There are still many misconceptions surrounding cybersecurity and the need for insurance. Common ones businesses hold include:
Too small to be at risk (My business is too small for hackers to care about).
People often think that their business is too small to be at risk and that hackers only target larger businesses. This couldn't be further from the truth. Hackers and cyber-criminals don't discriminate on the size of your business; they tend to take a blanket approach to phishing and ransomware. They put malicious links or software into emails, texts etc. and send them out in mass mailings hoping for a bite.
Even if your business doesn’t operate online you can still be at risk if you have a computer, phone or email account which most businesses will have to trade.
They think that by having a strong password policy, with passwords changed regularly, they are secure.
Having strong passwords and changing them regularly is all well and good, but it is just the same as having an alarm on your house. It may reduce the risk of a home being burgled but it can’t totally prevent it.
You also can't legislate for people being tricked into giving out their password. People also tend to use the same password across multiple sites, or, where passwords are constantly updated, save them somewhere or write them down. This is the same as leaving your keys unattended and could hand the criminal the keys to your business and data.
You may also think that having your data encrypted is enough to protect your business, but this is in effect the same as having items locked in a safe. It acts as a deterrent, but the criminal can still get in if they really want to; it just takes them a little more time.
They think that by having anti-malware they will be protected
Don't assume that because you have firewalls and antivirus software in place you are totally protected from an attack, because you are not. These steps will help protect you, but they won't nullify the risk of an attack altogether.
I use my own device which is safe
Some people think that because they are the only person to use a device it can't be compromised, but it can be, in the same way as any other device. It is open to being hacked by a phishing email or malicious software, as hackers send blanket emails containing links or viruses.
People often think that if they have an Apple Mac computer they don't need protection. Apple devices may have been less prone to attacks, because cyber-criminals tend to target the mass market, which in this case is Windows machines, but that doesn't make you immune from an attack. The odds for any one device are much the same; as more people use Windows, Windows users suffer more attacks, and you hear of fewer attacks on Apple simply because there are fewer users.
Our IT department has it covered (in-house or outsourced)
You need to consider what skill set you would need if you suffered an attack. Most companies with their own IT department, and most IT companies you outsource your IT support to, won't have the skill set to deal with all the issues that could arise from an attack. You may need access to a forensic IT specialist or expert legal assistance to help you comply with GDPR. For example, you may need to inform all your customers as well as the ICO.
Under GDPR you can outsource the management of your data and IT systems, but you cannot outsource the responsibility; it will still fall back on your company.
There could also be a conflict of interest if the people investigating what happened and why are the same people who were supposed to protect you from it in the first place. They may not intend to, but they may well cover up aspects of weakness: they failed to install an update or test it before putting it live, or they clicked a link in an email (IT experts are not immune from hackers either). They may also be unable to see where the attack came from because it sits in their blind spot, whereas somebody independent coming in will take a fresh view and, if forensically trained, may be able to find where the vulnerability or attack originated.
You may also think that you are covered because all your data is in the cloud and backed up. But in most cases the companies that store your data in the cloud, or your IT support, will more than likely have an exclusion in your contract that means they are not responsible for your data if a cyber attack happens, and you will have no right of recourse. They just need to inform you that there has been an issue.
Remember under GDPR you can outsource the function but not the responsibility.
Having your data backed up to the cloud or to a physical medium (hard drive, tapes etc.) is good practice but won't totally protect you. If, for example, you back up your data every hour, is each backup saving over the previous version, or are you keeping multiple copies?
You also need to be wary of backing up to the same device each time, because if you back up a corrupt file, or a file with a virus in tow, you could be corrupting all your data. It would be better to have a layered approach to backup where possible.
Backups are normally good for getting you back up and running after an event and a cloud-based backup normally makes this process simpler as you can start again anywhere else with the correct logins via new computers if the previous ones have been compromised.
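To make the point about overwriting versus keeping multiple copies concrete, here is an added illustration, not code from the original article: a small versioned backup store in Python that never overwrites an earlier copy, records a SHA-256 hash of each copy in a manifest, and on restore skips any copy whose hash no longer matches. The file names, sample contents and the simulated corruption are all constructed for the demonstration.

```python
"""Versioned backup store with integrity checking (added illustration only).

Every backup run writes a new numbered copy instead of overwriting the previous
one, so a corrupt or infected file only spoils its own copy. A hash manifest
lets restore() fall back to the newest copy that is still intact.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class VersionedBackup:
    """Keeps up to `keep` numbered copies of each file plus a manifest of hashes."""

    def __init__(self, store: Path, keep: int = 5):
        self.store = Path(store)
        self.store.mkdir(parents=True, exist_ok=True)
        self.keep = keep
        self.manifest_path = self.store / "manifest.json"
        self.manifest = (json.loads(self.manifest_path.read_text())
                         if self.manifest_path.exists() else {})

    def _save_manifest(self) -> None:
        self.manifest_path.write_text(json.dumps(self.manifest, indent=1))

    def backup(self, src: Path) -> Path:
        """Copy `src` to a new numbered version and record its hash."""
        src = Path(src)
        entries = self.manifest.setdefault(src.name, [])
        next_no = (entries[-1]["version"] + 1) if entries else 1
        dest = self.store / f"{src.name}.v{next_no:04d}"
        shutil.copy2(src, dest)
        entries.append({"version": next_no, "file": dest.name,
                        "sha256": sha256_file(dest)})
        # Rotate: drop the oldest copies beyond the retention limit.
        while len(entries) > self.keep:
            old = entries.pop(0)
            (self.store / old["file"]).unlink(missing_ok=True)
        self._save_manifest()
        return dest

    def verify(self, name: str, version: int) -> bool:
        """True only if the stored copy still matches the hash taken at backup time."""
        for e in self.manifest.get(name, []):
            if e["version"] == version:
                p = self.store / e["file"]
                return p.exists() and sha256_file(p) == e["sha256"]
        return False

    def restore(self, name: str, target: Path) -> Optional[int]:
        """Restore the newest copy whose hash still matches; return its version."""
        for e in reversed(self.manifest.get(name, [])):
            if self.verify(name, e["version"]):
                shutil.copy2(self.store / e["file"], target)
                return e["version"]
        return None


def demo() -> dict:
    """Back a constructed file up three times, corrupt the newest stored copy,
    and show that restore() falls back to the last intact version."""
    work = Path(tempfile.mkdtemp())
    src = work / "ledger.csv"                 # constructed sample file
    store = VersionedBackup(work / "backups", keep=3)
    for day in range(1, 4):
        src.write_text(f"day,{day}\n")        # constructed sample data
        store.backup(src)
    # Simulate silent corruption of version 3 inside the backup store.
    (store.store / "ledger.csv.v0003").write_bytes(b"\x00garbage")
    restored = work / "restored.csv"
    version = store.restore("ledger.csv", restored)
    return {
        "versions_kept": len(store.manifest["ledger.csv"]),
        "v3_intact": store.verify("ledger.csv", 3),
        "restored_version": version,
        "restored_text": restored.read_text(),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script, the demo reports that three versions were kept, that version 3 fails verification, and that the restore came from version 2. The layered approach the article recommends means the store directory itself should live on separate media or a separate account from the machine being backed up, so that whatever corrupts the source cannot also reach every copy.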
Finally, any compensation cover from your IT support or cloud provider will be seriously limited, if available at all, as they will have clauses to exclude cover or limit their own exposure.