JACKSONVILLE, Fla. – At news conferences held in the days since Florida’s education commissioner ordered schools across the state to resume in-person classes next month, Gov. Ron DeSantis has claimed in various ways that children run an “incredibly low” risk for contracting coronavirus.
“I don’t think there’s anyone who can make an argument this is especially risky for kids,” DeSantis said Friday.
“The risk for corona, fortunately, for students is incredibly low,” he said Saturday.
Since the health of their children is the top issue of practically every parent in America right now, we wanted to run DeSantis’ statements through our Trust Index.
The first expert we consulted was Dr. Jeffrey Goldhagen, former director of the Duval County Health Department and now chief of community and societal pediatrics at UF Health.
“No, the risk is not incredibly low,” Goldhagen said.
Goldhagen said while it is true that someone under age 18 does have a decreased chance of contracting COVID-19, school children will indeed be at risk of contracting the virus in school.
But increased exposure to other children and staff needs to be considered.
“In the school system or wherever, a child is one third less at risk as an adult, but has three times the number of contacts. Then their capacity to spread the disease is the same as adults,” Goldhagen said.
Medical experts add that while face masks may be part of many schools’ back-to-school plans and masks do reduce transmission rates, getting children to wear them consistently is difficult.
According to Florida Department of Health statistics as of Friday, 17,073 people under the age of 18 across the state have contracted COVID-19. Of those, 213 were hospitalized at some point. Four of them have died.
Goldhagen said not only are children less likely to get infected, they are less likely to become symptomatic. Therefore they may bring the virus home to family or others who are more susceptible.
“We have to move away from this perspective that children are not at risk of getting infected with the disease … that they’re not at risk for spreading the disease,” he said. “Those assumptions are wrong.”
Based on this pediatrician’s experience and the state data we gathered, we give a Be Careful rating to DeSantis’ statement that “there’s an incredibly low risk to school children.”
Copyright 2020 by WJXT News4Jax – All rights reserved.
West Midlands Police issued an urgent warning to parents over a “very dangerous” live streaming app which it said posed a “risk to children”.
West Midlands Police urged families to be aware of the YOME LIVE streaming app amid fears predators may be bribing children with gifts in exchange for private chats.
Parents were urged to not tell their children about the app in case they downloaded it out of curiosity.
In a message on West Midlands Police’s online alert system, WMNow, Nicola Tinker said: “YOME LIVE (pronounced YO-ME) is a very dangerous live streaming app which poses a risk to children and young people.
“Do not disclose this app to children as their curiosity could well send them to look at it. YOME is a publicly live stream video or voice chat which creates an easy to access video and chat environment frequented by adults in a highly sexualised behaviour.
“They target young people who often get sent gifts to persuade them to “FOLLOW” chat privately with adults. HELP KEEP OUR CHILDREN SAFE!”
BirminghamLive has asked YOME for a statement.
Online safety for children
Below is advice from the West Midlands Police website on online safety for children:
Has something happened online that has made you feel worried or unsafe? Are you worried about the safety of your children when they are online?
The CEOP (Child Exploitation and Online Protection) website allows you to report concerns online and to discover how young people can stay safe online from issues such as online abuse or sexual exploitation.
You can also find further online safety advice from Thinkuknow or the NSPCC if you are worried about online safety, people acting inappropriately online, or if you fear you or your child is being sexually abused or groomed.
Small businesses face a heavy risk when it comes to cyber security. The best defense relies on an active, educated employer.
On March 9, 2018, the Oregon Clinic discovered an unidentified party had accessed an email account. The data breach gave attackers access to names, birth dates, medical information, and in some cases, the social security numbers of patients and staff.
The clinic was able to recover from the attack, and went on to offer patients impacted by the breach one full year of identity monitoring services.
But other businesses which have been subjected to cyberattacks face more dire consequences.
