Is your business protected from cyber attack?
The sad answer is, most kiwi small-to-medium businesses (SMEs) are not prepared for, or equipped to recover from a cyber attack. Most of us believe you have to be as big as Lion Brewery or the Waikato DHB to be a target for cyber crime.
Financial advisor and insurance broker Matt Noonan says that’s not the case.
“In 2020, cyber crime cost New Zealand businesses $17 million,” says Matt. “While that’s a massive number and big companies make up the headlines, on average, cyber attacks cost $19,000 each. They’re hitting tradies, accountants, basically any business with a computer. Most SMEs just don’t have $19,000 in their bottom line.”
That’s why cyber insurance is so important.
What are cyber attacks?
Cyber attacks and cyber crime covers a wide range of criminal activity.
Pronounced ‘fishing,’ these kinds of attacks are opportunistic and rely on fraud. You might get a phone call from someone claiming to be from your bank, asking you for your online banking password. You could be sent an email that looks like it’s from a legitimate business, asking you to pay an invoice to their ‘new bank account.’ Phishing relies on pretending to be someone you trust in order to steal money or information from you.
A hacker installs a malicious programme on your computer network. This programme could steal your information, crash your computers, or block you from doing certain things.
A popular type of malware attack. Once a hacker has gained access, they might install a programme on your computer that encrypts all of your files until you pay a ransom. What would you do if you couldn’t open any files on your computer? This kind of attack took down the Waikato DHB in June 2021.
Denial of Service attack
Most websites or computer servers can only handle a certain amount of traffic. In a denial of service attack, hackers use bots or hacked computers to flood a website or server with so much traffic that it collapses. This kind of attack crashed the New Zealand Stock Exchange in 2020.
The value of cyber insurance
In Christchurch especially, we know the value of insurance. From serious floods, fires and earthquakes, our insurance policies have replaced tools, equipment, vehicles, and buildings to help us keep trading and get back on our feet.
The main difference with cyber insurance is that it mainly covers intangible things, like information.
“Cyber insurance policies first came onto the market about seven or eight years ago. They weren’t very popular, and near impossible to sell because most businesses didn’t think they were at risk,” says Matt. “Cyber insurance policies have changed a lot in the last three years.”
They’ve needed to. The number of ransomware attacks against New Zealand businesses has increased over 100 percent in the first quarter of 2021 alone.
What happens after a cyber attack?
Insurance companies who protect against cyber attacks have an 0800 number clients can call 24/7. You’ll get assigned someone to help you straight away. The first step is usually figuring out what happened and why. Your insurer will bring in a forensic expert who will figure out how the hacker gained access, and if possible, stop them from doing it again.
Now, not all cyber policies or insurance companies cover social engineering - that means you were convinced to do what the hackers wanted you to do. For example, paying an invoice thinking it was going to a business you trusted, or clicking a link or an attachment in an email that then gave the hackers access. Like insurance policies in general, it’s important to seek advice and get the right level of cover for you.
Your cyber insurance policy usually covers bringing in the forensic experts, replacing any damaged computers or servers, and even breach notifications - telling your customers their data has been hacked and monitoring to make sure their data isn’t fraudulently used. Some cyber insurance policies also contain business interruption cover. So, if you can’t work for a period of time while you’re setting back up, the policy will make sure there is still cashflow coming through the door.
Your insurer is highly unlikely to pay any ransom to the hackers. After all, that’s what makes cyber crime profitable, and we don’t want to encourage hackers to take advantage of Christchurch businesses.
Why aren’t kiwi SMEs prepared against cyber attacks?
Education is the biggest hurdle right now.
“We hear about attacks on big organisations like Lion Brewing, the New Zealand Stock Exchange and the Waikato DHB. They make the news. What doesn’t make the news are the hundreds of real estate agents, plumbers, and panel beaters who get hit every day,” says Matt Noonan.
“Whether their cyber insurance cover helps them out, or the business owner pays the ransom, businesses would prefer to keep the fact they’ve been attacked quiet,” he says. “So, people keep on believing they’re not at risk.”
“The biggest misconception I hear from business owners is that ‘my data is safe in the cloud,’” says Matt. “That’s just not true. You’re still responsible for what happens to the data you’ve saved in the cloud, and the sad truth is, even cloud storage systems can be hacked.”
“The insurance industry is publishing ‘white papers’ where all of the data around cyber attacks in New Zealand is collated. That way I can show businesses how many others in their industry have been attacked in the last year. Just because you’re an SME and there’s only a few people in your company does not mean you’re invulnerable to attack. If you have a computer, use email or have a website, your business is being actively targeted by cyber criminals,” he says.
Make your business cyber secure
Don’t think about what you’d do if your business is attacked. Think about what you’ll do when it happens. You need to prepare your recovery plan now!
Invest in IT
Ask an IT specialist to help you get set up with anti-virus software, a back-up system that can securely save your data, and employee training to help avoid successful social engineering phishing attacks.
Patrick Moran from Computer Clinic talks about this more on Episode 25 of the Real Solutions Business Podcast. Have a listen for more suggestions on protecting your business against cyber attacks. We recommend contacting Computer Clinic if you have any IT questions.
Cyber insurance is now a standalone policy like car and contents insurance. Ask your insurance broker if they cover cyber insurance. If they, or the insurance companies they work with don’t specifically offer cyber cover, we recommend talking to Matt Noonan at Amicus.
As with all insurance policies, it’s important you have cyber cover that’s tailored to your business, and that you know exactly what you’re covered for.
Create a recovery plan
What’s your business continuity plan? Who should you call? Have a clearly written policy, and we recommend printing off a hard-copy so you’re not reliant on your computer.
For example, when you realise you’ve been hacked, is someone responsible for unplugging the server? Will you call your IT company or insurance broker? How will you notify your employees? Will you get a communications specialist to help you with notifying your clients?
Set a meeting with your trusted experts, like insurance broker, IT specialist, and lawyer to make sure you have a comprehensive plan that will help you get your business back on your feet.
Trusted professionals protecting your business
We believe in protecting businesses. Godfreys Law has been assisting Cantabrians and local business owners for nearly 150 years. While the risks people and businesses face have changed a lot in that time, Godfreys Law has been there to help you protect and recover what’s important to you.
If we think there’s an area of your business at risk, and we don’t provide the services to help you cover it, we’ll recommend trusted professionals to help look after you.
If you have specific cyber security questions, we recommend Patrick Moran at Computer Clinic and Matt Noonan at Amicus. If you want to know more about protecting your business in general, contact the team at Godfreys Law.