The takeaway from the Hiscox Cyber Readiness Report 2019 is that Cybercrime can happen to us all. It’s a real threat that can have crippling effects on businesses in both the short term, as they can lead to the loss of valuable data and resources, and in the long term, as it often results in the breakdown of existing client relationships and the ability to attract new ones.

Hiscox reported that, of the 5,400 small, medium and large businesses surveyed, 55% had faced an attack this year, up from 40% last year. This being a global survey featuring the UK, Germany, the US, Belgium, France, the Netherlands and Spain, the insurer was able to establish a number of worrying home truths:

1. UK firms have the lowest cyber security budgets;

2. UK firms are least likely (joint with the US) to have a “defined role for cyber security” on their staff; and

3. the average cost of a cyber attack in the UK is £187,000.

For those that haven’t experienced an attack, Yogesh Agarwal[i], a business advisor who specialises in protecting organisations against cyber-crime, has written an account of a cyber-attack on one of his clients’ business below, from the perspective of the business owner:

One late evening, our IT administrator called telling me we were hit by ransomware, something similar to the attack on the NHS. All computer and server screens on our production network had the same message:

 “your systems and data have been encrypted. Pay 25 bitcoins to get your systems back”. 

25 bitcoins was about £200,000 at that time, so the technician was in our office within the next 30 minutes, disconnecting the network cables, shutting down the systems and, where possible, salvaging back-ups.

 The following morning, we arranged for the rescue team to be on-site by 9.00 AM and within a couple of hours of investigation, gathering evidences and salvage attempts, they gave us an initial briefing.

In short:

• the doors to our networks were readily accessible;

• we were punished for not upgrading our systems;

• the back-ups were not as regular as we thought they were; and for us

• there was no decryption key available to reverse the situation

Frustratingly, we already knew about some of the issues with our systems and that they were getting dated now (even in just 5 years!). We knew this and had the upgrade budgeted for the new year, just after we completed a major client project.

By now, the rescue team were busy reported the incident and the recovery efforts to Action Fraud, the Information Commissioner’s Office (the “ICO”) and to the local cybercrime branch; whilst dealing with police and preparing incident report for the clients. Our support mailbox was already piling up and the phones continued to ring with customers complaining about issues in accessing our platform. 

As our focus was getting the business back up and running, we decided to implement an automated response to client emails. The rescue team, however, had a different idea. Instead, they insisted I personally called all key clients, made them aware of the situation, responded to every email I received, apologised for any trouble caused, and remained open and realistic with them about how soon we were likely to be up and running.

This was the right approach and critical as a number of clients, including several larger ones whose services were completely down, started threatening us with legal action and blaming us for incompetence. On request, I even personally briefed a client’s board – this was a humbling experience and one I would like to avoid in the future. I was able to divert members of our support team to start dealing with the queries around service-level agreements, compensation for loss of business, our liability towards protecting their data, and whether clients themselves needed to report to the ICO.

80% of our clients were back up on our platform after a week but it took longer, and at a far greater expense, to secure our largest client’s data and rebuild their trust. Fortunately, none of our clients left us as a result of the attack and our relationships remain strong. It was a sobering experience. We were naïve; we believed it would not happen to us, “we are too small”. Had we been better prepared or been aware of the basic cyber security essentials we would have been better protected and saved ourselves monetary and reputational damage.

Cybercrime can bring a host of legal issues. Simple steps like implementing a cybersecurity policy and making sure it is part of the employees’ terms and conditions, cybercrime training for employees (so they are aware of the kind of threats the business may come up against), and ensuring appropriate insurance is in place to deal with an attack, should all be considered by business and then implemented as soon as possible. New regulations, such as the Data Protection Act 2018 and the General Data Protection Regulations (“GDPR”) have prompted action, eight out of ten UK business say “they are making changes”. But as seen above, future security upgrades are no defence against current attacks.

To speak to Jacob: jmontague@clarkslegal.com

[i] Yogesh Agarwal (CA, CFE, CISA, CRISC, CCSK) Director, Information Assurance, yogesh@rightcue.com