According to a recent study by insurance carrier Hiscox, the average cost to a business when it is subjected to a cyberattack is around $200,000.
Small businesses suffer most from these costly attacks. Due to the massive price tag associated with an infringement, 60% of small businesses go out of business within six months of being victimized, according to the National Center for the Middle Market.
Attackers target small businesses for a variety of reasons. Some try to gain access to employee and client information, such as email accounts, bank numbers and social security numbers. Hackers also install ransomware, which, as the name implies, will hold a network hostage until the business owner pays a fee to be released.
Hackers also target servers to create a “zombie” network, which uses a business server as a launching pad to conduct other attacks to avoid detection.
Other attackers, especially ones from foreign governments, take over a network to mine for bitcoins.
Close to 50% of all cyber attacks are perpetrated against small businesses, which hackers often perceive as low-hanging fruit. According to a report compiled by Verizon, nearly half of small businesses reported a data breach in the past two years.
Despite the likelihood of an attack, and the relative risk involved, less than half of small business owners reported spending money on cyber security last year.
This is in part because maintaining a good cybersecurity defense is costly. Unlike virus protection, a business cannot simply install a defensive program against cyberattacks and remain safe.
“The demand for these cybersecurity professionals is so high that the price they command for their services is also very high,” says Dr. Wayne Machuca, lead instructor for Mt. Hood Community College’s cybersecurity program. “This precludes small and medium-sized businesses from being able to afford and adequately staff around their cybersecurity needs.”
There are 4,600 cybersecurity job openings in Oregon, according to cybersecurity employment website CyberSeek. Despite Oregon’s reputation as a state with a heavy tech sector, there are twice the number of cybersecurity job openings as there are qualified professionals to fill them.
Ruth Swain is the interim director of the Small Business Development Center at Mt. Hood Community College, which helps small businesses protect themselves against cyber threats through the Oregon Center for Cybersecurity.
With Machuca’s help, the center has developed a program which allows students in their last year of school to provide training and cybersecurity expertise to small businesses owners and their employees free of charge.
“We worked with the interns and instructors here to come up with a cybersecurity prevention checklist for small businesses,” says Swain. “The advising is free, so we are encouraging businesses to sign up.”
The program was awarded a grant from the National Science Foundation, and Machuca says they have used the grant money to replicate the program along with its sister colleges. “It’s really exciting stuff,” he says.
Skip Newberry, president and CEO of the Technology Association of Oregon and executive sponsor of Cyber Oregon, an organization dedicated to delivering the latest cybersecurity information and best practices to businesses, says businesses which cannot afford a cybersecurity professional on staff should train employees to recognize cyberattacks.
“The first and best defense is adequate training for employees,” he says. “In this day and age, anyone who uses technology should be trained in how to spot phishing and spear phishing attempts, and best practices for managing passwords, which is how the vast majority of cyber breaches occur within small businesses.”
Much of the training is preventative, but if an attack has occurred, the most important thing for a business is not to keep silent.
Some industries, like financial services and healthcare, have been targets of cyberattacks since day one. For years, manufacturing seemed far less interesting to hackers, and even C-suite executives at these companies weren’t particularly worried about the risk of attack. However, all that’s changed now that the Internet of Things (IoT) dominates production systems across the manufacturing industry. Although these devices have helped to usher in the era of “smart” manufacturing, they’ve also dramatically expanded the attack surface across global manufacturing systems. One study revealed an average of 5,200 attacks per month on IoT devices in 2018 alone.
Cyberthreats like NotPetya, WannaCry, Stuxnet, and EKANS are constantly evolving and targeting companies in every industry around the world. But the biggest risk to manufacturing companies is that few of these organizations are truly prepared to counter these types of threats. Here are some of the top risks manufacturers face today:
Extended downtime: While intellectual property theft and ransomware are big threats to any company, the consequences of a major attack are often unique and can be devastating. For instance, a single attack could shut down a plant’s operations or even reconfigure machinery to produce faulty products without anyone realizing it until the human and business costs have skyrocketed. Although the true cost of downtime is hard to quantify, many factories lose an average of 5% to 20% of their productivity due to downtime.
