How do I…

Protect my practice against cyber attacks?

William King, commercial development manager at Lloyd & Whyte, an AOP affinity partner, looks at the implications of cyber crime and provides top tips on how to protect your business against this growing menace


What is cyber crime and how can it affect you?

A cyber attack is an intentional or malicious attempt to damage, leak or steal sensitive information from a computer network. This is usually achieved by attackers gaining unauthorised access to a system, or intercepting emails between your business team members.

Cyber criminals are increasingly focusing on smaller, less protected businesses, and are more sophisticated than ever before. Whatever size of business you have, there will be technological vulnerabilities that your IT security system cannot prevent. One small business in the UK is successfully hacked every 19 seconds.

Types of cyber claims

More than 95% of cyber claims are for first party losses only, and they fall into three broad categories:

  1. Theft of funds: Most businesses transfer money electronically, making thefts via cyber crime easier. The most common form of theft is through social engineering, where criminals imitate a third party, such as a supplier, and trick the victim into transferring money to their account with false invoices and requests for funds. Whilst extortion of funds through ransomware can grab the headlines, so-called ‘CEO fraud’ is becoming more sophisticated and widespread
  2. Theft of data: The data held by healthcare organisations is often sensitive, meaning it is valuable to fraudsters. Criminals will use malicious software such as ransomware, spyware or viruses to block access and obtain this data from practice management systems. This data can be used to assist with identity theft, but can also be used to demand ransom from a business, such as a practice. £16.1k is the average cost of a data breach for small and medium-sized enterprises in the UK
  3. Damage to digital assets: All businesses rely on electronic systems and processes to run efficiently. Disruption to these systems can have huge implications. Fraudsters exploit this by gaining access and manipulating or disabling systems altogether to extort money. Businesses can often be left with systems that cannot be used or are costly to fix, even if they pay the ransoms demanded by fraudsters.

Prevention, detection, response

Not every single cyber attack is preventable, but to keep your business as secure as possible, here are 10 tips on how to mitigate risk:

  1. Phishing emails. One in every 3722 emails in the UK is a phishing attempt. Don’t open emails from unknown sources. Think before you click on links or open attachments. Educate your staff on signs of cyber attacks
  2. Log off when you’re away from your device, and use a security screen to protect confidential information from prying eyes
  3. Strong passwords. Make them complex, using at least seven uppercase and lowercase letters, symbols and numbers. Don’t reuse passwords from other sites
  4. Protect your stuff. Keep your equipment locked up. Report any loss immediately
  5. Shred confidential waste, including passwords if written down (although you never should write them down or share them)
  6. Sharing and storing. Only use approved applications. Hackers use cloud services to gain access to information
  7. Back up. Save your data and critical files regularly
  8. Secure connection. When accessing work networks, use a secure WiFi network, not one that is open to the public
  9. Updates. Keep your devices, browsers and apps up to date with the latest software and anti-virus protection. Modernise your risk management
  10. Report it. If it looks suspicious, report it.

Cyber incidents are happening every second, and the culprits have no prejudice as to who they attack. It is not a matter of ‘if,’ but ‘when.’

Why is cyber insurance important?

Whilst prevention is the best form of defence, here are six reasons why cyber insurance is still crucial.

  1. Cyber incidents are not traditionally picked up by standard package policies. When it comes to a cyber attack or incident, a standard policy will leave you with little or no coverage
  2. Business management systems are critical to operating your day-to-day business, but their downtime is not covered under your business interruption insurance. If these systems are brought down, a standard business interruption policy is unlikely to respond
  3. Data is one of your biggest assets as a business, yet it can easily become your biggest liability. A business insurance policy would not respond if this data is damaged or destroyed. A cyber policy can provide comprehensive cover for data restoration and even re-creation in the event of a successful attack
  4. Complying with breach notification laws costs you money and time. Cyber policies can provide cover for the costs associated with providing a breach notice, even if it’s not legally required, and can also cover the associated regulatory fines and penalties
  5. Cyber insurance is there for you before, during and after a cyber attack or incident. In the event of a cyber incident, you will be assigned a team, ranging from IT forensics firms to specialist PR agencies, that helps deal with both the immediate aftermath and the longer-term consequences of a cyber event
  6. Human error. Accidents happen, and human error is the leading cause of data breaches. Fortunately, it is covered by cyber insurance. 

Cyber insurance is designed to cover costs associated with cyber attacks or breaches, providing:

  • Access to an incident response team 24/7, including specialist PR agencies, IT forensics, and legal experts
  • Patient communication support, including GDPR-compliant notification
  • A crisis communication plan
  • Indemnity for the various costs incurred, such as loss of income and extra expense associated with a cyber event.

Lloyd & Whyte Ltd is registered in England No. 03686765. Registered Office: Affinity House, Bindon Road, Taunton, Somerset, TA2 6AA.