Channel Island organisations could be leaving themselves open to huge losses if they rely on insurance to cover damages from a major cyber-attack.
Logicalis is warning organisations not to consider cyber insurance an alternative to good cyber security. The IT experts fear up to 80% of businesses would not be covered by their cyber insurance policies in the event of a cyber-attack because they are not following correct security protocols.
Ricky Magalhaes, Managed Security Services Director, Logicalis, said: “Many companies think cyber insurance is an alternative to good cyber security practices, however, if you don’t have correct controls in place, your insurance will not cover you.
“Up to 80% of companies with cyber insurance are not following basic cyber security procedures, which means if they suffer a loss, it will be hard for them to claim because they have been negligent.”
Even if you have followed correct procedures and an insurance company pays out, the real costs of a cyber-attack could be well beyond the financial compensation you receive. The losses faced by US drug maker Merck following the NotPetya attacks last year could be over $750 million from lost sales, extra costs, and lost business this year. It is expected to receive an insurance pay-out of up to $275 million – nearly a third of its costs.
The Logicalis Security Operations Centre (SOC) detected more than 124 cyber-attacks on Jersey companies during the first three months of 2018 – just a fraction of the real level likely to be happening.
Common attacks included hackers exploiting vulnerabilities in systems caused by organisations failing to install patches, or compromising systems because they were badly configured. Ransomware is a significant concern, and the number of Office 365 break-ins, where someone reads and edits emails without you knowing, is growing. A small number of companies also suffered a DDoS (Distributed Denial of Service) attack, where their internet bandwidth was hijacked. Logicalis also detected a significant number of cases where hackers have used credentials they’ve bought from the dark web to log in to systems.
Ricky said: “If you leave your house open and have a break-in, an insurance policy is unlikely to pay out. You need to be able to prove you locked the door, and prove that you had a break-in. With cyber insurance, knowing that your data is up on the dark web is not proof that someone stole it. You need to be able to identify the security breach, and prove that you took all the necessary steps to prevent it. If you are not diligent, an insurer will not pay out.”
According to Morgan Stanley, the cyber insurance market is expected to be worth $10 billion by 2020. However, organisations need to put the correct controls in place if cyber insurance is to have any value for them.
Ricky said: “Insurance is only effective if you follow the policy, and take the necessary steps to get your security controls in place. Proper security monitoring, simple procedures such as using two-factor authentication, and regular training and testing of staff to help prevent security breaches in the first place, are vital, whether you are insured or not.
“A lot of cyber-attacks happen because of behaviour of staff, rather than because of the technology, which makes it very hard to assess risks. One thing is certain, though, the risks of cyber-crime are higher than ever.”
Logicalis is one of the Channel Islands’ largest providers of managed IT services and security solutions, offering clients a comprehensive service managing, maintaining, and monitoring IT systems, data, and security.