Longer recovery time: Consider that many manufacturers are actually smaller companies that produce parts for larger global enterprises. These smaller manufacturers often lack mature IT security practices to prevent a cyberattack, which not only makes it easier for hackers to infiltrate their systems, it may also make it much harder for these companies to restore operations impacted by a cyberattack.
Loss of trade secrets: A manufacturing company’s systems and processes are often closely kept trade secrets. Guarding this information is not only critical for safety but also necessary to protect the company’s competitive advantage. However, the widespread use of always-on IoT devices offers bad actors countless ways to access devices and systems. Once hackers have gained access, they can potentially hack into the cameras in computers and mobile devices to surveil a physical location. They may also be able to gain access by stealing a third-party vendor’s credentials, which is why manufacturers must gain tighter control over their vendor privileged access management.
Breach of customer confidentiality: For many hackers, customer data is a goldmine, which is why these systems are so frequently attacked. In one instance, cybercriminals breached a manufacturing company’s customer information system and installed malware that remained active for an entire year. The hackers were able to extract volumes of highly confidential customer data such as name, billing address, telephone number, payment card number, expiration date, and verification code. The malware was specifically designed to access victims’ shopping carts to access these details.
Loss of reputation: Once a company’s data has been breached and customers have been impacted (either through production delays or loss of personal information), it’s extremely hard for a company to rebuild those relationships. The larger the deal, the larger the impact outages and delays can have on delivery dates across the supply chain. For manufacturers working with larger customers, a cyberattack that shuts down production can destroy not just the revenue from the deal, but also cause more financial damage from missing contractual agreements. While a company or customer may be entitled to compensation from a manufacturer, it’s much harder to repair the damage to a brand in a highly competitive and high-demand industry.
The good news is, there are solutions to help reduce the threat of malicious attacks through outside or third-party entities such as manufacturing partners and vendors. Stay tuned for our next blog, “Improve security in manufacturing with vendor privileged access management” to find out how!
In the meantime, to learn more about the risk of cyberattacks on manufacturing systems, download our infographic “The Top Remote Access Threats in Manufacturing.”
The post Five ways cyberattacks put manufacturing systems at risk appeared first on SecureLink.
*** This is a Security Bloggers Network syndicated blog from SecureLink authored by Ellen Neveux. Read the original post at: https://www.securelink.com/blog/five-ways-cyberattacks-put-manufacturing-systems-at-risk/
Where do we stand with the management of cybersecurity risk? Answer … Not in a good place.
This position was further augmented upon reading an article in the January 23, 2020 Washington Post by Anna Fifield with the title “Wuhan quarantine expands as Chinese fear authorities withholding information about coronavirus outbreak,” available at https://www.washingtonpost.com/world/coronavirus-china-wuhan-latest/2020/01/23/2dc947a8-3d45-11ea-afe2-090eb37b60b1_story.html
One statement, by Guan Yi, a virologist who helped identify severe acute respiratory syndrome (SARS) in 2003, really resonated. In reference to the coronavirus epidemic, he said that “We have passed through the ‘golden period’ for prevention and control.”
That characterization rings so true if applied to cybersecurity attacks and defenses. One can argue as to when that transition took place. My opinion is that it happened a decade or more ago.
What this means for cybersecurity is that we are beyond protection, avoidance and (minimally) deterrence, and are turning to detection and response.
In an interview article “Epidemics expert Jonathon Quick: ‘The worst-case scenario for coronavirus is likely,’” in The Guardian of March 1, 2020, available at https://www.theguardian.com/world/2020/mar/01/the-worst-case-scenario-for-coronavirus-dr-jonathan-quick-q-and-a-laura-spinney, Quick, the former head of the Global Health Council, states that:
“… we have a measure of epidemic preparedness—the Global Health Security (GHS) Index—that scores countries on six dimensions: prevention, detection, response, health system, risk environment and compliance with international standards.”
