When Taylor Swift’s Twitter and Instagram accounts were hacked back in January, the American singer took to social media to issue a tongue-in-cheek response. Echoing the lyrics to her hit song Shake It Off, Swift quipped: “Cause the hackers gonna hack, hack, hack, hack, hack…”
Not all online attacks elicit such a light-hearted reaction. Whether it’s nude photographs being stolen from celebrity iCloud accounts or the theft of credit card details from PlayStation users, cyber security is seldom far from the headlines these days.
Such attacks can have very serious consequences, not just for the individuals involved but also for the businesses that are targeted. Last month, the Office of the Information Commissioner (ICO) – which acts in Scotland as well as England and Wales on data protection matters – handed down a £175,000 fine to an online holiday insurance company after hackers accessed its customers’ records.
The fraudsters used the credit card details of more than 5,000 clients following the attack, which could have been avoided if the company had updated its database software on two separate occasions. The attack could have been even worse; the hackers could have had access to more than 100,000 records on the system, which included the card code verification (CCV) numbers printed on the back of credit cards – a piece of data that the ICO said shouldn’t even have been stored at all. In this example, the ICO found the company had no policies or procedures in place to review and update information technology (IT) security systems, with some flaws being left open for as long as five years.
Sadly, this isn’t an isolated case. A report published last week by the UK government found 81 per cent of large companies and 60 per cent of small businesses have been hit by a breach of their cyber security during the past year.
Ministers estimate that cyber security breaches cost the UK economy billions of pounds each year, with the average cost of attacks on small businesses almost doubling between 2013 and 2014. With so much money at stake, it’s no wonder that politicians are getting serious about the issue.
Cabinet Office minister Francis Maude has said he wants to cement the UK’s position as the global centre for cyber risk management, building on the strength of our country’s insurance sector. Maude’s measures include recommending cyber security insurance, as part of a company’s broader risk management, to help firms deal with problems when they arise. His comments won backing from a range of business leaders.
Responsibility for cyber security needs to go all the way to the top. Surveys have revealed 52 per cent of chief executives think their companies already have cyber security protection in place, but only 10 per cent of businesses actually do hold such policies. About half of companies didn’t even know cyber security insurance existed.
One of the recommendations from the UK government’s report was that a member of each company’s board of directors should take responsibility for cyber security. And it went further, suggesting businesses need to stop thinking of online attacks as an IT issue but instead see them as a commercial risk that will affect all parts of their operations.
The report recognised that, as well as selling policies, insurers have a role to play in spreading the word about the need for protection. Insurers need to ask their clients the right questions about security, it said.
One step is for insurers to make sure companies – both large and small – are signed up to the UK government’s Cyber Essentials scheme. Businesses that want to win government contracts that involve handling personal information and providing certain IT products and services have had to be signed up to the programme for tenders issued since October. Now the UK government wants to roll out the scheme even further by getting insurers to ask their clients about their cyber risk management and spread the word about best practice. Insurance brokers are agreeing to include Cyber Essentials accreditation as part of their risk assessment for small businesses in an effort to encourage greater adoption.
Insurance is no substitute for stopping cyber-attacks in the first place. But, to quote Taylor Swift, if the hackers are going to “hack, hack, hack” then at least having a policy in place will help to “shake it off” if the worst should happen and a cyber-attacker breaks through a company’s defences.
• Tim Smith is a partner with BLM. www.blmlaw.com