When it comes to areas of business risk, those associated with IT are front of mind, at least where big business is concerned.
Technology risk topped the poll in leading insurer ACE's Emerging Risks Barometer 2015, a survey of 500 executives in large and mid-sized companies in 25 countries. Among the risks, hacking or technological attacks which cause service disruption were of greatest concern (33%), with data theft by staff (23%) and theft of intellectual property (18%) some way down the list.
"It is an issue," says Riccardo Abbate, corporate partner in Trowers & Hamlins' London office, and specialist in technology, "that when people hear the words 'cyber-security' or 'cyber-risk' they typically think of 'hackers in hoodies'."
"In fact, hacking, in the sense that it's so often featured in movies and TV series, that of deliberate intrusion by a determined individual or group into a computer system for 'sport' or the demonstration of intellectual prowess, is a tiny part of the picture – just 3% of the total," he notes. "The truth is much more mundane and/or organised for criminal financial gain, and therefore much more dangerous to businesses in the real economy."
And while big business may have the big systems and therefore may be expected to suffer the greatest risks, the ubiquity of technology means risk can happen anywhere.
"We are all dependent on our IT, these days," Abbate adds. "And if you're running any kind of business, your attention to technology is vital."
"SMEs are particularly vulnerable," according to fellow corporate partner Adrian Jones. "They don't have the resources of larger companies either to have IT specialists in-house or the time or cash to spend trying different solutions. And there are criminals who specifically target SMEs because they're easier."
While a cyber-attack or hack can be devastating, technology risk comes in a number of different flavours.
"As well as intrusion into systems, either to steal data, or simply to use network resources, which may commonly be the unauthorised action of employees or former (disgruntled) employees," says Abbate, "there is also the simple failure of systems – hardware or software – and potential corruption or total loss of data. 'Cyber', to me, is therefore about resilience in the first place, and recovery in the second. Whether you're using IT primarily for computational, informational or archive reasons, are your systems resilient enough, and if they fail can you continue in business and do you risk any permanent losses?" Unexpected IT system outages are more common than system hacks, after all.
The true cyber-risk, then, is more a function of lack of thought and preparedness than direct action by the kind of social misfit/computer genius recently seen in Amazon's hit series 'Mr Robot'.
"A lot of companies will have policies on social media, what their employees can post on Facebook and Twitter," says Adrian Jones, "and people are increasingly wise to clicking on a link in an unknown email. But how well do you control access to your system? It could be a consultant working for you on a temporary basis who downloads or accidentally transfers something via memory stick, or it could be much worse."
"We had one client, some years ago, who were visited by a Chinese company they thought they could do business with," he recalls.
"One of the visiting delegation asked if he could access the internet, so of course they allowed him to use a terminal. It was subsequently discovered that he had uploaded a 'sniffer' (a type of spyware which targets specific data) which gave the Chinese company access to all their designs, pricing details and customers."
"Of course, it's very important to have good policies and procedures in place," says Abbate, "but there will always be human error. You can't guard against everything, but you should at least try to guard against everything you can, because your entire business could be at stake. So, ensuring that you have appropriate procedures that are supported meaningfully by the requisite resource is key to managing an organisation's cyber-risk."
"And just because you think you have something in place, it might not be what you think it is or what is appropriate given the operational circumstances of your business," cautions Jones.
"For instance, you may have offsite data recovery, but it's important to ask questions there," he says. "The company may be based in Dagenham, but its own disaster recovery might be in Singapore or the US, and that has implications for data protection. Life is never as simple as thinking 'I'll just do what the IT suppliers say and everything will be fine'."
Getting insurance is a natural consideration to add to the cyber-risk management 'tool box', but it may not be the comprehensive solution that it might appear to be. "The issue there is that the policy might be inadequate or useless if its scope and terms have not been procured properly to reflect the circumstances relevant to your organisation," according to Abbate. "The risk is that you get an insurance policy which you think covers you and you think 'ah well, that box is ticked' and move on to something else, and find out later when the cyber event occurs that you do not have the cover you thought you did," he says. "It is always useful to liaise with your insurance brokers and your legal advisors in such regard. But insurance (even if properly selected and procured) is only ever part of the solution: if disaster strikes and you've permanently lost sales records or customer data it might be impossible to continue in business. Financial compensation is no substitute for having robust systems and proper backups."
Ten top tips on cyber-risk:
1. Make sure all your staff understand policies on social media, use of data and email.
2. Insurance, yes, but check what it covers and make sure you declare everything you need to, or the insurer can void your policy.
3. Insurance can't restore lost data – make sure you have backups and good disaster recovery processes in place.
4. Make sure you control access to your system – including contractors and visiting 'clients'. Nobody should be putting memory sticks into your network! 'Bring your own device' facilities need attention to ensure that confidential information does not leak outside of your organisation's control.
5. If you use Software as a Service (SaaS) products, make sure you get periodic data downloads which reflect your needs – week-old data may be no good at all.
6. Offsite disaster recovery, fine, but check where their offsite is. If outside the European Union you may – as things stand – be at risk of infringing data protection rules.
7. Hacking is 'glamorous' and high-profile, but is actually rare. Organised and well-resourced criminals are making it their business to extract data for sale to competitors and/or to hijack systems for ransom. Make sure you understand the real risks to your business, on data, software and hardware.
8. Check what data you are processing and who is processing it – you might be sharing data without knowing about it. There may be service or contract terms which allow use of your data by a third party.
9. Change passwords regularly and ensure that staff are required to use strong passwords.
10. Do not use passwords for work that you use for personal accounts.