Cyber crime may seem like a relatively recent phenomenon.
In fact, using technology either to access information or hold an organisation’s corrupted systems to ransom has been happening for decades.
Last July, one of the world’s leading IT companies, IBM, published the 17th edition of its authoritative report tracking data breaches across the globe.
It revealed that the average cost of such attacks was £3.5 million – up almost 13 per cent in the space of only two years as the volume of major incidents has increased.
Just months later, the Harvard Business Review assessed that the risks associated with cyber crime were “skyrocketing”.
Whilst the immediate effects felt by companies which fell victim to criminals were “quite severe”, it said that the results were even more devastating in the long-term. They included being less competitive as well as making it more difficult and more expensive to arrange business finance and cyber insurance.
The Review concluded that these risks “should not be ignored”.
There is plenty of evidence from a purely domestic context to show why that advice is sound.
The most recent data from the Information Commissioner’s Office (ICO) shows that cyber-related breaches accounted for 25 per cent of the 8,797 such incidents affecting public and private sector bodies in the UK last year.
That proportion was one-third greater than in 2019. Furthermore, the number of ‘denial of service’ attacks (in which attackers block access to or shut down an organisation’s systems) and malware attacks rose by 200 per cent and 100 per cent respectively in the last quarter of 2022 alone.
This year has started similarly badly with The Guardian, Royal Mail and the outsourcing group Capita all being hit.
None have been abstract, victimless incidents. For instance, nearly half a million members of the UK’s largest private sector pension scheme are among those reportedly impacted by the Capita attack.
Cyber incidents do not only affect large organisations either.
The Government’s latest cyber security survey showed that 39 per cent of all businesses who took part had been targeted in the previous 12 months.
That same study suggested that the true incidence would have been higher but for under-reporting by “less cyber mature” bodies.
Despite the unwanted attentions of criminals, the ICO has warned that the biggest risk to organisations’ digital security is not cyber warfare or crime gangs but complacency.
Whilst the ICO has done superb work in taking a lead in guiding business as to what constitutes best practice when it comes to data management and dealing with a data breach, I have to say that – in this regard – it isn’t my experience.
Every single conversation which we now have with commercial clients touches on the importance of cyber security.
Businessmen and women have made clear to me that it is a topic which is almost unique.
Companies can face a broad variety of challenges during their lifetimes. To deal with them, executives need to be able to make decisions quickly and that requires having clear, relevant information available.
With the likes of an economic downturn or Brexit, such details can be gleaned from a range of reliable sources.
It means that even the most sensitive issues can be addressed in a way which doesn’t unnerve staff, customers or the markets.
As the many recent examples illustrate, though, a data breach is the one threat which managers can never really be sure about tackling, given that the true extent of any damage may take some time to emerge.
I believe that is one key factor driving the demand for cyber insurance.
Even more than support in the way of incident response, companies are finding that discussions with brokers like Broadway about their current operations and state of preparedness can help identify weaknesses and ultimately improve how they function.
Insurers too use technology as part of a thorough process – known as ‘inside-out underwriting’ – to determine risk and influence the price of any policies put in place.
This understanding is, sadly, something often only appreciated by businesses in the aftermath of a cyber attack.
One – Sudhakar Ramakrishna, the CEO of the US software group SolarWinds, which was hacked in 2020 – later realised that “you’re not going to be able to solve all the problems yourself…you might need the community to help”.
An outside perspective is, of course, not an absolute defence – if any such thing really exists – against cyber crime.
However, it can be the difference between limiting the impact of any such event and severe, long-term and possibly existential damage.
Written by Martin Lilley, Director of Corporate