Cyber remains one of the most significant and fastest-growing risks facing UK business, with attacks increasing year on year. We are in the midst of what some are calling the fourth industrial revolution, and as businesses become more reliant on digital infrastructure and online distribution channels, this threat is set to increase.
The insurance industry is playing a key role in cyber risk protection by developing products and providing risk management advice to help clients protect against this threat. Yet there is still a long way to go in educating people within our industry, and our clients, about the risk.
Government research published in 2015 found that 22% of small businesses admit they “don’t know where to start” with cyber security. This highlights the vital role the insurance industry needs to play in helping clients understand their exposure and implement good basic security practice, such as the government-backed Cyber Essentials scheme.
Cyber Essentials was developed as part of the UK National Cyber Security Programme. It gives businesses of all sizes a clear baseline of basic technical controls (boundary firewalls, secure configuration, user access control, malware protection and patch management) that protect against the most common, commodity cyber threats.
At Asta we take cyber security very seriously and have achieved Cyber Essentials Plus certification, which involved our systems being tested by an external certifying body rather than self-assessed. We also hold ISO 27001 certification. ISO 27001 sets out the requirements for an information security management system (ISMS), a framework that helps us identify, analyse and address information risks on an ongoing basis.
ISO 27001 requires senior management buy-in and an awareness programme across the business. Asta’s executive team is fully supportive of IT security initiatives and we are embedding a culture of cyber resilience within the organisation. Educating employees on the risks is a crucial part of protecting the business, as people are frequently the weakest link in the security chain. Cyber awareness should not be viewed as a tick-box exercise but as part of every employee’s ongoing training.
Yet protection is only one part of being resilient. Cyber-attacks are becoming more prevalent, and management need to accept that it is a case of ‘when’, not ‘if’, their business will suffer a successful attack. Defences should therefore be built in depth: multiple independent layers of security controls, so that the failure of any single control does not give an attacker free rein. Beyond that, businesses need a tried and tested incident response and recovery plan to limit the impact of an attack on future trading. Clients, employees and trading partners need the assurance that the business can continue as normal, or with minimal disruption, in the event of an attack.
Cyber-attacks are no longer a futuristic nightmare but a harsh reality. It is vital that businesses put the right infrastructure in place to minimise the threat, ensure employees receive ongoing training to recognise suspicious emails, and maintain a robust recovery plan that minimises the disruption caused by an attack and helps the business resume trading as quickly as possible.