DNS attacks cost finance firms millions of pounds a year

The average cost of recovering from a single DNS attack is £711,069 ($924,390) for a large financial services company, according to a new survey.

The costs of restoring services after a DNS (Domain Name System) attack are higher for financial services firms than for companies in any other sector.

According to a survey of 1,000 large financial services firms in Europe, North America and Asia Pacific, the average cost of recovering from a single DNS attack is $924,390 for a large financial services company.

The survey, carried out by network automation and security supplier EfficientIP, and its subsequent 2018 Global DNS threat report found that the average cost of recovery for such finance firms had increased by 57% compared with last year.

It also revealed that financial services firms suffered an average of seven attacks each last year, and 19% of them were attacked more than 10 times.

The survey found that finance firms took an average of seven hours to mitigate a DNS attack and 5% of them spent a total of 41 working days mitigating attacks in 2017. More than a quarter (26%) lost business because of the attacks.

The most common problems caused by DNS attacks are cloud service downtime, compromised websites and internal application downtime.

“The DNS threat landscape is continually evolving, impacting the financial sector in particular,” said David Williamson, CEO at EfficientIP. “This is because many financial organisations rely on security solutions that fail to combat specific DNS threats.

“Financial services increasingly operate online and rely on internet availability and the capacity to securely communicate information in real time. Therefore, network service continuity and security is a business imperative and a necessity.”

Types of DNS attack include:

Zero day attack – the attacker exploits a previously unknown vulnerability in the DNS protocol stack or DNS server software.
Cache poisoning – the attacker corrupts a DNS server by replacing a legitimate IP address in the server’s cache with a rogue address in order to redirect traffic to a malicious website, collect information or initiate another attack. Cache poisoning may also be referred to as DNS poisoning.
Denial of service – an attack in which a malicious bot sends more traffic to a targeted IP address than the programmers who planned its data buffers anticipated someone might send. The target becomes unable to resolve legitimate requests.
Distributed denial of service – the attacker uses a botnet to generate huge amounts of resolution requests to a targeted IP address.
DNS amplification – the attacker takes advantage of a DNS server that permits recursive lookups and uses recursion to spread the attack to other DNS servers.
Fast-flux DNS – the attacker swaps DNS records in and out with extreme frequency in order to redirect DNS requests and avoid detection.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for cyber security incident prevention, protection and training, please ring us now on 03333 393 139, email assist@cyber139.com or complete the form on our contact page.

ICO issues maximum £500,000 fine to Facebook

The UK privacy watchdog has confirmed that Facebook has escaped a fine of more than $1bn under the GDPR, but will face the maximum under the DPA for failing to protect users’ personal information

The Information Commissioner’s Office (ICO) has fined Facebook £500,000 for serious breaches of data protection law involving Cambridge Analytica that affected 87 million users, including nearly 1.1 million Britons.

In July, the ICO issued a Notice of Intent to fine Facebook as part of a wide ranging investigation into the use of data analytics for political purposes.

After considering representations from the company, the ICO has issued the fine to Facebook and confirmed the amount, which is the maximum allowable under the laws that applied at the time the incidents occurred.

The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded a quiz app, but were simply “friends” with people who had.

Facebook also failed to keep the personal information secure because it did not make suitable checks on apps and developers using its platform. These failings meant one developer, Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge.

A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica which was involved in political campaigning in the US, the ICO said.

Even after the misuse of the data was discovered in December 2015, the ICO found that Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, the ICO said Facebook did not suspend the company from its platform until 2018.

The ICO found that the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse.

Elizabeth Denham, the information commissioner, said she feels that Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. She felt that a company of its size and expertise should have known better and should have done better.

This fine was served under the Data Protection Act 1998. It was replaced in May by the new Data Protection Act 2018, alongside the EU’s General Data Protection Regulation (GDPR). These provide a range of new enforcement tools for the ICO, including maximum fines of £17m or 4% of global turnover.

The ICO considered these contraventions to be so serious that it imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of its main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.

The ICO’s work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.

A further update on the ICO investigation into data analytics for political purposes will be on 6 November, when the information commissioner will give evidence to the Department for Digital, Culture, Media and Sport (DCMS) Select Committee.

