Technology is an important part of doing business in today's society; however, risks come along with the benefits it provides. One of those risks is cyber attacks.
Cyber insurance is not just for big multinational corporations. A number of small and medium enterprises are at risk because they have low security measures, according to a recent report by the Centre for Internet Security.
CERT's Cyber Crime and Security Survey Report 2013 found that there was also an increase in organisations reporting cyber security incidents in 2013, from 56 organisations in 2012 to 76 organisations in 2013. Of the organisations surveyed, 95 per cent thought their staff needed to improve their IT security and 91 per cent identified the need for management to improve their IT security skills and practices.
The report assesses the cyber security measures of CERT's partner organisations, cyber incidents they have identified and cyber threat concerns. The 2013 report included responses from 135 partner businesses across 12 industry sectors.
The most common incidents reported by organisations in the survey were targeted emails that were linked to virus or worm infections and trojan or rootkit malware. This reinforces survey responses that cyber security incidents did not appear to be random or indiscriminate but instead were targeted at their organisation.
What are cyber security incidents?
Cyber security incidents refer to a range of incidents from viruses to denial of service attacks. The 2013 CERT report defines cyber security incidents as occurrences that "harmed the confidentiality, integrity or availability of a network's data or systems".
One of the first cyber attacks happened in 1972 when an electronic engineering student, John Draper, figured out that the whistle he found in a Cap'n Crunch box produced the same frequency that authorised long distance calls.
By simply blowing the whistle into the phone's speaker, Draper was able to make the first free long distance call. Since then cyber attacks have escalated. In 2000, 15-year-old Michael Calce from Quebec caused an estimated US$1.2 billion in damages to large companies such as Dell, CNN, Amazon and eBay by shutting down their websites.
The recent Heartbleed bug is an example of the widespread effect of cyber security incidents. The Heartbleed bug was a software vulnerability that meant information encrypted by OpenSSL software could be accessed and leaked.
Is my organisation vulnerable?
Important questions your organisation should ask when considering its cyber attack risk include:
- What are the privacy and data breach laws relevant to the organisation and the market we operate in?
- Does the organisation use fully automated IT systems?
- Is the organisation's main function Business to Business (B2B) or Business to Consumer (B2C)?
- What tangible assets does the organisation have?
- Can the organisation operate without them?
The CERT survey asked respondents about the internal and external factors that contributed to cyber security incidents for the organisation. The two main internal factors were staff errors or omissions (57 per cent) and a poor security culture within the organisation. The two main external factors identified were targeted attacks (51 per cent) and third-party risks or vulnerabilities (49 per cent).
Even though the number of reported cyber security incidents is increasing in Australia, 61 per cent of organisations do not identify cyber security incidents on their risk register. Possible reasons for this identified by CERT are the need for further awareness of cyber security and the need for CEOs and management to improve their IT security practices and skills.
What is cyber insurance?
Cyber insurance is available for businesses and organisations to cover liability and expenses that may result from cyber security incidents such as unauthorised use or access to electronic and physical data or software in the organisation's computer network or business. It can also provide cover for costs or expenses arising from network outages, viruses, malicious code or computer theft.
Cyber insurance is important because it provides organisations with monetary protection from harmful attacks on their information and systems.