Policy Monitor

Stay vigilant against cyber risks – cyber security cannot be a one-off exercise

For many organisations, thinking about cyber security has been an irregular exercise triggered when high profile cyberattacks make the headlines. Brokers may have offered Cyber Security insurance as a bolt-on at the annual insurance review to ‘plug any gaps’, after which the topic, and the threat, fall off the management agenda. Nick Denning, CEO of Policy Monitor, discusses the best strategies to remain constantly vigilant as new threats emerge and evolve, and as insurance cover becomes increasingly expensive and harder to obtain.

UK faces emerging cyber threats

Speeches by Deputy Prime Minister Oliver Dowden and Lindy Cameron, CEO of the National Cyber Security Centre (NCSC), at the CyberUK conference in Belfast on April 19th highlighted how cyber threats continue to emerge and evolve. There are now growing dangers from Russia-aligned hackers. Such groups, whether state-sponsored or independent but sympathetic to Russia, are seeking to “disrupt or destroy” Britain’s critical infrastructure.

The recommendation is that organisations such as those providing the UK’s energy and water supplies act now to protect against the emerging cyber threats. This increased menace is an example of how cyber threats constantly appear and mutate in unexpected ways.

Mr Dowden went on to unveil plans to set cyber resilience targets for key sectors to meet within two years and to bring private sector businesses working on critical infrastructure into the scope of resilience regulations. However, it is not just utility providers who need to be concerned. If utilities are targeted, then all organisations could be at risk from the knock-on effects. How would your business cope with a disruption in electricity supplies, or if your provider of cloud business apps and data were to go offline for a period?

Cyber insurance premiums rise

Cyber insurance premiums have been increasing over recent years as the number and size of claims have risen rapidly. Insurance provider Marsh, in its quarterly global market update on insurance pricing, found that cyber insurance pricing increased 34% in Q4 2022, on top of a sizable 66% increase in the third quarter. Industries such as manufacturing experienced even higher rate increases.

In October 2022, news channel CNBC looked into the availability and affordability of cyber insurance and how this can vary by industry and business size. It reported that the US Government Accounting Office (GAO) predicted that small businesses may have more difficulty in purchasing cyber insurance. The GAO noted that the extent to which cyber insurance will continue to be generally available and affordable remains uncertain. CNBC cited the example of one insurer opting not to insure the energy sector because of its vulnerability to attacks and because of “concerns that energy operators do not follow robust cyber security protocols.”

Staying safe is a never-ending endeavour

Because the nature of the risks keeps changing, it is important to keep your eye on the ball rather than thinking you are done once you have completed a checklist and filed it away. That is why it’s useful to use a tool which will continue to monitor your preparedness, nudge you to perform checks and remind you to refresh employee awareness and training. Such a system will also provide you with proof that you are taking cyber threats seriously when you approach companies for cyber insurance or when you need to make a claim. Hard evidence can show that you are doing all you can to mitigate the risks. This might help reduce your premiums or increase the chances that any claims will be paid quickly and in full.

There are many ways that your organisation can be proactive and improve its protection against cyberattacks, for example:

  • Keep all software and devices up to date with the latest security patches and updates.
  • Use strong passwords and enable multi-factor authentication on all accounts and devices, particularly administrator accounts.
  • Use antivirus and anti-malware software to detect and neutralise malicious software.
  • Educate employees about cyber security and the importance of following safe practices when using the internet and company devices.
  • Back up important data regularly to protect against data loss from an attack and to enable you to fall back to a safe state.

These steps may seem like common sense, but they become increasingly worthless if they are not kept front of mind and up to date. Indeed, performing such tasks as a one-off exercise might give your organisation a false sense of security and slow your response to news of emerging threats, or to attacks that actually happen in your own business. You need to be organised and systematic to make sure that all software updates and patches keep on being applied, that password policies prompt for regular reviews and changes, and that employees remain aware of and educated on the latest threats.

The Government provides resources for organisations through the Cyber Essentials scheme, managed by IASME (www.iasme.co.uk), and through websites such as www.ncsc.gov.uk and https://www.gov.uk/government/publications/cyber-security-what-small-businesses-need-to-know. All offer excellent guidance.

Your organisation needs to stay vigilant against cyber risks. Treating cyber security as a one-off exercise could have expensive implications and even sink your business.