For organisations of all sizes, the financial repercussions of a data breach or cyber-attack are now impossible to ignore. According to the Center for Strategic and International Studies, the estimated annual losses from cyber-crime in 2017 reached £291 billion.
It is easy to see how the costs all add up. Investigating and closing a breach, legal and public relations costs, the damage to share price, and the loss of business resulting from a damaged reputation all contribute to a perfect storm for organisations.
Additionally, the downtime that many businesses experience in the wake of an attack can be the most costly – for example, the cumulative productivity losses resulting from 2017’s WannaCry ransomware attack alone were approximately $4bn.
As a result, organisations are becoming more concerned, and are now investing in so-called ‘cyber insurance’ as a line of defence. Specifically, they are turning to Cyber Liability Insurance Cover (CLIC), which covers a broad range of costs that an organisation may experience in the event of a breach or cyber-attack – for example the cost of downtime, legal costs, and cyber extortion.
The problem with such an approach is that businesses are placing their bets on a reactive solution to a set of existing data protection issues. When we think about preparing for the worst, or ‘cyber-insurance’ in the classical sense, there are a number of key proactive strategies that businesses should adopt to reduce the likelihood of disaster, significantly reduce the cost of a security incident, and therefore reduce their inherent reliance on insurance pay-outs should the worst come to the worst.
Ransomware came to the forefront of the public’s attention in 2017 as it became the cybercriminal’s method of choice for extracting money from victims and causing chaos. Whilst the potential costs for businesses who fail to prepare for such attacks are high, the lion’s share of financial loss from a ransomware attack can be prevented by implementing a smart backup and disaster recovery strategy.
The golden rule with ransomware is to never pay the ransom – not only will the business’s money contribute to funding further criminal activity, but there is no guarantee that the perpetrators will honour their agreement to decrypt the data upon receipt. With all systems, applications, and data backed up regularly to multiple redundant locations, including the cloud, businesses can gain peace of mind that their data will be available at any time and that they will be able to avert disaster.
Aside from the timely backing up of critical data, the ability to recover that data instantly is even more imperative due to the astronomical costs of business downtime. Affected systems can take hours to be restored using legacy solutions, so in order to mitigate downtime, businesses should proactively implement recovery technology which allows users to access and use files and applications from the backup on demand, as if nothing had happened. This is the only way in which true business continuity, and therefore financial stability, can be achieved in a crisis.
Whilst downtime is costly, so too are the potential fines if businesses fail to comply with upcoming laws such as the General Data Protection Regulation (GDPR). Compliance is a tricky issue, but what is clear is that relying on insurance pay-outs after the fact is not an adequate response to the new data protection landscape. To help facilitate compliance, businesses must gain visibility of any and all data within their organisation, where it resides and how it is protected. Only then can businesses identify crucial vulnerabilities and compliance issues, and be in a position to better govern and control their environments.
Prevention is better than cure
“The truth is that you won’t be able to stop every threat and you need to get over it”. These are the words of Earl Perkins, research vice president, during the Gartner Security & Risk Management Summit last year. Whilst this may strike fear into the hearts of many, as outlined above, the impact of these threats can be vastly reduced.
Of course, some form of cyber-insurance may be beneficial as a last-resort strategy, but for minimal capital outlay, businesses can bolster their resistance by investing beforehand and taking a ‘prevention is better than cure’ approach. Businesses must look to reduce their financial reliance on insurance pay-outs by reducing risks beforehand and preparing for the worst – this is cyber-insurance in the classical sense.
A holistic disaster recovery and threat prevention strategy can provide significant insurance against risk, and help businesses weather any storm that 2018 may bring, without putting all their eggs in one basket and relying on an insurance pay-out.