In July, the ICO published an interim progress update on its investigation and also published a partner report, Democracy disrupted? Personal information and political influence, looking at the broader policy issues identified during the investigation along with findings and the ICO’s recommendations for future action.

How Malwarebytes was founded PT2

How the Malwarebytes company started and grew.

What made Mrs Kleczynski initially more alarmed was that her teenage son had launched the business with a man in his 30s called Bruce Harrison. Marcin and Bruce had been writing software together for more than a year, after they first started talking on anti-virus forums.

“Here’s this 17-year-old kid… he’s this 35-year-old man. Imagine telling your mum?…” says Marcin.

Marcin and Bruce hadn’t actually met in person at the time. Bruce was a computer repairman in Massachusetts, and Marcin was at home in Chicago. They didn’t in fact see each other in the flesh until Malwarebytes was more than 12 months old.

“We didn’t meet until we made our first million about a year after we launched the product,” says Marcin. “Even that was kind of anti-climactic. It was just, ‘Hey, Bruce!’ – We had a handshake and moved on.”

Today Bruce, who is head of research, still lives and works on the US east coast, while Marcin is based in the head office in Silicon Valley. The company now has more than 750 employees, and overseas offices in the Republic of Ireland, Singapore and Estonia. Since 2014 it has secured $80m of investment funding.

Malwarebytes says its software now performs 187 million virus scans every month for individuals and businesses, and is installed more than 247,000 times every day. Like many antivirus companies it operates a “freemium” business model – the basic version is free, but you can then pay for more advanced protection.

While the company has consistently grown strongly, Marcin has learned some hard lessons along the way. The most difficult time was navigating the business through an almost catastrophic period in 2014 where the product glitched on a huge scale.

“We had a false positive which means we detected a piece of malicious software that wasn’t actually malicious at all,” he says.

“Our software ended up mistakenly bringing down hundreds of thousands of computers. We had 911 emergency centres go down, hospitals go down, it was bad. This has happened to every anti-virus company, by the way, but these mistakes can be company killing because you lose trust.

“But we fixed it and got through it. Even today, the system that we created to prevent this from happening again is called ‘The Malwarebytes Extinction Prevention System’ – our engineers have a great sense of humour.”

Carl Gottlieb, a cyber security podcaster, says that despite operating in the “notoriously hostile” antivirus industry “Malwarebytes is thriving”.

“With so many competing vendors, brand awareness is key, and that step which Malwarebytes took to offer a free product years ago is paying dividends, with so many customers knowing the name and already using it in their homes. What Marcin and his team have achieved is impressive to see.”

Still only 29, Marcin says his young age has been an advantage. He encourages other budding teen entrepreneurs to start their own business.

“You’ve heard my story, I started the company when I was living with my parents,” he says. “And then even at college, it was all paid for on a student loan, so I was getting fed. If you’re in college now, instead of going out and getting drunk with your friends, maybe take one night a week just to see if there’s anything you want to work on personally.”

He admits that his university years were harder than his friends’, that he barely passed his degree, and his social life no doubt suffered. However, he’s glad his mum forced him to go. “For one thing, I met my wife there,” he says.

How Malwarebytes was founded PT1

A lot of entrepreneurs have “a moment”. A moment that makes them realise they’re on to something.

For Marcin Kleczynski it came while he was discreetly working on his antivirus software business from his student digs.

His start-up company Malwarebytes was less than a year old back in late 2008, but already gaining a good reputation in the cyber security world.

Marcin, then only 18, was just about managing to juggle running his start-up with participating in student life at the University of Illinois when he hit a snag.

“I was having some real trouble analysing the latest computer virus, when all of a sudden I get a white page on my screen that says ‘you’ve been banned from the school network due to malicious activity on your desktop’,” he says.

“They’d obviously detected that I had a virus on my computer, but didn’t realise it was deliberate. So I call the university IT helpline, and they send a kid, no older than me. He sits down at my computer and looks at it and says ‘boy you’ve really screwed this thing up’.

“Then, right in front of me, he logs onto my website and downloads Malwarebytes. I didn’t say anything, I stood behind him and watched him fix my computer with my software to get me back online. He left never knowing who I was, but to this day I love that moment.”

By the time Marcin graduated with a degree in computer science in 2012, he had quietly grown Malwarebytes into a business earning a few million dollars a year. All without any of his lecturers having any idea what was taking up his time, and pushing his grades down.

