Managing cyber risk: How FDs can protect their firm from a costly attack
30 May 2018
Despite a growing awareness of cyber risks amongst businesses, a lack of knowledge about which bespoke protections are increasingly available to SMEs is threatening reputations and, ultimately, profit margins.
This was the view offered by Martin Camp, director of the corporate client division at insurer Aston Lark, at a roundtable session at this year’s FD Surgery. In an insightful talk, FDs from a cross-section of businesses discussed what measures can be taken to mitigate cyber risk and protect their fast-growing companies from attack.
Kicking things off, Camp revealed that more and more UK business owners were beginning to approach the insurance community for help after their firms became victims of cyber-attacks – the most common being ransomware and denial-of-service attacks.
Camp told the sorry cyber story of one business – an owner of an online FX trading platform – which had asked for help after an incident where one of its high net worth customers had lost £150,000 when his online trading account had been hacked (and subsequently emptied) of funds.
“The hacker had learnt how this individual had been trading with the FX platform over a period of time then one day, within the space of a few hours, had managed to replicate his instructions and get away with this person’s money,” explained Camp.
“This was one of the trickier cyber claims we’ve seen. We invoked our client’s policy straight away, but because the FX platform involved electronic trading and very little human interaction, it was clearly going to be difficult to determine where their claim would fall.
“The customer blamed the FX platform for the error, but our investigation showed that there was nothing at all wrong with it. The platform was approved by the FCA and its systems were very robust – from a tech standpoint it was strong.
“The problem lay with a lack of security of their customer’s home network, from which he was trading. In terms of our client, there was no crime or negligence. The platform wasn’t in control of its client’s money and it had never even entered their bank account.
“In the end, we had to convince our client’s professional indemnity insurers that a negligent act had taken place. But it was a complex issue falling across a number of different insurance covers, and total recovery costs came to nearly £500,000.”
Aston Lark’s client was fortunate not to have to pay for the hacker’s theft and reimburse its customer. The message for SMEs was clear: as cyber crime becomes more sophisticated, the need for an equally sophisticated cyber policy is vital.
How can SMEs protect themselves?
Day-to-day activities at SMEs increasingly occur online, even in industries that have traditionally been based on face-to-face interaction. As a result, businesses that have previously been unfamiliar with all things digital may now be facing considerable cyber risk.
One roundtable attendee, an FD of a mortgage firm employing 70 staff, asked what practical measures he could introduce to reduce the chance of a data breach at his firm. Camp explained that the greatest risk of a breach in all businesses, but especially those still relying on face-to-face interaction, is human error.
He said: “The key is to make staff aware of the importance of cyber safety to the business. We are all ‘inbox busy’ at work, and hackers play on that fact. Some of their tricks are very sophisticated.”
Another FD present said her business, an IT recruitment firm, had repeatedly been targeted by hackers posing as HMRC. She explained: “My ex-boss forwarded me an email last week containing a header which looked like it was from the Treasury, saying he was owed £4,500 in tax. The email included a link to a page where you could ‘find out more’. I told him: ‘I hope you didn’t open it!’”
Penetration (or “pen”) testing – the practice of testing computer systems or networks to find weak points that hackers could exploit – was one method of mitigating cyber risk the FDs discussed during the roundtable.
One attendee, who worked for a charity and had carried out pen testing on his system, said that he thought it a worthwhile exercise, despite the high costs involved. He added: “Hiring an expert to get through your system’s layers of security is probably the only way of finding out just how vulnerable it actually is.”
Camp went on to say: “Once you’ve done pen testing on your system and you know where your weaknesses are, you can start to build on them, from the centre-out or the centre-in. But it doesn’t stop someone accidentally leaving a work laptop on a train, or an employee unwillingly making a payment to a bogus client.
“The human firewall is the one that’s always the most vulnerable. You might have the best tech security going, but the human firewall is the one where you could always get caught out.”
Protecting your firm against cyber risks is increasingly about striking a balance between educating staff, so as to reduce human error, and investing in system security features hackers will find increasingly difficult to bypass.
It’s no longer something that can be put off, either. With hackers becoming smarter, swifter and more sophisticated, it’s only a matter of time before a business which refuses to act will fall victim to an attack. If the worst happens, and your firm is targeted, cyber insurance can often step in to offer a ready-made response.
“If your business is breached, you won’t have to worry,” said Camp. “With cyber cover, specialist teams will run you through that breach, telling you what steps to take and how to access legal advice. They’ll point you in the direction of IT professionals too.”