The GHSI does not appear to include protection, avoidance or deterrence. I think that it should. Perhaps they are implicit. In any event, it would seem to make sense for Infosec professionals to consider a similar index for cybersecurity risk by country, region, industry and organization. Yes, there are some forms of these considerations such as the Payment Card Industry’s Data Security Standard (PCI DSS), but they are not ubiquitous and not completely effective. Furthermore, we don’t have generally-accepted international cybersecurity standards.
There have been a number of attempts to establish such standards, but they always seem to fizzle out. I was involved in the GAISP (Generally-Accepted Information Security Principles) effort when it eventually came under the auspices of the ISSA (Information System Security Association) and I was involved directly in the project, heading up one of the tracks. A January 2004 draft of the GAISP principles is available at https://citadel-information.com/wp-content/uploads/2010/12/issa-generally-accepted-information-security-practices-v3-2004.pdf and is well worth reading.
The project was never completed. It collapsed under its own weight and because of differences of opinion among the leaders of the project. It is one of my greatest regrets that the standards were never finalized. It was the right time. Since then, we have seen significant failures in cybersecurity risk management, in large part because there are no universal standards and global enforcement mechanisms.
We can be reasonably certain that eventually the coronavirus will be controlled and that vaccines will be developed and made available to the masses. At this point, we do not know how much physical, emotional and economic harm will be inflicted on the world population, but it is reasonable to believe in the prospect of protection against the coronavirus and/or a cure.
Wish that it were so for cybersecurity risk. At this point in time, there is little indication that cybersecurity risk will be constrained nor that we will develop the prevention and protection mechanisms needed to mitigate, if not eliminate, the risk.
It is time to resurrect the creation of global standards and institute effective organizational structures that will begin to contain rampant cyberattacks and minimize the destruction that they cause.
*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2020/03/09/cybersecurity-risk-management-beyond-the-golden-period/?utm_source=rss&utm_medium=rss&utm_campaign=cybersecurity-risk-management-beyond-the-golden-period
Paul Cunningham sees some similarities between his first stint in government service—flying helicopters as a lieutenant commander for the U.S. Navy—and his current role as chief information security officer at the Veterans Affairs Department.
“Risk management—from the aviation and cybersecurity perspectives—are pretty important,” Cunningham told Nextgov, speaking from his office at VA’s headquarters in Washington, D.C. “You want to drive down risk to as close to zero as you can.”
At an enterprise as large as VA, eliminating risk entirely is impossible because it’s simply too big. VA currently employs some 404,000 people across 170 hospitals, 1,200 clinics and 130 cemeteries across more than 25,000 acres of property. VA manages the largest medical network in the country—providing care to approximately 10 million veterans annually—and each year processes about $120 billion in financial transactions. VA’s Office of Information Technology alone is comprised of several thousand federal IT professionals, managing programs and overseeing networks across the country.
“If we were a private-sector company, we’d be in the Fortune 10 or Fortune 5, on par with companies like that,” Cunningham said. “We’ve got to start thinking like a business in those kinds of numbers alone. We want to show cyber has a business value.”
That’s where risk management comes into play. In government, you want to spend the money you’re budgeted, and a common sense approach to risk management helps a CISO determine where best to obligate funding.
“If we have one more dollar to spend, do we spend it on training employees on phishing scams or invest it in our firewall?” Cunningham said. In IT security decision-making, Cunningham said you first acknowledge risk and either accept it at face value, attempt to mitigate that risk or add value to the accepted risk. Decisions on whether to implement new technologies like artificial intelligence or internet-of-things medical devices are weighed against other factors, such as total cost of ownership, security risks and potential returns on investment.
