Working with a team is an amazing way to be more than the sum of your parts. When that team includes subcontractors, freelancers or a supply chain, the opportunities are multiplied.
With opportunity comes risk, and this article is about identifying and reducing exposure to risk. Most exposure can be reduced in-house, yet go a few steps further and the interconnected world we live in can be managed too.
There's an expectation that businesses are careful rather than reckless. This is the minimum standard expected. Failing to prepare your business to keep delivering will not go down well with customers. They might say they feel sorry for you whilst they are googling or, most likely, looking for recommendations for another supplier. It’s more a case of why risk it than why not!
Simply expecting nothing to go wrong isn’t realistic. Ignoring risks until they appear isn't responsible or prudent. Most people know this yet they get too busy to allocate time. Those that allocate time to stop and think can work their way through it. Sometimes, it is easier to call those that deal with IT, digital files or access to communications and ask what they have already done to protect your business. You'll be surprised, hopefully, at the lengths they are already going to.
Who would you rather do business with?
Imagine you are on the phone in need of a quick answer. The person at the other end tells you that they're dealing with an unexpected issue and won’t be able to answer your query until 4pm.
Perhaps with another supplier you can’t get through at all. It’s not so urgent yet you need a response the next day. Yet if you call back and still can't get what you need, the pressure to meet a deadline becomes telling. You and the supplier feel the pressure yet there is no resolution. Indeed, you can't thank them, let alone recommend them. And you might have to consider taking your business elsewhere.
Climbing the ranks
On another day, you might be the recipient of such business, more likely if people recommend you. People still recommend those that had issues with service, yet only if they recover well and keep the client informed. Indeed, it can add strength to a relationship if problems are overcome and well communicated.
Sectors that look after data or provide data services such as security, access, or storage can do a lot to protect many businesses at once. Managed service providers and IT support providers have been targeted in the US. Files have been encrypted and ransoms demanded. To pay or not to pay, that is the question. Insurers can answer that for their policyholders because they have experience, unlike directors who have never felt so compromised before. We have many enquiries from IT support companies and managed service providers, mainly because they can no longer afford to underwrite the losses of clients that have not been looking after themselves.
Professionals like accountants and solicitors have been targeted in the UK because some hold client money, as well as bank details and confidential data. Not all have found their insurance covered them. Indeed, cyber cover is being specifically taken out of Professional Indemnity and other policies because the losses are so high the risk needs to be carefully considered. It has to be applied for and granted, which will probably be subject to new and appropriate conditions.
They are now investing in protection that:
- Quickly determines whether the issue was due to their negligence or bad actors
- Defends them from claims from those that have failed to protect themselves, yet want someone else to pay for their lack of prudence
- Pays clients when their losses were due to the company's negligence
If they are investing in protection, they will be able to fend off claims from those who have been caught out. They will also be able to pay compensation to those that deserve it.
It will eventually become common knowledge that IT companies charge extra for support following data breach issues because more and more people will find out for themselves anecdotally or when their IT is compromised.
Meanwhile, what can be done?
Those who have cloud storage should ensure there is also a backup. The cloud is porous and many have found their files corrupted when the data/file storage provider had a problem. Network settings should be changed on new items that have wi-fi connections.
Check those that you depend on have insurance. If they are a hub, they might have many other losses to consider as well as your own. They might not cope.
The government is releasing a guide on cyber risk shortly. Every business should receive one. Keep in mind that the government do not often directly ‘nanny’ businesses. They are doing it for cyber risk because they realise that the UK economy is in real trouble if there is a large attack and too many businesses are unprepared. They also realise how well connected we are digitally; their own agencies have enough experience of sharing malware unintentionally. They don't want a problem spreading; planning and security can really help. Businesses are expected to look after themselves, yet most are burying their heads in the sand about data risk. It’s often found on the ‘too difficult’ list.
Wrap Up: Some businesses have a more important role than others. When they are a hub for many businesses, there is an expectation that they are well prepared and have contingency plans in place. When things go wrong, those that have been prudent, communicate well and are resilient will survive and go on to thrive as their stock rises.
Top Tip: Mobile devices should be encrypted. Most devices come with encryption apps; they need to be switched on.
* This article is a guest blog post by our friend Jason at Cobine Carmelson. If you'd like to check that your cyber insurance is fit for purpose, please contact Jason quoting the code PENSAR0120.