Today the company has an annual turnover of more than $126m, and millions of customers around the world.

Born in Poland in 1989, Marcin moved to the US with his family when he was three, settling in Chicago.

As a gaming-obsessed teenager, he’d accidentally got a virus when he was 14, and learned everything he needed to know about computer bugs from internet forums and a “For Dummies” book.

He formally launched Malwarebytes in January 2008 when he was just 18. It grew quickly, and he decided that starting university in September of that year would just slow him down. His mother had other thoughts.

“The business was becoming real, and so I went sheepishly to my mum and said ‘I don’t think I’m going to go to school’,” says Marcin. “Fifteen seconds later we were packing my stuff and I was going to school.”

CYBER 139 PASSED PDSC ASSESSMENT

CYBER 139 are very pleased to have passed the PDSC Digital Aware Assessment.

Cyber 139 have demonstrated that we have implemented measures that are appropriate to our own level of risk. Applicants are assessed by certified cyber security professionals through BSI.

Organisations who choose to participate in the new scheme will be able to obtain a certificate. These certificates are endorsed by the Police and BSI.

Cyber crime is a growing threat to organisations, with over a third having suffered at least one cyber attack or breach in the past 12 months. The good news, however, is that the overwhelming majority of cyber crime can be prevented by taking a few simple steps.

To help reduce your vulnerability to cyber crime, the Police Digital Security Centre (PDSC) and the British Standards Institution (BSI) have developed a new certification scheme to help your organisation understand where it is at risk and what you can do to protect yourself, your customers and suppliers.

IoT security legislation needed

Suppliers of internet connected devices are largely failing to improve the security of their products, exposing users to privacy risks, so there is no choice but to legislate in this area, says a researcher

Most suppliers notified of security and privacy issues in their smart products are “intransigent” and make no effort at all, according to security researcher Ken Munro, senior partner at Pen Test Partners, which specialises in the security of internet of things (IoT) devices.

Munro has spent the past five years fighting manufacturers of smart products, trying to influence behaviour and make products more secure. By and large, he says, he has failed, because the security of smart devices is actually getting worse.

Munro and his colleagues have exposed the security vulnerabilities in a range of IoT devices, including Samsung smart TVs, door locks on Mitsubishi Outlander vehicles, the Cayla interactive doll, the iKettle and the Swann home security camera.

While some of the larger brands, such as Ring, now owned by Amazon, and BB-8 toy makers Sphero, licensed by Disney, have been good about responding to security vulnerability reports, Munro said most suppliers are startups or bigger brands buying in third-party products.

These organisations typically do not have the resources, and it has never been on their radar to do security – that’s why Munro thinks they need to have some big sticks to ensure manufacturers put in some very basic security.

When security vulnerabilities are discovered, Pen Test Partners follows a policy of responsible disclosure to the manufacturers, giving them an opportunity to fix the issues before going public with the findings.

IoT suppliers deliberately ignore warnings

Munro’s experience with almost every single IoT supplier Pen Test Partners has ever disclosed to – and it has made two to three disclosures per week for the past four years – is that they simply ignore him: nothing happens and they carry on selling their product, profiting from making people vulnerable.

IoT widely used in business context

While IoT is generally thought of in terms of consumer products, he pointed out that some IoT systems are widely used in the business context such as building management systems that control the heating, cooling, door locks and fire alarms.

It is important that businesses think about the IoT devices they have in their environments. The gap between IT and services often creates opportunities for technology to cause problems, so there are some key questions businesses need to ask suppliers, retailers and hardware manufacturers so that they know whether they are buying a good product or one full of security vulnerabilities.

Munro said he was able to buy a controller of a business management system online and was able to find vulnerabilities that could be exploited to discover the password of the embedded server that would enable an attacker to take complete control of the building management system.

According to Shodan, the search engine for embedded devices on the internet, hundreds of these controllers have been put into organisations by third-party installers and put straight on the internet for remote access and control, which means an attacker could do things like unlock doors and set off fire alarms to force an evacuation of a building.

Munro even discovered that some of the devices had been infected with crypto-mining malware to generate cryptocurrencies for cyber criminals.

