Cybersecurity

Cyber-attacks on the rise

Businesses are increasingly at catastrophic risk from cyber-attacks, according to research from our partner Hiscox. They explain why it pays to be prepared.

The last year has been tough for businesses: the turmoil of the pandemic and the uncertainty of lockdown restrictions have taken centre stage, but during this period many firms have faced another threat – increasingly sophisticated cyber-attacks.

Solicitors will be all too familiar with the threat from cyber criminals: handling sensitive personal information, documents and client money means law firms are particularly vulnerable to attack.

In 2018, the Solicitors Regulation Authority (SRA) reported that over £11 million of client money was stolen by cyber criminals in 2016 to 2017, mostly through phishing attacks, data breaches, ransomware and supply chain compromise.

Our recent Hiscox Cyber Readiness Report shows the changing landscape of cyber-attacks over the last 12 months and indicates that firms are facing increasingly diverse types of threats.

The survey features responses from over 6,000 businesses of varying size, providing a snapshot of attitudes towards cybercrime and demonstrating how important it is to improve defences.

Multiple attacks

This year’s report showed that the number of businesses reporting attacks had increased from 38% to 43%.

In the UK, 69% of respondents who suffered attacks said it had happened more than once during the last year.

The attacks are also likely to be critical to the survival of many firms. Globally, one in six businesses said they felt that the survival of their business was at risk from cyber-attacks.

Steve Ridley, cyber underwriting manager at Hiscox UK, says: “What we’ve seen this year is a difference in the size of cyber-attacks. The median cost of a cyber-attack is about £10,000, but it could be much bigger. The largest breach reported in the survey in 2020 caused a loss of just under £500,000. For a small company, that is a large amount of money and a risk that needs to be taken seriously.”

So, how do firms combat that problem? “Firms might want to hire someone or use an external expert,” adds Ridley. “But it’s clear that companies do need to consider the risk and their response.”

Open windows

According to the survey, the most common routes criminals used to gain access to businesses had shifted this year.

The first point of entry had been corporate-owned servers for 37% of respondents. Cloud-based servers came second (31%), followed by company websites (29%) and employee errors, including phishing scams (28%).

For UK firms, there were a variety of first points of entry, with the country scoring above average on attacks as a result of phishing (32%), attacks on corporate-owned mobile devices (28%) and attacks on company websites (30%).

UK businesses also ranked highly in terms of virus outbreaks and loss of encrypted data, although they performed well in their ability to deal with these attacks.

The survey found that ransomware continues to be a problem, with phishing emails being the main starting point. However, only around one in six businesses that reported suffering a cyber-attack said the attack had come in the form of a ransom demand.

For professional services businesses, such as law firms, corporate servers were cited as being particularly susceptible to attacks.

Lack of protection

While attacks had increased over the last year, a minority of firms (27%) had standalone insurance in place to protect them, although 34% had coverage as part of another policy.

Larger organisations were more likely to have insurance cover and scored well in our ranking of firms ready for such attacks.

The Hiscox Cyber Readiness Model categorises businesses into three groups in terms of cyber readiness: cyber novices, intermediates and experts. This categorisation allows us to see which types of cyber-attacks were most successful and what businesses need to do to prevent losses.

“Experts had fewer ransomware attacks, fewer fell victim to phishing emails, and when they were hit, they recovered more quickly,” says Ridley.

Larger firms appear to recognise the importance of having expertise to deal with cyber threats, with 33% recognised as cyber experts by our model.

However, smaller businesses with under ten employees were more likely to rank as cyber novices, with 62% of respondents saying they had little expertise in cyber threats.

“It may well be easier for larger organisations to spend on improving their cyber-crime proficiency – be it through hiring experts or training staff – but companies of all sizes would benefit from improving their resilience,” says Ridley.

“Building that resilience and having expertise isn’t going to guarantee companies aren’t attacked, but it means they’re less likely to fall victim to an attack and, if they do, they should be able to bounce back more quickly,” adds Ridley.

“It’s not just about avoiding the problem, but about minimising the impact and increasing resilience. The more prepared you are, the safer you are going to be.”

Hiscox is a Law Society partner and now provides personal cyber insurance, as an addition to your current home insurance policy.

Find out more about their insurance or call 0800 840 2781. Law Society members save 12.5% on home insurance.