With attacks growing in frequency and impact, businesses of all sizes should consider dedicated cyber insurance. However, there are some cyber insurance myths that need to be dispelled first.

Myth #1 – My other insurance will cover me

Unless your other insurance specifically covers cyber events, you are not covered. In fact, most other insurance policies specifically exclude cyber events. The things you are trying to cover are:

  • Hacking, website defacement including altering your online catalogue or ordering systems
  • Impact to business operations and time unable to trade – including the annoyance factor
  • Data theft or loss of client information – or loss of access to this information
  • Loss of intellectual property including business plans and strategies, planned client work etc.
  • Extortion and blackmail, including ransomware taking your systems offline
  • Cost of external services, such as forensic investigation, crisis management, legal costs, data recovery
  • Fines and penalties, civil litigation or other financial impact of a breach or attack

Most general insurance policies will not cover any of these. “General liability” cover is typically limited to claims for bodily injury or property damage arising from negligence, with a focus on the physical world.

Myth #2 – we have good IT security measures, so cyber insurance is not needed

There are four types of attack that you should be looking out for:

  • Targeted attacks against your business specifically
  • Untargeted attacks that are just looking for any endpoint that is available
  • Internal attacks, supply chain attacks and malicious employees (or ex-employees)
  • Human error

Most good IT security measures are focused on untargeted attacks. Protecting a business from script kiddies and scanners exploiting the latest vulnerability in Java or Windows can be done with IT measures such as firewalls, anti-virus, and patching. Targeted attacks are harder to protect against, because the attacker will keep trying different routes (phishing, stolen credentials, a weaker supplier) until one works. This is what most small and medium businesses have in mind when they think of cybersecurity, and they then assume they are “too small” to be targeted. Many small businesses rely on “security through obscurity”, but automated scanning does not care who you are: anything reachable on the Internet is a candidate, and an attacker who finds you will take the opening.


Human error can include an inexperienced administrator leaving a setting misconfigured, an audit failing to notice that a departed employee still has access, or simply giving someone more access than their role needs. No policy or employee screening can completely remove human error.

Internal threats from employees, whether malicious or not, are everywhere. Examples include an employee taking files home or saving them to a personal Google Drive for ‘easier access’, someone sharing your customer contact details with a supplier (who also supplies a competitor), the employee who downloads a game or “utility” that turns out to be infected, or the third-party supplier who has far more remote access into your systems than they need. These can and do happen, no matter how good your IT security measures are.
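Two of the failures described above, a leaver whose account was never disabled and an employee or supplier with more access than they need, are exactly what a routine access review catches. The script below is an added example and is not code from the original article: it reconciles a constructed HR leaver list against a constructed directory export and flags leaver accounts that are still enabled, membership of a privileged group by anyone not on the approved list, vendor accounts with no end date or an end date already passed, and accounts that have not logged in for 90 days. The field names, group names, employee ids and the approved-admin list are all assumptions made for the example.

```python
"""Access review: find leavers who still have accounts, and accounts with more
access than they should have.  All data below is constructed for the example;
in practice the leaver list comes from HR and the account export from your
directory (Active Directory, Google Workspace, and so on)."""
from datetime import date, timedelta

# Constructed HR leaver list (assumed): employee id -> last working day.
LEAVERS = {
    "e1002": date(2024, 3, 29),
    "e1017": date(2024, 5, 10),
}

# Constructed directory export (assumed field names).
ACCOUNTS = [
    {"user": "alice", "owner": "e1001", "type": "employee", "enabled": True,
     "groups": ["staff"], "last_login": date(2024, 6, 3), "expires": None},
    {"user": "bob", "owner": "e1002", "type": "employee", "enabled": True,
     "groups": ["staff", "finance"], "last_login": date(2024, 3, 28), "expires": None},
    {"user": "carol", "owner": "e1017", "type": "employee", "enabled": False,
     "groups": ["staff"], "last_login": date(2024, 5, 9), "expires": None},
    {"user": "dave", "owner": "e1020", "type": "employee", "enabled": True,
     "groups": ["staff", "domain-admins"], "last_login": date(2024, 6, 1), "expires": None},
    {"user": "svc-vendor-hvac", "owner": "vendor-acme", "type": "vendor", "enabled": True,
     "groups": ["remote-access", "domain-admins"], "last_login": date(2024, 1, 15),
     "expires": None},
    {"user": "svc-vendor-print", "owner": "vendor-print", "type": "vendor", "enabled": True,
     "groups": ["remote-access"], "last_login": date(2024, 5, 30),
     "expires": date(2024, 4, 30)},
]

PRIVILEGED_GROUPS = {"domain-admins"}   # assumed: groups that count as "too much access"
APPROVED_ADMINS = {"e1001"}             # assumed: owners approved to hold those groups
STALE_AFTER = timedelta(days=90)        # assumed review threshold for unused accounts
REVIEW_DATE = date(2024, 6, 10)         # fixed "today" so the example is repeatable


def review_access(accounts, leavers, today):
    """Return a list of (user, finding, detail) tuples for a human to act on."""
    findings = []
    for acct in accounts:
        owner = acct["owner"]

        # 1. Departed employee whose account was never disabled.
        if owner in leavers and acct["enabled"]:
            findings.append((acct["user"], "leaver-still-enabled",
                             f"left {leavers[owner]}"))

        # 2. Privileged group membership held by someone not approved for it.
        priv = PRIVILEGED_GROUPS & set(acct["groups"])
        if priv and owner not in APPROVED_ADMINS:
            findings.append((acct["user"], "unapproved-admin", ",".join(sorted(priv))))

        # 3. Third-party remote access with no end date, or an end date that has passed.
        if acct["type"] == "vendor" and acct["enabled"]:
            if acct["expires"] is None:
                findings.append((acct["user"], "vendor-no-expiry", "set an end date"))
            elif acct["expires"] < today:
                findings.append((acct["user"], "vendor-expired-but-enabled",
                                 str(acct["expires"])))

        # 4. Enabled account nobody has used for a long time.
        if acct["enabled"] and today - acct["last_login"] > STALE_AFTER:
            findings.append((acct["user"], "stale-account",
                             f"last login {acct['last_login']}"))
    return findings


def run_review():
    """Run the review over the constructed data with the fixed review date."""
    return review_access(ACCOUNTS, LEAVERS, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding, detail in run_review():
        print(f"{user:18} {finding:28} {detail}")
```

The point of the script is not the specific checks but that each one is a question a business owner can answer without any security expertise: did this person leave, does this account need admin rights, does this supplier still need to get in, has anyone used this login lately. Run monthly against a fresh export, it catches the "human error" cases above before an attacker does.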

Myth #3 – Cyber coverage is just for IT-heavy companies

IT is needed for every business. Even if it is just email, a spreadsheet of customer contact details, processing credit card purchases or doing your accounts, you depend on your IT tools. Even if your business does not develop software, has no online store or even a website, you still need coverage. You almost certainly have an Internet connection, a Wi-Fi network in your place of work (and no, the default firewall in the Internet modem does not save you), accounting software or even an industrial control system, and any of these could be affected (or infected).

Your suppliers, or even your customers, may be hit and then you cannot trade. Or an attacker may want to get into another company, know that it shares a supplier with you, and attack you first as a stepping stone into that supplier and on to their final target.


More likely still, an untargeted attack somewhere on the Internet takes out something your business depends on: your connection, the email service you use, your phone system, your accounting software, or even your accountant. These incidents are no fault of yours and nothing you control, but you may still need to claim on your cyber insurance because you are left with costs you have to incur.

Myth #4 – we don’t hold “personal data”, so we will not be fined for a breach

There are strict penalties for breaches of personal data. In Australia the Privacy Act 1988, overseen by the Office of the Australian Information Commissioner (OAIC), makes the businesses it covers responsible for how they handle personal information; some small businesses are exempt, but the exemption is not automatic, and health service providers among others are covered regardless of size. The Australian definition of “personal information” is much wider than the US notion of “Personally Identifiable Information” (PII): any information or opinion about an identified or reasonably identifiable person, including their transactions, purchases or location, can count as personal information.

Myth #5 – it won’t happen to me, or the impact will be small and manageable

First, get real. Second, are you crazy?

It is almost guaranteed that your company will be impacted by a cybersecurity incident. It may not be direct; it may be a supplier or a customer, human error, a wide threat affecting hundreds of businesses, a virus or a phone scam. But it will happen, no matter how much money and work you put into protecting your business.

As for impact: if you think your business can cope, try switching something off. It could be the Internet connection, your email service, your accounting software, or even taking everyone’s mobile phone away. You will quickly see how soon you are affected.
