Tina Chittenden examines the myriad risks posed by today’s cyber criminals and what steps businesses should be taking to protect themselves from harm.
The threats to businesses, and therefore pressure on security companies’ resources, seem to be at an all-time high. With 24-hour rolling news and the explosion of social media, we never seem to be too far distant from crime and criminals. This is despite the fact that the latest Commercial Victimisation Survey shows the overall crime rate against business premises in England and Wales fell between 2012 and 2014.
However, as our society is now almost completely reliant upon the continued availability, accuracy and confidentiality of information, it’s important not to take our eye off the ball and let insidious cyber attacks and data breaches wreak havoc with reputations and finances.
The Cabinet Office estimates “the cost of cyber crime to the UK to be £27 billion per annum. A significant proportion of this cost comes from the theft of IP from UK businesses, which we estimate at £9.2 billion per annum.”
According to the 2015 Information Security Breaches Survey, as many as 74% of small businesses in the UK suffered from a breach in 2014. With an average data breach costing small businesses £75,000, that’s far from an insignificant cost to the economy.
Similarly, The Ponemon Institute’s annual Cost of Data Breach Study: Global Analysis found that the average consolidated total cost of a data breach in the UK has increased by 7% since 2013 to £2.37 million. The study also found that the average cost incurred for each lost or stolen record increased from £95 to £104.
The expense doesn’t end there. The new EU General Data Protection Regulation will introduce fines of up to 4% of turnover or €20 million for data breaches, whichever is the higher. A 2% figure will apply for more minor breaches. However, SMEs will benefit from a number of opt-out clauses, including not having to appoint a data protection officer or undertake a Data Protection Impact Assessment. Additionally, some existing red tape will be removed.
It will take up to two years to fully implement the new legislation across Europe’s Member States, but the increased risks and resulting costs already apparent mean that businesses need to be ready now in order to protect their reputations and potentially their livelihoods.
Ten costs of cyber crime
The insurance industry has identified a number of specific costs businesses can incur following a data breach. These include the following:
(1) Breach costs: The costs incurred after the discovery of a data breach (electronic or otherwise) can be considerable. They include forensic investigations, legal advice, notifying customers/regulators and offering support, such as credit monitoring, to affected individuals
(2) Business interruption following a cyber loss: Businesses can lose income if they suffer an attack and it prevents the company from earning revenue (including where caused by damage to reputation)
(3) Crisis containment: It’s vital to communicate quickly and confidently in order to minimise reputational damage
(4) Cyber crime: The theft of money, property or digital assets resulting in direct financial loss following an external hack into your company’s computer system
(5) Cyber extortion: Threats to lock you out of your systems or ransom demands to let you back in
(6) Hacker damage: The costs to repair, restore or otherwise replace any damage to your website, programs or electronic data
(7) Telephone hacking: Hackers can make unauthorised telephone calls after breaching computer networks
(8) VoIP hacking: As well as traditional fixed-line systems, online tools (such as Skype and VoIP) can be targeted by criminals
(9) Privacy protection: Costs to defend and settle claims made for failing to keep personal data secure (including regulatory investigations and civil penalties levied by regulators)
(10) Media liability: Accidental infringement of Intellectual Property rights or inadvertent libel in an e-mail or another form of electronic communication
Alongside the financial costs, it’s worth remembering the reputational damage that can ensue following a data breach and how this can affect your position in your industry. Research conducted by the Information Commissioner’s Office and published last year found that 77% of individuals are already concerned about organisations not keeping their personal details secure.
There’s a free Government website with resources to help businesses protect themselves against cyber threats. Anyone running a business should undertake the threat assessment: www.cyberstreetwise.com/cyberessentials/
The risks of cyber crime are not going away and, as attacks become more frequent, so the risks and costs grow significantly. Every business with electronic data should take action now to safeguard itself.
As is the case with any threat posed to businesses, we strongly recommend taking out appropriate insurance. There are a number of good insurance policies available covering both cyber and data risks.
Tina Chittenden is Head of the Security Sector at Darwin Clayton