Cunningham became VA’s CISO in January 2019, having served in the same capacity at the Energy Department for 7 years and more than a year as a branch director for U.S. Immigration and Customs Enforcement. The stakes at VA are high, he said, because millions of veterans depend on the agency for health care, support, small business loans, education services, disability benefits and other services. Cunningham, a veteran himself—along with approximately 60% of VA OIT’s staff—said veterans sacrificed a lot to earn those rights and services, and their experience receiving those services should be as seamless as possible.
Yet delivering quality, timely services to veterans requires a bit of a balancing act. VA, like all agencies, has to comply with numerous federal laws, regulations—and as of late—an increasing number of binding operational directives from the Homeland Security Department. Cunningham called DHS “first among many” in terms of cybersecurity partner agencies across civilian government. It’s at this three-way intersection of compliance, cybersecurity and customer experience where Cunningham really earns his paychecks.
“When I look at it, it’s the balance of how quick we can serve veterans and reduce their burden, but what are the things we have to do to meet our federal requirements and what makes sound sense,” Cunningham said. “We still do compliance chasing, but we’re putting measures and metrics on priorities. Our job is to service the veterans. If we’re not looking at that first, then we’re probably missing the mark.”
For all the talk of silos in government, VA’s executives work closely with each other and meet often. In matters of IT and cybersecurity, the CIO and deputy CIO steer the rudders, while C-suite executives meet at least weekly to address governance matters on issues like architecture, finance, requirements and acquisition. The governance board meetings also serve as a time to get buy-in on potential solutions, and for executives to address big-mission items.
The biggest right now is VA’s transition to a new electronic health records system designed to be interoperable with the Pentagon’s electronic health records system. The multibillion-dollar Cerner Millennium platform, originally scheduled for a March launch, was delayed last month to July after clinicians asked to be trained on a full version of the system.
Cunningham said VA wants to learn from the challenges the Defense Department experienced rolling out their health records system “to help us slingshot” to their own successful rollout. While executives from both agencies are partnering together to ensure interoperability between both systems, Cunningham said the partnership will extend into the digital realm, sharing threat indicators and having the “full force of DOD protecting our network as well.”
On the horizon, Cunningham foresees the government’s tech workforce challenge as a major obstacle. Technology, he said, “is moving faster than the budget cycle can support,” and it is becoming increasingly difficult to recruit tech talent to the government ranks. Data from the Office of Personnel Management suggests VA is among the most challenged agencies when it comes to recruiting young tech talent. There may be no singular solution to this challenge, but Cunningham said increased partnership with the private sector—creating a sort of revolving door where techies move in and out of government with relative ease—may improve the government’s outlook.
“We’ve got to look at where we can partner with the private sector, for them to train people who can feed our machine and our people can feed back out in a more porous manner, so people don’t feel like they’re taking a big hit,” Cunningham said, noting the salary discrepancy between private and public sectors. “If you’re young and want hands-on experience, getting in the federal space is one way to do it.”
Cunningham also stressed the importance of role-based cyber training. Every employee, Cunningham said, has to be trained to be cyber and privacy warriors, but a standard one-size-fits-all cyber training isn’t enough. Employees require training relevant to their specific duties, and VA organizes a variety of summits and campaigns to “keep it at the forefront.”
“We’re trying to teach them habits that empower them without distracting from their jobs,” Cunningham said.
For aspiring CISOs, Cunningham recommends rounding out those resumes. A variety of career experiences is typically better suited for a CISO role than someone who has been in a singular role, Cunningham said. Further, while technical chops are great, they are not necessarily required for a policy-heavy role.
“For someone who wants to be a CISO, go read a job description and see what you can’t answer well, and then move your career to fill in those voids,” Cunningham said.
Along with WhatsApp, other firms being targeted in these scams include PayPal, Facebook, Microsoft and Netflix.
If you are concerned about these types of online attacks then the UK’s National Cyber Security Center has some good advice for consumers.
