Sponsored
Sponsored content is premium paid-for content produced by the Irish Times Content Studio on behalf of commercial clients. The Irish Times newsroom or other editorial departments are not involved in the production of sponsored content.

Why ‘CEO-Phishing’ and WFH could cost your company millions

‘Strengthen your defences or count the cost’ is the advice of a cybercrime report, and Irish companies are lagging behind

Globally one in five business respondents reckon a cyber-attack could put them at risk of going out of business.

A recent report finds that Irish businesses pay out ransoms more frequently than those in other countries, with 25 per cent paying out five times or more to recover their data.

For Irish businesses, the risk of a cyber-attack is not a question of ‘if’ but ‘when’, according to a report from specialist commercial insurance provider Hiscox Ireland.

The Hiscox Cyber Readiness Report 2022 found that 49 per cent of Irish companies have suffered at least one cyber-attack in the past 12 months, up from 39 per cent in 2021.

The cost of dealing with cyber-attacks is putting businesses under increasing pressure, with the median cost in Ireland having doubled to €15,120 per business.


At a time of already spiralling business costs, that’s a hit few businesses can afford to ignore, especially as the report also found that the frequency of cyber-attacks in Ireland has increased by 26 per cent over the past year.

“The most common method of entry for Irish ransomware attacks is unpatched servers. Failing to keep software up to date is more common in Ireland than in any other country surveyed.”


Not only are cyber criminals becoming more sophisticated, but employers are increasingly aware that attacks have been facilitated by the move to remote and hybrid working, with cyber criminals increasingly gaining access via cloud servers.

An overview of cyber weaknesses in Irish companies according to the report

More than three in five respondents, 62 per cent, believe their business is more vulnerable to attack as a result of working from home. It’s a risk many are mitigating with specialist cyber insurance policies that help recoup the costs arising from such attacks.

Currently Irish businesses pay out ransoms more frequently than those in other countries, the report finds, with 25 per cent paying out five times or more to recover their data.

“People think that once you get one ransomware attack, you are golden, but that’s not so, they come back,” says David Gallagher, business development manager at Hiscox Ireland, a firm specialising in commercial and personal insurance solutions.

David Gallagher, business development manager at Hiscox Ireland

The most common method of entry for Irish ransomware attacks is unpatched servers, which account for 65 per cent of cases. Failing to keep software up to date in this way is far more common in Ireland than in any other country surveyed.

Having good risk management procedures in place, backed by cyber insurance, is the best way to protect your organisation, says Gallagher.

Staff awareness is key. That includes ensuring all personnel look out for so-called ‘spear-phishing’ emails, which invite the recipient to click on a link that looks legitimate, but is not. Once cyber criminals gain access to your systems in this way they can hold them to ransom. If you don’t pay up, your customer data can be leaked to the dark web.

“Going forward two-factor authentication will be a minimum requirement for cyber insurance.”

“Hackers are aware that people are a little more vulnerable at home. In the office we are all that bit more conscious about what we click on,” says Gallagher, who says that at home, we might be tired and the lines between work and leisure blurred, making the risk of clicking on a spurious link greater.

“Corporate servers are also harder for hackers to breach than cloud servers,” he adds. It’s why all organisations should now have two-factor authentication in place, which sends a notification to a second device such as a mobile phone. “Going forward it will be a minimum requirement for cyber insurance,” he points out.

Working from home also increases the likelihood of ‘CEO phishing’, where employees receive an email that looks like it comes from their boss asking them to, for example, change a supplier account number. “Again, because we’re working from home and the boss is too, we can’t check if it’s really from them. That has led to a big rise in claims,” says Gallagher.

Strengthen your defences

Ongoing staff training is a vital line of defence, particularly as 62 per cent of the claims Hiscox handles are attributable to employee error.

Hiscox offers free and constantly updated employee training to small and mid-sized clients through its CyberClear Academy. Depending on how many employees complete it, employers can gain additional benefits such as a lower claims excess – reducing the portion of an insurance claim they must pay themselves.

The company also offers direct support from a team of experts including crisis managers, forensic IT specialists, data protection lawyers and public relations consultants, to protect businesses from the wider fallout of an attack.

Costs quickly add up. If you generate sales online, and your website is down, or compromised, your business will lose revenues immediately, he points out.

On top of that is the cost of finding out what’s going on, including, possibly, bringing third-party expertise in to help.

Where data breaches occur you must notify the data protection commissioner, which could result in penalties. There may be reputational damage, and on top of that, he points out, the risk that customers whose credit card details or medical information are leaked will sue.

A graph illustrating the cyber weak spots within organisations

Counting the cost

The company’s new generation of cyber insurance tools includes the Hiscox Cyber Exposure Calculator, which helps companies understand the full financial impact of a cyber-attack.

In 2021 it introduced an online cyber maturity self-assessment model to help companies understand their cyber security strengths and weaknesses and benchmark against others.

Because major multinationals tend to have very robust systems in place, it is small and medium-sized businesses that are most vulnerable. No matter the size of your business, cyber awareness “has to come from the top down,” he adds.

Just don’t think that being small is protection from being attacked. “Cyber criminals are organised business units scouring for vulnerabilities. We know from the HSE and NHS attacks, both of which happened during a pandemic, that these people have no morals. If they find a weakness, they’ll get in,” says Gallagher.

Such high-profile cyber-attacks have helped to grow awareness for all organisations both of the risk of attack and the need to mitigate it. “Have your cyber safety practices in place and have a cyber insurance policy in the background too for peace of mind, just in case it’s needed,” he says.