The Department for Digital, Culture, Media and Sport (DCMS) commissioned the Cyber Security Breaches Survey of UK businesses, charities and educational institutions as part of the National Cyber Security Programme. Among the key findings of the report was the revelation that 39% of businesses and 26% of charities have reported cyber security breaches or attacks in the last 12 months.
Among the impacted businesses and charities, one in five ended up losing money, data or other assets, while 35% of those businesses report being negatively impacted by other considerations including post-breach measures, lost staff time or wider business disruption. These eye-opening statistics reveal the substantial effects of a cyber breach, which raises the question: how can organisations protect themselves? It is a question recently answered by Travelers Europe and Towergate Insurance in an IB Talk podcast.
On this subject, Troy Johnson, regional sales director at Towergate, highlighted the critical role of multi-factor authentication (MFA), which requires two or more independent factors (for example a password plus a one-time code from an authenticator app or a hardware key) to access business systems, in keeping businesses secure. Insurers are requesting this for all staff, he said. The challenge for brokers is that a lot of clients say they have MFA in place, but what they mean is that it has been rolled out only for the teams they see as vulnerable, such as the finance, IT and/or HR departments, because it is still wrongly perceived that criminals are looking to obtain data rather than to disrupt systems.
“So, clients are looking at this for finance, HR, and IT,” he said, “and we’re saying, ‘actually, it needs to be everybody within your organisation because the reality is that any weak link in the structure gives criminals the entry point.’ It’s communication [of that reality] which surprises a number of clients because they still think of cyber insurance as data protection whereas the reality is, for the vast majority of incidents, it’s protection against ransomware. So, the expectation that all staff have MFA in place isn’t unrealistic, it’s just down to challenging time scales to implement solutions like that.”
Lisa Farr, cyber underwriter at Travelers Europe, emphasised the rewards associated with the successful implementation of MFA across a whole business, and that this best practice can block up to 99% of account compromise attacks. The absence of MFA is also a really common factor in ransomware incidents, she said: Travelers has seen, from both the London Market and the US, that not having MFA can let intruders into a business system and lead to ransomware attacks.
Usernames and passwords are up for sale all over the Dark Web for criminals to purchase, Farr said, and it is quite scary to think of how much damage even a single stolen password can cause. This was recently exemplified by the Colonial Pipeline attack in the US, where the attackers gained their initial access using a single leaked password for a legacy VPN account that was not protected by MFA.
“I think it’s fair to say that MFA is almost the entry point for cyber insurance these days,” Johnson said. “As brokers and as clients, you need to start thinking of MFA as your first port of call. Do [your clients] have MFA in place for all staff? If the answer is ‘no’, you need to qualify which staff they do have it for and, if that’s none, then you’ve got a problem. But if they do have some limited solutions in place for key staff, then you have to start the education process as to why they need it for all staff and then engage with insurers to understand the timeline and the expectations [around implementation].”
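The broker's triage questions above (does every member of staff have MFA, and if not, which teams do?) reduce to a coverage check over the identity provider's user list. The script below is an added example written for this page, not code from Travelers, Towergate or the article. The CSV column names, the department names and the sample rows are constructed for illustration; in practice the export would come from the organisation's own identity provider, and the method names would match whatever that provider reports.

```python
"""MFA coverage audit over a directory export.

Added example (not from the article or the insurers quoted in it). It answers
the "MFA for everybody, not just finance/HR/IT" question from a CSV export of
accounts. Column names, method names and sample rows are assumptions.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export. A real export would come from the identity
# provider; the column layout here is an assumption for the example.
SAMPLE_EXPORT = """\
username,department,enabled,mfa_methods
a.smith,Finance,true,authenticator_app
b.jones,Finance,true,hardware_key;authenticator_app
c.patel,HR,true,sms
d.lee,IT,true,authenticator_app
e.brown,Sales,true,
f.green,Sales,true,
g.white,Operations,true,
h.black,Operations,false,
svc-backup,IT,true,
"""

# Phishing-resistant or app-based factors versus SMS codes, which can be
# intercepted via SIM swap or relayed through a phishing page.
STRONG_METHODS = {"authenticator_app", "hardware_key"}


@dataclass(frozen=True)
class Account:
    username: str
    department: str
    enabled: bool
    methods: frozenset


def parse_export(text):
    """Parse the CSV export into Account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        methods = frozenset(m.strip() for m in row["mfa_methods"].split(";") if m.strip())
        accounts.append(Account(
            username=row["username"].strip(),
            department=row["department"].strip(),
            enabled=row["enabled"].strip().lower() == "true",
            methods=methods,
        ))
    return accounts


def audit(accounts):
    """Return (coverage per department, uncovered active accounts, weak-only accounts).

    Disabled accounts cannot sign in, so they are left out of the denominator;
    an enabled account with no registered factor is the "weak link" the
    brokers describe, whichever department it sits in.
    """
    totals = defaultdict(int)
    covered = defaultdict(int)
    uncovered = []
    weak_only = []
    for a in accounts:
        if not a.enabled:
            continue
        totals[a.department] += 1
        if a.methods:
            covered[a.department] += 1
            if not a.methods & STRONG_METHODS:
                weak_only.append(a.username)
        else:
            uncovered.append(a.username)
    coverage = {dept: covered[dept] / totals[dept] for dept in totals}
    return coverage, sorted(uncovered), sorted(weak_only)


def mfa_for_all_staff(accounts):
    """The insurer's question: is every enabled account protected by some factor?"""
    _, uncovered, _ = audit(accounts)
    return not uncovered


def format_report(accounts):
    coverage, uncovered, weak_only = audit(accounts)
    lines = ["MFA coverage by department:"]
    for dept in sorted(coverage):
        lines.append(f"  {dept:<12} {coverage[dept]:6.0%}")
    lines.append(f"Enabled accounts with no MFA: {', '.join(uncovered) or 'none'}")
    lines.append(f"Enabled accounts with SMS-only MFA: {', '.join(weak_only) or 'none'}")
    lines.append(f"MFA for all staff: {'yes' if not uncovered else 'NO'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_export(SAMPLE_EXPORT)))
```

On the constructed sample the finance and HR teams show full coverage, which is exactly the picture a client might describe as "we have MFA", while sales, operations and an IT service account have none, so the "all staff" answer is no. Service accounts that cannot hold a second factor should be handled explicitly (restricted to specific source addresses, or moved to non-interactive credentials) rather than silently excluded from the audit.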
Moving discussions around MFA forward comes down to education, Farr stated, and insurers have an essential role in explaining why they want to see this security measure in place and the implications that not deploying this will have going forward. Johnson corroborated this and noted that creating stronger, safer businesses is about keeping up to date with changes in the cyber environment.
It is well worth keeping abreast of the latest developments, he said. Take phishing, for example. Cyber threat actors have largely moved on from traditional phishing methods, which is linked to the strong education now available around what a suspicious email looks like. That being said, phishing still happens, and phishing attempts have evolved beyond email to other communication channels, including SMS and WhatsApp.
“For me, the key thing is that this impacts all your staff,” Johnson said. “All staff have a life outside of work and if they use their work devices for that life, that’s fine, but just be mindful of the impact. If you’re clicking on links in social media or on an SMS on a work device, that could open the door to a cyber attacker coming in … and could be the gateway into your organisation.
“So, it’s educating staff that this is not as straightforward as ignoring a certain email, [and it’s] about having a robust procedure in place. Staff need to feel that they’re responsible for the security of the organisation as much as the IT department. They are the key defence for ransomware because we see it in our industry… the vast majority of incidents occur by human error, and human error is just simply down to education.”
As employees we each play an important part in keeping our own companies safe, Farr stated. A company can invest in the best systems and IT infrastructure possible to protect their critical data but it’s the same as having the best home security – if somebody opens up a door and lets an intruder in because they’ve been tricked, then those security controls are essentially pointless. That’s why it’s so important that employees are always on the lookout for suspicious behaviour and that they have the right checks in place to establish whether the person on the other end of a communication channel is who they say they are.
“Employees should be really mindful of emails and messaging and of clicking on [harmful] links,” she said. “Remember that these will probably be very urgent emails, or they will have errors and also, don’t feel afraid to report them as spam. From a company’s point of view, [it’s important] to have the facility set for employees to report these emails as malicious and provide constant training and risk awareness and to even set out phishing tests. They do go a long way to helping cut down these types of attacks.”