Here are their top tips for avoiding phishing scams online.
• Many phishing scams originate overseas and often the spelling, grammar and punctuation are poor. Others will try to create official-looking emails by including logos and graphics. Is the design (and quality) what you’d expect from a large organisation?
• Is it addressed to you by name, or does it refer to ‘valued customer’, or ‘friend’, or ‘colleague’? This can be a sign that the sender does not actually know you, and that it is part of a phishing scam.
Hackers have finally done what bond issuers may have feared most from cyber criminals.
A ransomware attack on Pleasant Valley Hospital in West Virginia was partly responsible for the hospital’s breach of its covenant agreement, according to a notice to the hospital’s bondholders from the trustee, WesBanco Bank. It appears to be the first time a cyber attack triggered a formal covenant violation, according to research firm Municipal Market Analytics.
The virus entered the hospital’s system via emails sent 10 months before the cyber criminals asked the hospital for money, said Craig Gilliland, the hospital’s chief financial officer. The information the criminals held for ransom did not contain patient data or confidential data, so it was “more of an annoyance,” he added.
Because of the attack, the hospital was forced to spend about $1 million on new computer equipment and infrastructure improvements, Gilliland said. That cost, along with declining patient volume, caused the hospital’s debt service coverage for the fiscal year that ended on Sept. 30 to fall to 78%, below the 120% the loan agreement requires, according to the material notice to bondholders.
“When we had the cyber attack, we didn’t have the sophisticated anti-virus software that we needed,” he said. “Cyber attacks are effective on smaller hospitals and smaller government agencies who do not have the resources and do not spend the money to proactively get ahead of the curve.”
The hospital did not miss any payments to bond investors. Gilliland said he is not aware of whether or not payments were made to the perpetrators because the attack was managed by a cyber liability insurance carrier Beazley Group. Mairi MacDonald, who manages media relations for Beazley Group, said via email that the company does not comment on specific client matters.
“The resolution of the situation will likely cost the hospital via monetary settlements and security hardening, making a financial rebound a bit more difficult than otherwise,” MMA said in its report. “Pleasant Valley highlights cyber risks as, at least so far, primarily a worsener for most municipal credits.”
Cyber risk is a growing concern for the municipal market. There were 133 publicly reported attacks against health-care providers since 2016, 47 of which occurred in 2019, according to data collected by threat intelligence company Recorded Future, Inc. Health-care providers are at particular risk for cyber attacks because patient care is disrupted, so there is an expectation the hospital will pay to remedy that quickly, said Allan Liska, an intelligence analyst at the company. Health-care providers also use unique software that is often managed by vendors, leaving updates to the software out of their hands.
“You have hospitals and doctors offices that are often forced to run outdated and old software that makes them at risk for these ransomware attacks,” Liska said.
And it’s not just health-care providers that are at risk. In 2019, state and local governments reported 106 ransomware attacks, nearly double what was reported a year before, according to data collected by Recorded Future. Among them were the Syracuse School District, which said it experienced a cyber attack that could “impact its financial position” according to a July 31 regulatory filing, and the city of Baltimore, which disclosed a cyber attack to investors in its bond offering documents when it borrowed last year.
For Pleasant Valley Hospital, the insurance company Beazley Group “connected the Hospital with other vendors to settle and remediate the issue,” according to the statement to bondholders. To address the decreasing patient volume, the hospital has lowered its labor costs and plans to convert doctor offices into two rural health clinics and to offer a new medical withdrawal inpatient service.
The threat to credit will get worse in the public finance realm before it can be alleviated, said Geoffrey Buswick, an analyst for S&P Global Ratings. Issuers can do all the right things, like protect their network and have proper insurance in place, and still find it difficult to fully offset cyber risks, he added.
“The various actors out there, be it a nation-state or criminal organization or just a rogue hacker, seem to have advanced technologies that are changing quickly,” Buswick said.