In recent days, he said, Pen Test Partners has been working on third-party car alarms. The firm believes that over five million cars can be located, unlocked, started and driven away, so in general IoT security is a train wreck.

The UK has so far stopped short of regulation, electing instead to publish a Secure by Design voluntary Code of Practice (CoP) in October 2018 that was developed by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC).

While the final version of the CoP is largely unchanged from the draft version, it has been revised to ensure compliance with the EU’s General Data Protection Regulation (GDPR) and the UK’s new GDPR-aligned Data Protection Act to facilitate regulatory implementation in future.

Initial IoT draft did not address refusal to follow guidelines

The CoP is a great start, but there is still more to be done. He would like to see fresh primary legislation in the IoT arena in the UK, but this will take time. It would also be reasonable to let the CoP guidance ‘bed in’ with manufacturers. If they don’t start to change behaviour, that would be the time for regulation.

Munro believes giving consumers the right to return vulnerable smart products for credit will create financial incentives for manufacturers to improve security, as will retailers committing to not stocking vulnerable smart tech, backed up by trading standards legislation. He would also like to see manufacturers delivering product security updates for the foreseeable life of the product.

Munro thinks demonstrating security in a product will actually drive sales because if someone can buy a smart thermostat and know it is secure, that will increase sales in the market.

The proposed European Cybersecurity Act, however, covers only corporate and medical devices, including critical national infrastructure, but is currently voluntary for consumer devices, he said.

Munro finds it a real shame, because consumer devices are as much of a threat: they have shown how attackers could aggregate smart thermostats and take the electricity grid. He thinks they have to bring in regulation – they have no choice. It is simple, and they could learn so much from that. It would enable them to say this is what they want, and then they can start to build up the next layer of accreditations and the next layer of regulation – but they should do the basics first.

Nearly half of UK firms hit by cyber phishing attacks

Nearly half of UK businesses have been compromised in the past two years using phishing attacks, despite high levels of cyber awareness and training.

Phishing attacks aimed at stealing legitimate user credentials have been used in the past 24 months to compromise 45% of UK organisations, according to research on behalf of cyber security firm Sophos.

Just over half (54%) of more than 900 IT directors polled in Western Europe said they had identified instances of employees replying to unsolicited emails or clicking on links contained within them, revealed a poll conducted by Sapio Research.

The study revealed that larger businesses are most likely to have been compromised by phishing attacks, despite also being most likely to conduct phishing and cyber threat awareness training.

Although businesses in the UK fell victim to phishing attacks at a similar rate to those in France (49%) and the Netherlands (44%), those in Ireland performed significantly better. Just 25% of Irish respondents said they had fallen victim to phishing in the past two years.

Across all respondents, 56% of companies employing between 500 and 750 people were identified as phishing victims in the past two years, while two-thirds (65%) had identified instances of employees replying to unsolicited emails or clicking on links contained within them.

By comparison, just 25% of firms with fewer than 250 people and 36% of organisations with between 250 and 499 employees had been compromised by phishing in the same period.

Half of firms with fewer than 250 people offered training to help employees spot attacks, compared with 78% of those with between 500 and 1,000 people. And 79% of UK companies conduct regular cyber threat awareness training already, while 18% said they plan to offer it in the future.

Adam Bradley, UK managing director at Sophos, said criminals are adept at using social engineering to exploit human weakness, so while well-trained employees are an excellent deterrent, even the best user can slip up.

According to Bradley, phishing is one of the most common routes of entry for cyber criminals. As organisations grow, their risk of becoming a victim also increases as they become more lucrative targets and provide hackers with more potential points of failure.

Given the frequency of these attacks, organisations that don’t have basic infrastructure in place to spot people engaging with potentially harmful emails and whether their systems are compromised are likely to encounter some really significant problems.

Organisations should block malicious links, attachments and imposters before they reach users’ inboxes, said Bradley, and use the latest cyber security tools to stop ransomware and other advanced threats from running on devices even if a user clicks a malicious link or opens an infected attachment.

Businesses warned to prepare for cyber security extortion campaigns

Directors, lawyers and doctors are the top extortion targets of cyber criminals, research tracking sextortion attempts reveals.

Cyber criminal groups are promising rewards of £276,300 a year on average to accomplices who help them target high-worth individuals with extortion scams, research reports.

