There are estimated to be 500,000 companies in New Zealand - more than half of those businesses don’t have a cyber crime response plan, according to PWC’s 2016 Global Economic Crime Survey.
‘Cyber crime’ is an attack against your company or systems by cyber criminals in order to disrupt your business or to receive financial gain.
A cyber event can also come from human error or human risk. Intentional ‘cyber attacks’ can include rogue employees with malicious intent causing havoc through social media posting. Whereas unintentional ‘human error’ cyber events can come from an employee sending out private information or losing it through ‘phishing’ without knowing it.
A cyber event can come in many shapes, forms and levels of severity. The New Zealand governments 2015 Cyber Security Strategy study stated that 83 percent of New Zealanders had experienced a cyber security breach
An example of cyber crime can include extortion. Where cyber criminals actively disrupt or threaten to disrupt your website or systems and seek a ransom to rectify the issue. This can lead to businesses being unable to continue to operate normally and are forced to pay up, or negotiate the payment.
A cyber attack can be taken out against any sort of business, the most common being small or medium enterprises (SMEs), as they usually have the lowest protective barriers and lack advanced security measures that large corporations usually have.
As much protection as you can construct around your business, there is always the possibility someone can break down those defences – cyber criminals can break through password blocks and other small defence efforts.
No matter the size or function of your business, if you have an online presence you are vulnerable.
Over the last six months ranging September 2016 – February 2017, the NZI Cyber Risk Survey reported 18 percent of users presented as having a high risk of attack and 29 percent were at medium risk.
Doing business online exposes companies to risks they may not have even considered. The reasons behind a cyber attack are often unknown, and an attack usually appears out of the blue, so a company must make sure they’ve taken the necessary steps to protect their business.
Those who operate without cyber insurance run the risk of dealing with the aftermath of an attack by themselves. When the risk of a breach becomes reality, the ensuing damage can have nasty consequences. Yet less than half of New Zealand companies have cyber insurance or even a defined IT security policy in place.
The overall chill: Why are we so relaxed?
Ryan Clark, national manager – Liability, for NZI says New Zealand businesses can be naïve when it comes to cyber attacks and refers to a quote that goes like this:
“There are only three kinds of companies in the world – those that have been hacked, those that are going to be hacked and those that don’t know they’ve already been hacked.”
According to Clark, New Zealand’s geographical location is no barrier when it comes to cyber crime because the internet knows no boundaries.
New Zealand has had a relatively relaxed attitude to cyber security. As a country, we’ve had limited exposure to any major cyber attacks, but the Wannacry Ransomware attack that hit the globe in May should be a wake-up call to us all. The attack has been described as ongoing and unprecedented in scale.
We also tend to think that because of our comparatively small population and remote geographic location, we’re not on anyone’s radar – an incorrect assumption.
NZI’s Ryan Clark says New Zealand business’ lack of security can cause concerns for international trading partners when choosing to operate here. Most large corporations will be apprehensive about dealing with companies that don’t have a secure cyber security system in place.
While cyber security is firmly on the radar of big businesses and boards, and the market is responding with more products and policies to increase security, small and medium enterprises still need to realise that they are at just as much of a risk as the big players.
Ninety-seven percent of New Zealand businesses fall into the category of a small or medium business, and according to PWC’s Global Economic Survey, 29 percent of those surveyed have experienced cyber crime.
Around 58,000 enterprises have been compromised by cyber criminals in the last two years.
Without cyber security, your business and its data are basically sitting ducks, but cyber insurance can assist you if an attack or breach were to happen.
The right cyber insurance cover allows your business to operate without fear of disruption, and provides your business with back-up if an attack were to occur.
NZI has put together a ‘triage team’ who are on call 24/7 in its latest cyber insurance product. The team consists of different industry experts who will work with you to resolve a cyber breach or attack and minimise the impact to your business.
The team includes breach coordinators, public relations, loss adjusters, forensic accountants, forensic IT and legal consultants.