–With assistance from Amanda Albright and Danielle Moran.
Source: National Cyber Security – Produced By Gregory Evans
debug_backtrace reloaded
A PHP bug initially dismissed as posing no security threat could potentially enable code execution outside the sandbox in shared-server environments, a new exploit has revealed. Discovered in the popular website language nearly two years ago, the vulnerability can allow attackers to execute arbitrary […]
In January the Information Commissioner’s Office (ICO) fined DSG Retail Limited (DSG) £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.
An ICO investigation found that an attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine-month period before the attack was detected.
The company’s failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.
Because the data breach occurred before the General Data Protection Regulation (GDPR) came into effect, DSG were found to have breached the earlier Data Protection Act 1998.
The ICO cited poor security arrangements and a failure to take adequate steps to protect personal data. This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing.
The ICO said that the contraventions in this case were so serious that they imposed the maximum penalty under the previous law, but the fine would inevitably have been much higher under the GDPR.
The ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving affected customers vulnerable to financial theft and identity fraud. The ICO received 158 complaints between June 2018 and November 2018 from DSG’s customers. As of March 2019, the company reported that nearly 3,300 customers had contacted them directly in relation to this data breach.
The ICO stressed that while cyber-attacks are becoming more frequent, organisations still have responsibilities under the law to take serious security steps to protect systems, and most importantly, people’s personal data.
This incident will have cost DSG a great deal, both in direct costs to deal with the breach, and also in terms of its reputation. DSG may also face claims from its customers – especially given the ICO’s findings of poor security.
Given such incidents it’s unsurprising that the threat of cyber attacks is keeping many business leaders up at night and sadly, if business leaders aren’t worried, then they aren’t paying attention. In fact, the latest Allianz Risk Barometer 2020 from insurers Allianz – which identifies the top corporate risks for 2020 – highlights cyber risk as the number one business risk for 2020. Seven years ago cyber risk was ranked just 15th.
A top priority for all businesses in 2020 must be to take all reasonable and practicable steps to make their businesses as cyber-risk proof and as resilient as possible. There’s plenty of guidance and support available – the National Cyber Security Centre (NCSC) promotes Cyber Essentials, which should be a first port of call for any SME (https://www.cyberessentials.ncsc.gov.uk/about).
Businesses should also consider whether they should take out cyber insurance. It should not be assumed cyber risks are covered in your existing insurance policies.
A number of cyber policies are now available and a specialist insurance broker should be able to assist you and help explain what’s available and what is and what is not covered. Such policies can help protect against financial losses (including for business interruption, privacy breach costs, cyber extortion, hacker damage, and media liability) but many also offer assistance at the time of an incident e.g. by providing cyber forensic support.
Such policies do pay out – last year the Association of British Insurers revealed that 99% of claims made (207) on ABI-member cyber insurance policies in 2018 were paid – this is one of the highest claims acceptance rates across all insurance products.
As the NCSC advise:
“Organisations that are considering cyber insurance should understand that it will not protect you from an attack, but it may provide you with additional resources during and after an incident. So cyber insurance can be considered as an additional risk management tool, but do take time to:
understand the scope and scale of the cover provided
ensure that you are able to meet any operational requirements placed on you by the insurer”
As always when buying insurance you need to read the fine print of the cover. Crucially you must also ensure you meet any security or other IT requirements placed on you by the insurer. If you have pre-existing IT issues you knew or ought to have known about and these lead to a breach of security you are unlikely to be covered.
Insurance is not a panacea, of course. You need to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks your organisation faces. This is required by the General Data Protection Regulation (GDPR) in any event where you process personal data.
Ensuring your business is protected against cyber security risks should be a recurring New Year’s resolution, no matter what type of business you run.
Simon Stokes is a Partner with law firm Blake Morgan. He leads the firm’s technology practice in London and specialises in information technology law.