Decoding Cyber
A broker's guide to the world of cyber risks, essential terms, mitigation techniques and solutions
Decoding Cyber has been designed to empower brokers to talk to their commercial clients about cyber risks and coverage with confidence by enabling better understanding of the world of cyber.
The cyber threat landscape is evolving
The world has and continues to become increasingly interconnected through technology, which not only creates more possibilities for individuals and businesses to interact in ways that were previously unimaginable, but it also widens the threat landscape for cyber-crime.
Cyber risks have existed for decades, but criminals are now using more sophisticated methods to target supply chains, acquire sensitive information and disrupt business operations. It is reported that 15% of breaches are attacks via business partners' supply chains and 12% are attacks on software supply chains, with average breach costs of GBP 3.77m (USD 4.76m*) and GBP 3.35m (USD 4.23m*) respectively***.
82% of data breaches in 2022 involved data that was stored in cloud environments***, and with 45%** saying that staff in their organisation use personal devices to carry out work-related activities, otherwise known as ‘bringing your own device’ (BYOD), criminals continue to take advantage of potential security vulnerabilities.
The different types of cyber threats
With the digital landscape evolving at an ever-increasing pace, this presents both new opportunities and risks for businesses to consider.
To help you understand the most common cyber threats businesses face, we’ve created a simple glossary which outlines each term.
Term | Definition |
---|---|
Botnet | A network of hijacked computers and other devices, controlled by an attacker and used to carry out scams and cyber-attacks such as DDoS. |
Cyber attack | The intentional and unauthorised entry of computer instructions, including any malware, intended to gain access to, delete, alter, transmit or disclose data, or to interfere with a computer system. |
Data breach | A breach of security leading to the accidental or unauthorised transmission of, disclosure of, access to, loss of or theft of data transmitted, stored or processed on a computer system or held as paper records. |
DoS (denial of service) | An attack that floods a website or online service with so much traffic that it stops working. When the traffic comes from many machines at once, typically a botnet, it is called a Distributed Denial of Service (DDoS) attack. |
Operational error | A negligent or inadvertent IT operating error and/or process error on a computer system, including an error in the choice of software to be used, a set-up error or an inappropriate one-off operation. |
Phishing | Fraudulent messages (typically emails) attempting to trick users into entering their details into a spoofed website, or to spread malware through infected attachments. |
Ransomware | A form of malware which encrypts the files on a computer so that they cannot be read, and demands a ransom payment for the decryption key. |
Social engineering | The act of exploiting human weaknesses to gain access to personal information and protected systems; this form of attack relies on manipulating people rather than on technically hacking a computer system. |
Spear phishing | Highly targeted and personalised phishing attacks sent to individuals who have been researched extensively. |
Spyware | A form of malware which spies on a computer user without their knowledge, recording sensitive details such as passwords and credit card details. |
Trojan | A type of malware disguised as legitimate software (such as a fake antivirus program) which can steal or encrypt data once installed. |
Worm | Malware which copies itself automatically from device to device without any user action, often carrying other malware such as trojans with it. |
How often businesses reported breaches or attacks in 2022**
Types of breaches or attacks that businesses identified in 2022**
Jargon buster: making sense of essential cyber terms
The world of cyber can be very technical, especially when it comes to the terminology used.
To help you navigate conversations related to cyber, we've put together a glossary of some of the most common technical terms used in the market.
- Antivirus Software
- Back-up
- Email Filtering
- Encryption
- Firewall
- Malware
- Multi-Factor Authentication (MFA)
- Password Policy
- Patching
- Payment Card Industry Data Security Standard (PCI DSS)
- Penetration Testing
- Personal Data Record
- Privileged Access Rights
- Unsupported or End of Life Software
- Vulnerability Scanning
Let us not forget one of the biggest cyber threats a business may face... human error.
Unfortunately, when it comes to cyber claims, around 90% stem from some type of human behaviour, with human error seven times more likely to be behind a data breach than hackers.
Some of the most common examples of human error include:
- Data being sent to the wrong recipient.
- Lost or stolen paperwork.
- Failure to redact data.
- Failure to use blind carbon copy (bcc) when sending an email.
- Unencrypted devices being lost or stolen.
- Clicking on phishing emails, where recipients open emails and click on links which are designed to trick them into giving information to hackers or giving hackers access to their systems.
Mitigating against cyber risks
Percentages of organisations that have carried out the following activities to identify cyber security risks in the last 12 months**
As the frequency and severity of cyber-attacks has grown in recent years, the need for businesses to implement risk controls has become increasingly clear.
Common cyber risk mitigation methods include everything from robust password and user authentication policies, routine software updates and back-ups, to the vital task of educating staff about how to spot phishing risks.
Here are a few ways businesses can reduce their exposure to cyber risks ↓
Strict control over admin accounts
- All accounts protected with Multi-Factor Authentication (MFA).
- Admin accounts have separate permissions from standard user accounts, and are not used for day-to-day work such as email and browsing.
- The number of admin accounts is kept to the absolute minimum.
- Credentials for admin accounts are never shared, and are always securely stored (e.g. in a password manager).
Data back-ups
- Full backups should be taken regularly, with a copy frozen (made immutable) at least weekly and frozen copies retained on a rolling basis for at least 3 months.
- Backups should be isolated from the network so they cannot be encrypted during a ransomware attack (e.g. backup to tape or other offline or immutable storage).
- Restoration of a sample of critical systems should be performed at least every 6 months to test the integrity of the backups.
- Backups should always be encrypted.
User access
- Remote access protected with a Virtual Private Network (VPN), accessible only via accounts with Multi-Factor Authentication (MFA) and/or private client certificates.
- User accounts for cloud environments protected with Multi-Factor Authentication (MFA) and assigned unique passwords.
- Regular (at least 6-monthly) phishing tests should be run against users, with additional employee training where appropriate.
Technology stack
- All technologies (operating systems, databases, applications, networking/utilities) should be the latest supported version, fully patched.
- Security patches should be applied as quickly as possible once tested, and no more than 14 days after release by the vendor.
- Third-party/cloud apps: seek assurance that the provider has effective cyber security protections in place.
- Regular security tests (penetration testing/vulnerability scanning) should be carried out to confirm that systems are securely configured.
- Use network segmentation (VLANs) where possible.
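The admin-account and patching controls above are checklist items, but they can be checked mechanically against an inventory export. The script below is an added example, not NMU's tooling or a product of the page: it takes a constructed account inventory and a constructed patch list (the field names and the "mailbox" flag as a proxy for "used for day-to-day work" are assumptions) and reports accounts without MFA, admin accounts used for daily work or with shared credentials, an admin count that looks too high, and patches applied or still missing beyond the 14-day window.

```python
from datetime import date, timedelta

SLA_DAYS = 14           # "no more than 14 days after release" (control listed above)
MAX_ADMIN_RATIO = 0.10  # assumption: flag when more than 10% of accounts hold admin rights

# Constructed sample inventory (assumed format; a real export from a
# directory service or MDM would need mapping onto these fields).
# "mailbox" is used here as a proxy for "account used for day-to-day work".
ACCOUNTS = [
    {"user": "alice-admin", "admin": True,  "mfa": True,  "mailbox": False, "shared": False},
    {"user": "alice",       "admin": False, "mfa": True,  "mailbox": True,  "shared": False},
    {"user": "bob",         "admin": True,  "mfa": False, "mailbox": True,  "shared": False},
    {"user": "itadmin",     "admin": True,  "mfa": True,  "mailbox": False, "shared": True},
    {"user": "carol",       "admin": False, "mfa": False, "mailbox": True,  "shared": False},
]

# Constructed patch records: None for "installed" means not yet applied.
AS_OF = date(2023, 9, 20)
PATCHES = [
    {"host": "web01", "patch": "patch-001", "released": date(2023, 9, 1),  "installed": date(2023, 9, 5)},
    {"host": "web01", "patch": "patch-002", "released": date(2023, 8, 1),  "installed": None},
    {"host": "db01",  "patch": "patch-003", "released": date(2023, 8, 20), "installed": date(2023, 9, 10)},
    {"host": "db01",  "patch": "patch-004", "released": date(2023, 9, 12), "installed": None},
]


def audit_accounts(accounts, max_admin_ratio=MAX_ADMIN_RATIO):
    """Return a list of findings against the admin-account controls."""
    findings = []
    for a in accounts:
        if not a["mfa"]:
            findings.append(f"{a['user']}: no MFA")
        if a["admin"] and a["mailbox"]:
            findings.append(f"{a['user']}: admin account also used for day-to-day work")
        if a["admin"] and a["shared"]:
            findings.append(f"{a['user']}: shared admin credential")
    admins = sum(1 for a in accounts if a["admin"])
    if accounts and admins / len(accounts) > max_admin_ratio:
        findings.append(
            f"{admins} of {len(accounts)} accounts hold admin rights "
            f"(more than {max_admin_ratio:.0%}); review whether each is needed"
        )
    return findings


def audit_patches(patches, as_of, sla_days=SLA_DAYS):
    """Return findings for patches applied late, or still missing past the SLA."""
    findings = []
    for p in patches:
        deadline = p["released"] + timedelta(days=sla_days)
        if p["installed"] is None:
            if as_of > deadline:
                findings.append(
                    f"{p['host']} {p['patch']}: not installed, {(as_of - deadline).days} days past SLA"
                )
        elif p["installed"] > deadline:
            findings.append(
                f"{p['host']} {p['patch']}: installed {(p['installed'] - deadline).days} days late"
            )
    return findings


if __name__ == "__main__":
    for line in audit_accounts(ACCOUNTS) + audit_patches(PATCHES, AS_OF):
        print(line)
```

A patch that is not yet due (released within the last 14 days) produces no finding, so the report only lists genuine breaches of the window; the admin-ratio threshold is a starting point to prompt review, not a standard the page sets.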
Education
Businesses should take the time to educate their employees to help them understand:
- How to spot common cyber scams such as phishing.
- The importance of using strong passwords or passphrases.
- How to store data securely.
- How and when to encrypt data.
Response planning
In preparation for a cyber-attack, businesses should create a detailed cyber incident response plan.
This includes developing a suitable business interruption policy, incident response playbooks for dealing with key threats, forms for documenting and tracking incidents, and technical guidance on analysing and recovering following an incident.
A new global study of 1,000 Chief Information Officers finds that 82 percent say their organisations are vulnerable to cyber-attacks targeting software supply chains
Why do businesses need cyber insurance?
Robust cyber insurance, backed by strong breach response, will protect businesses against financial losses as a result of a cyber attack or breach, and mitigate the impact that an attack has on the business through a strong restorative support service.
57% of businesses say a data breach has resulted in them having to increase the costs of their products and services***
Our cyber placement strategy involves conducting regular market analysis. Since their product launch, NMU’s proposition has been market leading and continues to develop/adapt to ever-evolving threats to ensure it stays that way.
The NMU cyber insurance solution
Even businesses with extensive risk control measures in place can still be vulnerable to cyber-attacks and data breaches, which is why having comprehensive cyber insurance is important.
The NMU cyber insurance solution provides coverage for a range of first party and third-party risks related to cyber-attacks, offered through a robust policy with strong restorative support services.
We hope that ‘Decoding Cyber’ has improved your understanding of the cyber risks that both you and your commercial clients face. Now more than ever, businesses of all different sizes are looking to their insurance brokers for a robust cyber insurance policy and with the NMU cyber solution, you can provide them with just that.
Get in touch with us
Businesses looking for more information on cyber insurance should contact their insurance broker.
Insurance brokers looking for more information about our cyber insurance solution for their clients can contact their local NMU Development Underwriter.
* Exchange rate of 1.00 USD to 0.79 GBP, correct as of 4 September 2023 09:30 BST
** Cyber Security Breaches Survey 2022 - Department for Digital, Culture, Media & Sport
*** Cost of a data breach 2023 - IBM
The information provided in this content is intended for UK insurance brokers acting on behalf of their prospective or existing clients.
Any description is for general information purposes only and does not constitute an offer to sell or a solicitation of an offer to buy any product. Policyholders who have questions or wish to arrange or amend cover should contact their insurance broker. Insurance brokers can find details of how to contact us here.
Any descriptions of coverage contained are meant to be general in nature and do not include nor are intended to include all of the actual terms, benefits, and limitations found in an insurance policy. The terms of any specific policy will instead govern that policy. Any guidance for UK insurance brokers is intended to provide general information only, and should not be used as a substitute for legal advice.