The reward promises are even higher for accomplices with network management, penetration testing and programming skills, according to researchers at risk protection firm Digital Shadows.

One threat actor, the report said, was offering £600,000 a year, with add-ons and a final salary after the second year of £840,000.

The main method of cyber security extortion where criminals deem potential victims to be particularly vulnerable is so-called “sextortion”.

Digital Shadows tracked a sample of sextortion campaigns and found that from July 2018 to February 2019 over 89,000 unique recipients faced around 792,000 extortion attempts.

An analysis of bitcoin wallets associated with these scams found that sextortionists could be reaping an average of £414 per victim.

The campaigns follow a similar pattern, the researchers found, in which the extortionist provides the target with a known password as “proof” of compromise, then claims to have video footage of the victim watching adult content online, and finally urges them to pay a ransom to a specified bitcoin address.

However, the researchers said other campaigns can be even more sinister, with one spam campaign from December 2018 claiming that recipients will be “killed” if they did not pay.

Extortion is in part being fuelled by the number of ready-made extortion materials available on criminal forums, the researchers said. These are lowering the barriers to entry for wannabe criminals, with sensitive corporate documents, intellectual property and extortion manuals being sold on by more experienced criminals to aspiring extortionists for less than £10.

In one example, seen by Digital Shadows, the guide specifically focuses on a sextortion tactic whereby the threat actor begins an online relationship with a married man and then threatens to reveal details of the affair to his partner unless a ransom is paid.

The guide claims this extortion method is the easiest for “novice” threat actors to start with, suggesting they could earn between £230 and £380 per extortion attempt. Dedicated subsections exist on criminal forums for this type of dating scam.

Even greater levels of sophistication could be around the corner, the researchers warn, if so-called “crowd-funding” schemes take off.

In April 2018, threat actor “thedarkoverlord” stole documents belonging to the insurance provider Hiscox, including files related to the 9/11 attacks in the US. The threat actor hoped to play on the public’s appetite for 9/11-related controversy and encouraged people to raise funds to view the documents. Currently this campaign has amassed around £8,904.

Crowdfunding models such as this, the researchers said, allow extortionists to raise funds from the general public rather than relying on victims giving in to ransom demands. Organisations dealing with inflammatory or sensational information should therefore consider how they would respond if an attacker opts for this course of action, they said.

Making the UK the safest place to live and work online

Government, industry and individuals all have to play their part in enhancing cyber security practices

We all watched a few weeks ago as the chancellor set the new Budget, pledging an extra £1bn to boost UK defences, including cyber security. Add to that the proposed internet safety laws and new regulations around the collection and use of personal data, and in many ways we are on the right path to keeping the UK as a safe place to live and do business online.

But it is always worth reminding ourselves, whether we represent government, industry or the individual, of the key part we all have to play in creating the skills, practices and expectations of a safe online and working environment.

The objective of government should be to help create an environment in which industry and individuals are encouraged to expect and deliver good cyber security, and where the UK has the cyber skills and workforce it needs. This can be achieved through the levers available to government – legislation, policy and incentives.

One area where the government is leading on such efforts in the UK is in establishing new “secure by design” measures, encouraging manufacturers to embed security into the design of new technology rather than as a bolt-on or afterthought.

The Department for Digital, Culture, Media and Sport (DCMS) says there are expected to be more than 420 million internet-connected devices in use across the UK within the next three years, with the risk of poorly secured devices leaving people exposed to large-scale cyber attacks.

Such secure-by-design codes of practice, developed by the DCMS and the National Cyber Security Centre alongside industry, are not only key in driving innovation in technology, but in creating trust between government, industry and individuals through the development of products and services that keep people safe.

The role of government is also to set an example. According to EY’s 2018-19 Global information security survey, half of all local authorities in England still rely on unsupported server software.

In the face of emerging global cyber threats, and as the gatekeepers to our essential services, effective cyber security can only be tackled with the relevant technology and training rolled out across public sector departments, agencies and bodies to protect our critical assets.

Cyber security awareness

EY’s survey found that 77% of organisations are still operating with limited cyber security and resilience. Asked what they saw as their top vulnerability, 34% of organisations said careless or unaware employees. This underscores the importance of cyber security awareness and culture as key aspects of the defence against cyber attacks.

