Cyber Hygiene and Cyber Insurance Protection
How much has your cyber hygiene slipped of late? How hygienic is your computer system? What would your health rating be, if a cyber security expert took a look at your operation? Do you have cyber insurance back up?
Leading commercial insurance broker and arranger of cyber insurance policies, Gauntlet Group, is urging businesses and charities to ask themselves these questions and be perfectly honest when answering them. If they do, they may well find they are contributing to a noted slide in cyber hygiene.
What is the cyber hygiene issue?
Too many businesses have stopped taking the actions that were keeping their computer systems reasonably healthy and better equipped to deal with viruses and other threats. Frequently, businesses have ceased ensuring that employees keep on top of cyber security. The slip in cyber hygiene is accompanied by an increase in virus and phishing vulnerability.
The reasons for this are understandable, to some degree. Businesses have been firefighting and battling the impacts of rampant inflation, Brexit, the cost of living crisis and soaring energy bills. They have been trying to cope with demands for higher wages, at a time when costs are already sky high. They have been desperately trying to fill vacancies, when the talent pool is shrinking. Cyber security is a harder thing to focus on and one that slips down the priority list when many other things are directly impacting on operations.
Why does cyber hygiene matter?
Yet, practising good cyber hygiene is vital if businesses are to avoid becoming victims of cyber criminals. Almost a third of businesses (32%) recalled experiencing a cyber breach between April 2022 and April 2023. There were 2.39m instances of cyber crime and 49,000 cases of cyber fraud across all UK businesses in that 12-month period. 785,000 charities were also affected.
Many measures that you should undertake, as part of your cyber hygiene, are focused on people and that really matters. IBM puts the incidence of human error within cyber attacks at 95%. Stanford University researchers are only a little more generous, saying human error accounts for 88% of issues.
What do we mean by cyber hygiene?
So what is cyber hygiene? Basically, it’s all about training yourself and your employees in good cyber health habits that allow you to be in the best possible position to resist cyber threats and online security issues. It’s a pre-event, precautionary measure that encourages you and your team to adopt a security-focused mindset and always be alert to cyber threats. It also entails ensuring that the health of your computer system is as good as it can be.
It involves getting into a good cyber routine and sticking to that, repeating cyber security focused actions, on a regular basis, to manage your cyber risk. The routine involves ticking the boxes that cyber experts recommend be well-managed, so as to reduce the opportunities through which a cyber criminal can launch an attack on your systems.
You may think that you are just small fry to such criminals, but in a world of inter-connectivity, a criminal may well view you as just the starting point they require, in order to get into bigger systems – of clients and suppliers with whom you connect. Furthermore, every piece of data they can steal from your systems has a price on the dark web, so nobody is ‘too small’ when you are a cyber criminal trying to make an illegal living.
How cyber hygiene has slipped
Setting up a cyber hygiene regime is important but so too is making sure that the one you had in place has not lapsed in recent years. The UK Cyber Security Breaches Survey found that use of robust password policies had dropped within businesses. Whilst 79% of businesses had an official password policy previously, this had dropped by April 2023 to just 70%.
Use of network firewalls had dropped even more – from 78% to 66%. Restricting the number of employees with access to vital parts of the computer system had been a policy of 75% of businesses. In April 2023, just 67% were doing this. Malware protection had been deployed by 81% of businesses in 2021. By 2023, it had dropped to 74%, leaving more than a quarter of businesses exposed.
Poor patch management within businesses
The percentage of companies that were updating software within 14 days of a new patch being released was 43% in 2021. By 2023, it was just 31%. Those practising patch management in general comprise only 66% of businesses – two-thirds.
This is the general picture, however, and in some industries cyber hygiene is even worse. Only 26% of construction businesses and 23% of those in entertainment and hospitality update their systems when new software is available.
So what cyber hygiene measures should you be focusing upon? Here are some guidelines.
Good cyber hygiene involves changing passwords regularly. You should create a company policy as to how regularly that should be, e.g. monthly or six-weekly, and then make sure that this happens. Passwords should be at least 12 characters long and be a mix of upper and lower case letters, symbols and numbers. The obvious should be avoided and passwords should be impossible to guess. Do not write passwords down; use a password manager instead, so that details can be held securely.
Any business should be continually updating its browsers, apps, software and firmware, as soon as new versions become available. Set up auto-updates if possible, or make sure you update systems within 14 days of a new version becoming available. Delete any apps not in use.
Sign up for multi-factor authentication in as many places as possible, whether that is with your bank, on your social media platforms or your email servers.
Back up on a very regular basis and try to follow the 3-2-1 rule: keep three copies of your data, on two different types of media – cloud, disk or tape – with one copy held off-site.
Always ensure that a computer firewall is in operation, so that malicious attempts to enter your systems are resisted. Also make sure that your firewall is correctly configured.
Make sure your computers are fitted with anti-virus software and that updates are always performed – or set to auto-update. This should prevent malicious software from entering your computer systems.
Check your privacy settings are strong and do not post anything that could help a cyber criminal piece together information that could be used to attack your systems or physical property. Don’t allow staff to participate in any quizzes or competitions that could be seeking to acquire information.
If computers are being used by employees – or yourself – whilst out and about, make sure any web browsing is only done through a VPN. This prevents an attacker on a public wi-fi network from intercepting your traffic and using it to reach your computers.
Do not dispose of any computers until you have reformatted and wiped the hard drive clean. If you do not do this, you could allow sensitive data to fall into the hands of criminals.
Train employees in the tactics used by criminals and ensure they understand not to click on suspect links and not to open any attachments they are not expecting to receive. Make sure they know that they should check out the email address from which an email has been sent, even if it seems to be legitimate and carrying company logos that suggest it is from a trusted source.
Keep a tight control on who has access to your business systems and do not give administration rights to all and sundry.
Use data encryption options, wherever possible, to protect sensitive data.
Why such cyber hygiene measures matter
When an analysis is undertaken of successful attacks on UK businesses, it is clear many attacks succeed as a result of a phishing exercise. Employees are drawn into clicking on something or filling in a form that gives a criminal access to the system. 73% of attacks on businesses are a result of phishing, whilst the figure is even higher in the charity sector (83%).
Impersonation of a person or business is also behind 31% of attacks on businesses and 29% of attacks on charities.
Viruses still affect more than one-in-ten businesses (11%). Hacking affects a similar percentage.
With good cyber hygiene practices in place, these figures should fall dramatically, as the means through which criminals can achieve their mission will be greatly reduced.
Going beyond cyber hygiene
To make your business even more secure, you should undertake a cyber risk assessment, auditing every aspect of your cyber system and assessing where weaknesses lie. Only three-in-ten businesses actually do this.
Start by listing all of your computers and devices that are connected to them, such as printers and fax machines. Then note all of the software that is running on each device. Next, make a note of all web apps, including things such as Dropbox and Google Drive. Which apps are also being used on phones that then connect back to your system? Don’t forget tablets either.
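Once the inventory exists, the 14-day patching target mentioned earlier can be checked against it mechanically. The following is an added example, not code from the article or from Gauntlet Group; the inventory rows, device names, versions and dates are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed asset register (illustrative only): one row per device/software
# pair, with the installed version, the latest vendor version and the date the
# latest version was released. A real register would be exported from your
# inventory tool or built from the device list described above.
INVENTORY = [
    {"device": "office-pc-01", "software": "Browser", "installed": "118.0",
     "latest": "119.0", "patch_released": date(2023, 10, 24)},
    {"device": "office-pc-01", "software": "Operating system", "installed": "22H2",
     "latest": "22H2", "patch_released": date(2023, 11, 1)},
    {"device": "laptop-07", "software": "Firmware", "installed": "1.4",
     "latest": "1.5", "patch_released": date(2023, 11, 8)},
    {"device": "printer-hall", "software": "Firmware", "installed": "3.2",
     "latest": "3.3", "patch_released": date(2023, 9, 1)},
    {"device": "phone-sales-02", "software": "Cloud storage app", "installed": "5.1",
     "latest": "5.2", "patch_released": date(2023, 11, 13)},
]

# The article's target: updates applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)


def patch_status(row, today):
    """Classify one row as 'current', 'pending' (inside the window) or 'overdue'."""
    if row["installed"] == row["latest"]:
        return "current"
    deadline = row["patch_released"] + PATCH_WINDOW
    return "overdue" if today > deadline else "pending"


def overdue_items(inventory, today):
    """Return (device, software, days since release) for every overdue row."""
    return [
        (r["device"], r["software"], (today - r["patch_released"]).days)
        for r in inventory
        if patch_status(r, today) == "overdue"
    ]


def summary(inventory, today):
    """Count rows in each status so the patching position can be tracked over time."""
    counts = {"current": 0, "pending": 0, "overdue": 0}
    for r in inventory:
        counts[patch_status(r, today)] += 1
    return counts


if __name__ == "__main__":
    review_date = date(2023, 11, 15)  # constructed review date
    print(summary(INVENTORY, review_date))
    for device, software, age in overdue_items(INVENTORY, review_date):
        print(f"OVERDUE: {device} / {software} ({age} days since release)")
```

Rows whose deadline has passed are the ones to chase first; running the summary on a schedule gives you a trend rather than a one-off snapshot.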
Controlling this whole network accessibility issue is much harder if you allow employees to use their own devices and plug into your system. A wise move is to make it a company policy that employees are not allowed to do that and are not allowed to bring in any USB sticks either. This may require you to write something into company handbooks and contracts.
Build regular staff training into your workflows and ensure that cyber training is part of any induction process.
From there, you need to consider the ‘what if?’ scenario, in which a breach still occurs despite these measures. If that happens, you may well not have the internal expertise to deal with the incident and could be looking at a considerable sum of money to put the situation right.
You do not want to be scrambling around looking for someone who can assist you, not knowing where to turn, if your systems are down, your website is not able to make any sales, or customers or suppliers are becoming increasingly frustrated with you. If your customers’ data has been breached, you have an even bigger problem on your hands and having the right advice as to how to tackle this will be key.
These are all of the reasons why you need to have cyber insurance and a good and comprehensive policy that will not just pay out for the costs of putting things right, but give you access to top-level cyber security experts who can instantly analyse your systems and pinpoint where the cyber criminal gained entry.
The UK Cyber Security Breaches Survey 2023 suggested that only 37% of companies have some form of insurance protection against cyber risks. However, this is often cover provided through other policies and not specific cyber cover. Worryingly, only 7% of businesses overall and 8% of charities have a specific cyber insurance policy. Even if the focus is on larger businesses only, only 26% have a stand-alone cyber insurance policy.
Acting fast, in the instance of a cyber breach, is imperative but you need the right support to be able to do that. Best advice is to get your cyber hygiene in order, conduct your cyber risk assessment and ensure that you have the safety net and 24/7 support that can come through good cyber insurance protection. To access the latter, call us on 0113 244 8686 and let Gauntlet’s team steer you in the right direction.
For more information on all of our other policies, just visit www.gauntletgroup.com