launching Denial of Service attacks on their own institutions in an effort to crash networks.
Another, simpler cyber crime is using another staff member’s email to send a regular invoice with alternative bank details. As it comes from the usual email address and is a routine invoice, the client pays, but the money goes into the cyber-criminal staff member’s bank account. By the time the crime is recognised, the staff member and the funds could be gone.
While ransomware may be the most common form of cyber crime, hacking is usually the biggest concern for business leaders. Hacking involves gaining access to a business network or device. It can be achieved simply by observing a staff member typing in a password, or it can be as complicated as finding an online vulnerability to gain access. Hackers may silently steal information, cripple essential infrastructure or use your network to perpetrate even bigger cyber crimes.
What does cyber security insurance cover?
Cyber security insurance in Australia generally covers the financial costs associated with a cyber crime, including:
- notifiable data breaches
- business interruption
- damage to infrastructure
- claims arising from an infringement of a third party’s privacy or intellectual property rights
- response management
Because there are so many variables involved in cyber crime, insurance companies regularly offer education and specialist advice to improve the customer’s cyber security. However, there are a number of minimum requirements that must be met before a business is offered cyber security insurance. A business would need to work with an insurer to find the right solution for their security needs.
How much does cyber security insurance cost?
Much like professional indemnity insurance, cyber security insurance costs vary depending on the main activities of the business, the size of the organisation and the annual turnover.
It’s much easier to estimate the cost of not having cyber security insurance. The Australian Government initiative Stay Smart Online claims the average cost of a cyber attack to a business is $276,323. They also highlight that the average time to resolve a cyber attack is 23 days. That recovery period increases to 51 days if the attack comes from within the business.
Who needs cyber security insurance?
It’s commonly thought that hackers only go after the big end of town, such as Yahoo, Facebook, Sony and Marriott hotels. While these breaches make the headlines, it’s also true that big business is more likely to be cyber prepared. This makes things more difficult for hackers, who are more likely to seek several small ransoms, which are far less detrimental to the business, instead of one large ransom.
With automation, artificial intelligence and machine learning, hackers can target thousands of organisations, making endless attempts at passwords in a frighteningly short amount of time. As internet speeds get faster and machine learning becomes more sophisticated, the hackers are continually pushing the limits of cyber security.
Only two per cent of Australian businesses are not considered a Small to Medium Enterprise (SME), but two-thirds of all businesses have experienced an interruption due to a cyber security breach in the past year. So, it’s not unreasonable to suggest that all businesses, no matter how big or small, should be considering some form of cyber security insurance.
Can my business be secure without cyber security insurance?
A quarter of all Australian businesses don’t have an incident response plan to deal with a damaging cyber attack. This means the first step many businesses will take towards cyber security will be when it is too late. So, before you even think about cyber security insurance, it’s worthwhile putting together a cyber security policy for your business.
You should implement some basic security against cyber security risks:
- Update passwords to complex pass-phrases that swap letters for symbols and use different spelling. You can also look into using a password manager to generate and secure passwords.
- Ensure you are using a business level of anti-virus software and update it regularly.
- Back up your system and files regularly (and test the backups).
Having a sound knowledge of cyber security and the risks involved is invaluable for any business. A Master of Cyber Security will ensure you have the tools and techniques to predict, identify and mitigate cyber risk. It will provide you with the knowledge and strategies to defend and respond to threats and attacks, protecting organisations, people, their data and rights.