So what can be done? Even if the board knows that cyber attacks are on the rise, is it prepared to make the necessary investments in people, processes and technology to tackle these issues? The survey is encouraging in this respect, with 53% of organisations saying they have increased their budgets this year and 65% planning an increase next year.

Despite this, most organisations admit they would be unlikely to step up their cyber security practices or spend more money unless they were hit by a breach or cyber incident. So a breach where no harm was caused would not lead to higher spending for most organisations. The problem is that in most cases, harm has been done – it simply has not come to the surface yet.

But there is an opportunity here. Many organisations now regard emerging technologies as a high priority for business growth, which implies that cyber security could, at last, be designed in. That includes more secure cloud and mobile computing, and also enablers such as cyber security analytics, robotic process automation and machine learning, which can provide early detection, prevention and resilience in the event of an attack.

Ultimately, the role of businesses is to protect their enterprise by building effective lines of defence around their business crown jewels, optimising cyber security by leveraging suitable technologies, and embedding cyber security as an enabler, rather than a barrier, to growth.

In an age when we manage most of our lives online, educating the public to be cautious when it comes to operational security can affect individuals positively, both as employees and consumers.

Finally, it is impossible not to mention the cyber skills deficit. With 30% of surveyed organisations saying they still don’t have the skills they need, cyber security must be promoted more strongly as a growing career path.

Government, industry and the individual all have their role to play in this – government in building the education infrastructure for IT; industry in creating the jobs that will encourage the workforce of the future; and individuals by taking the time to understand cyber security.

If you want to save yourself stress, money and a damaged reputation from a cyber incident, please ring us now on 03333 393 139, email assist@cyber139.com or complete the form on our contact page for cyber security incident prevention, protection and training.

Use of Cyber Security Insurance increasing

The use of cyber security insurance is growing – but one in three companies is still ignoring the benefits.

Cyber security insurance adoption is expected to continue to grow, but only 38% of companies polled in the US and Europe have active cyber insurance policies in place, a study has revealed.

Of those insured organisations, 45% purchased cyber security cover in the past two years, 32% purchased their policy three to four years ago, and only 24% have been covered for more than five years, according to the study by IT industry networking organisation Spiceworks.

Despite the fact that the adoption of cyber security insurance policies to offset the recovery costs associated with security incidents continues to grow, the survey of nearly 600 organisations revealed that many organisations are still not sold on the benefits of cyber insurance and are hesitant to purchase a policy.

However, according to a separate poll in the Spiceworks Community, 11% of organisations without coverage plan to purchase a cyber insurance policy within the next two years.

Cyber security insurance drivers

The study shows that increased priority on security is a top driver of cyber insurance adoption, with 71% of organisations purchasing cyber insurance as a precautionary measure, while 44% cited an increased priority on cyber security as the reason they bought a policy.

The risk of managing large volumes of personal data also drove 39% of organisations to purchase cyber insurance. This is likely to be linked to the growing number of data protection requirements around the world, such as the EU’s General Data Protection Regulation (GDPR). However, less than 15% purchased a policy due to a recent security incident or data breach.

When comparing the prevalence of cyber security insurance policies in North America and Europe, the regulatory environment and impact of new regulations such as GDPR become apparent, the report said.

Only 4% of organisations in North America purchased cyber security insurance because of new data protection regulations, compared with 43% in Europe.

Across both regions, 52% of companies with cyber security insurance have a coverage limit between $1m and $5m, 19% have a coverage limit between $6m and $10m, and 16% are covered for more than $10m. However, the results showed only 7% had ever filed a claim with their cyber insurance provider.

Among the companies that do not carry cyber insurance, the lack of knowledge about cyber insurance was found to be one of the top three reasons why they have not purchased a policy. Some 36% of IT professionals said their organisation was not covered due to a lack of knowledge about cyber insurance, while 41% said it was not a priority at their organisation, and 40% said they didn’t have budget for it.

Additionally, 33% of organisations have not purchased a policy because they are not sold on the benefits, and 20% reported insufficient use cases for cyber insurance, while 12% said they were not confident claims would be paid out.

If you want to save yourself stress, money and a damaged reputation from a cyber incident, please ring us now on 01242 521967, email assist@cyber139.com or complete the form on our contact page for cyber security incident prevention, protection and training.