Massive cyber-attack is a wake-up call for small business

By Chris Dougherty, General Manager, Westlawn Insurance
30 November 2016

Late last month, millions of people across the US and Europe were unable to access popular websites such as Twitter, PayPal, Spotify and Netflix following a massive Distributed Denial of Service (DDoS) cyber-attack. A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. In this case, however, the attack targeted a Domain Name System (DNS) service that facilitates the loading of web pages, rather than any particular website.

Australian internet users were also affected by the cyber-attack with The Sydney Morning Herald reporting on 22 October that: “Popular Australian media, banking, insurance, retail and hotel websites experienced outages and interruptions following cyberattacks in the US overnight”.

Among the Australian websites that experienced disruptions were banking sites ANZ, BankWest, NAB and Westpac and media sites such as The Daily Telegraph and The Sydney Morning Herald. Retail giants Coles and Woolworths were also affected.

Wake-up call

Commenting on the cyber-attack, Dynatrace data expert, Dave Anderson, said:

“While not as severe as the US, Australian sites were definitely experiencing performance problems as a result of the DDoS attacks overnight.”

“While it’s a bit unlucky for these Australian sites to have been hit, it’s a wake-up call for everyone with an online presence. You’re on 24 hours a day and these performance issues will be part of the daily digital life ongoing.”

Similarly, cyber risk expert, Fergus Brooks, from risk management company, Aon Australia, said that every business should look at how they could be impacted.

“This is an attack on the infrastructure of the internet itself as opposed to attacking specific companies.”

Cyber threats on the rise

In its 2016 Threat Report, the Australian Cyber Security Centre (ACSC) revealed that between July 2015 and June 2016, CERT Australia responded to 14,804 cyber security incidents affecting Australian businesses.

Of those, 418 involved systems of national interest and critical infrastructure.

And in Europe, a recent survey by Lloyd's of London found 92% of European respondents said their company had suffered a data breach in the past 5 years, while 3% said they had “come close”.

Only 5% said they had not suffered a breach or were unaware that they had.

Australian businesses acknowledge the risk

Most businesses today, whether large or small, rely on digital technology for day-to-day operations, for interacting with suppliers and customers and for storing important records such as customer information.

And while many Australian small businesses have been slow to insure against the risk of cyber-attack, this is now beginning to change.

According to a survey by technology company, Symantec, nearly 20% of Australian small businesses plan to take out cyber insurance in the next year. Only 14% of small businesses are covered now.

Symantec’s Cyber Security Survey also revealed that 19% of small businesses experienced a cyber-attack this year and that 20% of businesses with cyber insurance have made a claim.

How cyber insurance can protect your business

Cyber insurance can provide protection against cyber-attacks and other related incidents that can impact your business.

Depending on the insurer and level of protection required, cyber insurance can cover your business for:

  • Privacy breaches – protection against third party claims for loss of personal information, corporate information, employee information, personal information held by service providers. Also defence costs.
  • System damage – cover for lost, damaged or destroyed IT systems, IT records/data, retrieval, repair, restoring or replacing data systems or hardware, external IT, forensic or security consultant costs.
  • Business interruption – loss of profits due to a cyber event.
  • Computer virus & hacking – liability arising from hacker attack or virus, loss or theft of data or data for which you are responsible, attacks by employees or third parties, loss by phishing or denial of service attacks.
  • Computer crime – cover for crime losses including loss of money or property, loss of money or property from service providers’ systems, loss caused by rogue employee or a third party.
  • Breach of statutory duties – from ecommerce business, defence costs and compensation.
  • Extortion – covers payment of ransom, costs of negotiating, mediating due to extortion attempt and crisis management costs to resolve a security threat.
  • Brand & personal protection – public relations costs to protect your business brand or reputation of senior executives.
  • Privacy fines & investigations – includes fines and penalties incurred due to a privacy breach. Cover for defence and investigation costs.
  • Privacy breach notification and loss mitigation – covers breach costs including credit monitoring, identity theft monitoring, data restoration and forensic costs. Includes your legal costs, access to call centre support services. Covers actual or suspected privacy breaches.

Cyber claim case studies

Employee error

A retailer emailed a group of customers to promote a sale with special discounts. The retailer intended to attach a copy of the flyer detailing the discounts but instead attached a copy of a spreadsheet containing a customer list, including names, addresses and credit card information.

The retailer was required to notify all affected customers of the error and offered credit monitoring services. Several affected customers began legal proceedings against the retailer.

The notification and credit monitoring costs totalled $50,000, and the amount to settle the legal proceedings with the retailer’s customers combined with the associated legal costs and expenses totalled $100,000.

Cyber insurance can provide coverage for breach of privacy, which includes legal costs, indemnification of third parties and crisis management costs.

Computer virus transmission and hacking

A company accountant at a local manufacturer received an email from her boss asking her to transfer $120,000 to a supplier overseas. Because this was a common request, the accountant processed the payment before realising that the tone of the email wasn’t right and the domain name was a single letter off. Upon further investigation, it was found that cyber thieves had infiltrated the company's systems and had grown knowledgeable enough about company dealings to send a convincing phishing email that cost the company.

The company lost the $120,000 and incurred costs to secure their IT system.

Cyber insurance can provide coverage for the loss of money caused by phishing scams and the costs to secure IT systems.

Source: CGU Insurance Limited.

Contact Westlawn about cyber insurance

To learn more about insurance to protect your business from cyber-attack, contact Westlawn Insurance Brokers today.
