The recent ransomware attacks have brought cyber security – and cyber insurance – into sharp focus for SMEs. No longer was it something that happened to someone else. It became real.
“The reality is that all organisations need to be thinking about cyber, and not only that – but they need to be thinking of it as a jigsaw puzzle,” says Dan Weis, certified ethical hacker and penetration tester at Kiandra IT.
“One very important piece of that puzzle is insurance, that speaks for itself, but it’s just one piece of the puzzle and it is important to note that it is a post-incident solution.
“Prevention is better than cure and there are many other puzzle pieces that companies need to address, to reduce their cyber exposure.”
He points out that 53 per cent of all email globally is spam or spear phishing related, based on Symantec’s latest Internet Security Threat Report, and according to Verizon’s 2017 Data Breach Investigations Report, 81 per cent of all hacking-related breaches leveraged stolen or weak passwords.
So, part of that jigsaw puzzle solution should include staff awareness training, having the necessary technical controls in place, making sure systems are well maintained, and knowing how to identify and respond to a breach, Weis says.
Indeed, the recent WannaCry and Petya ransomware exploited a Windows vulnerability and succeeded in accessing many organisations’ computers because many Windows users had not installed the security patches Microsoft had released.
While WannaCry had little impact in Australia, Petya, a month later, affected local offices of global law firm DLA Piper and Hobart’s Cadbury factory, whose parent company Mondelez was hit.
Weis says that what brokers need to emphasise to SME clients is that size does not matter to hackers. “Are weak passwords and phishing attacks risks that just affect big business? Definitely not, and in a lot of cases the SME market is utilised to launch attacks against the larger companies and avoid detection for the bad guys.”
“And, don’t think that malicious cyber-attacks are only launched by sophisticated cyber-criminal groups. The reality is that with modern hacking tools and applications you don’t need to be a specialist to cause severe damage in an unsecured network,” he warns. “A security breach could be initiated by a disgruntled ex-employee, a bored teenager, or someone trying to gain information on one of your clients via your systems. Hacking tools are widely accessible and are designed to cause maximum destruction or compromise a large number of systems, covertly.”
Dan Weis will be presenting at the NIBA Convention in September and talking about these topics and more. Delegates will come away from the session with a checklist and all the information needed to facilitate these conversations with clients, and work with them to generate what their cyber risk profile looks like, enabling them to produce their own cyber puzzle.