“There can be legal ramifications after a cyber breach or attack,” says Clark. “The public relations experts on our panel are there to manage any potential reputational damage; the forensic guys are there to contain the situation and plug any gaps to prevent it from happening again.”
Legal ramifications aside, there are many consequences that can occur from a cyber breach or attack and the ones you may think of could be only the tip of the iceberg.
The Tip of the Iceberg: Cyber Risk and the impact on business vs On-going Consequences.
The infographic below shows the ways in which a cyber attack or breach can affect your business.
Most companies are not educated on the real issues involved when facing a cyber attack, or just how much they have to deal with to resolve the attack and fix their operations afterward.
An NZI cyber insurance policy provides you with the use of a team who are expertly trained to help address and manage the consequences faced during a cyber attack to its conclusion. You can rest assured that the situation will be managed by the right people who know what they’re doing enabling your business to trade with confidence. NZI’s Cyber insurance will also cover the costs of meeting court judgments or out of court settlements as well as the legal costs of investigation and defending a claim.
Arming Yourself Against an Attack: Why you need insurance.
Most companies are still not adequately prepared for, or even understand the risks faced from a cyber breach, says the PWC report. That includes the staggering 45 percent of New Zealand organisations that don’t have a cyber incident response plan.
Many companies think that virus protection, password blocks or firewalls mean that they have adequate security – this is a massive misjudgment.
NZI’s team includes law firm DAC Beachcroft, an international legal company with 1400 lawyers around the world; public relations company Porter Novelli; and a number of IT forensics companies.
This team of experts will work with your affected business to stem the injury you’re faced with after an event or cyber attack, in addition to providing the financial insurance cover needed.
There are several different types of different cyber events. These include identity theft; loss of service; ransom demands and stealing of intellectual property, among several others.
Clark says a cyber attack can be hard to deal with all by yourself.
“A cyber attack can be like a battle vortex, often hitting you from different directions. It’s hard to know where to begin to defend yourself, let alone what to do, or who to call and how to deal with the fallout.”
“The way cyber products are set up [at NZI] means that if your business suffers a cyber breach or attack you can call our Cyber Emergency Hotline to gain instant access to our team of specialists who can advise you on what you need to do,” says Clark.
Cyber Security: Protecting yourself from all sides.
The possibility of a data breach comes with the territory when you own or operate a business or hold any type of customer data. Even the best network security and anti-virus measures do not immunise your business from viruses or cyber criminals.
Cyber events can’t be prevented, but you can protect your business against a number of cyber exposures including ransomware and hacking attacks, viruses, privacy breaches and theft of data. NZI’s Cyber policies will cover you for direct costs to your business as well as claims from third parties and legal defence costs.
It’s important to be prepared, as you would for any other emergency. Consider who on your team is responsible for alerting your IT or cyber security expert; whether the police need to be involved; whether it's necessary to discuss the issue with the media; and how to find the source of the breach.
Since the launch of NZI’s Cyber insurance in 2016, the company has created an NZI Cyber Calculator so that you can obtain an instant estimate of what it would cost your business to purchase a cyber insurance policy from them.
Keep in mind that cyber risks keep changing and as the owner of an organisation, it is up to you to have the right security in place.
Insurance companies are not superheroes and cannot prevent a cyber attack - they’re the clean-up crew. When something is on fire you take a step back and call in those who can put it out, and you should do the same after suffering a cyber attack.
NZI’s Ryan Clark says you need to start with the basics.
Businesses should start by identifying their cyber risk and any security gaps. This might be as simple as understanding the value of the data they hold, and ensuring it is encrypted on mobile devices. If small businesses are looking for advice on where to begin they should talk to their current IT provider.
“It’s important to remember that cyber risk is insurable both in terms of the financial consequences and managing the crisis itself,” says Clark.
“Cyber threats are real – unrelenting and growing at an exponential rate.”