Social engineering and email compromise are on the rise
As businesses adopt increasingly advanced digital technology, the risks of doing business evolve. And while larger organisations have strengthened their cybersecurity systems and protocols, smaller firms are becoming more vulnerable – cyber-criminals know their weak spots make them easier targets.
There are two types of businesses: those who have been hacked, and those that will be. The data paints a worrying picture. According to Scott Curley, Director - Professional Risks and Trade Credit, GSA Insurance Brokers, every 39 seconds, a hack occurs – with 43% of cyber-attacks targeting small and mid-sized businesses.
Many Australian small businesses don’t have cyber protection – or assume it’s already covered through their business insurance.
Curley said that’s a common myth. Professional indemnity, business and public liability insurance won’t cover things like cyber extortion, data loss through a hack, or third-party costs.
“We insure our office buildings, even though they have sprinklers and a back to base fire alarm. But 99% of your revenue might be generated online, and you don’t think to protect that aspect of your business,” he said.
The changing face of fraud
Criminals are extracting money from businesses in many different ways, from ATO scams to fake documents and malware.
There has been a rise in fraudulent payment modification, and daily reports of email compromise. It’s important to verify any new payment instructions – if in doubt, call the sender on a number you already hold to verbally confirm the changes have come from them.
There are now over 200 million forms of malware and they could be entering your business inboxes daily.
Phishing is where you receive an email that appears to be from a trusted source, asking you to do something such as ‘click to verify your details’ or ‘download an attachment’. That attachment could contain malicious code which injects a new web page into your browser, and it might look like your bank’s online banking portal.
We are also seeing an increase in ransomware demands, especially in small and mid-sized businesses. You click on a link or attachment from a ‘trusted’ sender, and it launches code that encrypts your files or locks down your screens and servers so you simply can’t operate. Under pressure to keep the business running, many business owners pay the ransom, often requested in bitcoin.
Not all scams come through email. Social engineering, where hackers manipulate people into handing over confidential information, can happen over the phone.
Don’t make a payment on impulse. Take a step back if someone phones making urgent demands.
An exponential effect on business bottom line
Fraud can cause significant damage. You could lose a month’s turnover, but there are also long-lasting damaging effects on reputation and staff morale.
With Australia’s new data breach laws now in place, any organisation with revenue exceeding $3 million must comply by ‘promptly notifying individuals at likely risk of serious harm’ of any breach in their personal data.
Otherwise, you could face fines of up to $2.1 million. And even when you do comply, there is the cost of notifying thousands of clients and containing any reputational damage.
Check your internal controls
Many businesses believe their third-party providers, such as cloud providers or web hosting platforms, are taking care of cyber risk for them. But the cloud is just as vulnerable as a data centre. Do some due diligence to make sure your provider is covered.
How do you protect yourself from the risk of cyber fraud?
First, it’s important to get your business systems and protocols in place. Get your systems checked by a reputable IT company to make sure there are no trojans, malware or viruses. Educate your team on what a phishing email looks like, the red flags to watch out for, and how to report an issue if they spot something.
All of this can also happen at home if staff work remotely, so make sure their home wi-fi is secure.
Outsource your cyber response
Most smaller businesses don’t have the skills to negotiate with hackers or set up a data breach response team. But if you have cyber insurance, your insurer will set up a panel of experts to mitigate the loss and take immediate action.
“The first six to 12 hours of response are critical,” said Curley. “If it’s a denial of service attack or ransomware, they’ll check how real the threat is and if necessary, pay the ransom.”
You can expect your cyber policy to also take care of the costs of credit card monitoring (if that data is lost) and crisis management, as well as potential third-party costs such as litigation, penalties, and notification costs.
It seems that cyber insurance is the one risk tool your business can’t afford to operate without. But given it’s a relatively new product in Australia, it’s worth getting a broker’s advice first.