Associations, Blog

Cyber-risk: What is it and How Can Associations Protect Themselves?

Figures revealed by the Financial Conduct Authority’s head of technology, resilience and cyber, Robin Jones, in a speech on 25 January 2018, show that a total of 69 material cyber incidents were declared to the FCA in 2017 – an increase from 38 in 2016 and 24 in 2015. That’s a rise of more than 80% last year alone!

Those numbers may seem insignificant when viewed in the context of ONS statistics that suggest there are about 1.9m incidents of cyber-related fraud each year. And, that the National Cyber Security Centre recorded over 1,100 reported attacks last year. That is until you take into account the requirement to report material cyber incidents to the FCA imposed on regulated financial services.

In these cases ‘material’ means attacks that lead to a significant loss of data, or the availability or control of IT systems; that affect a large number of customers; or result in unauthorised access to, or malicious software present on, the company’s information and communications systems. So, if cyber-attacks are a big deal in the tightly regulated area of financial services – a sector that you might expect to be exceptionally resilient – then how much of a problem are they for SMEs, trade associations, charities, and institutions?

Considering the rewards for cybercrime surpass most other forms of criminal activity. It is low risk, high reward, and it is relatively easy and cheap to be a cybercriminal. And technology is so integrated into our lives that 93% of business is conducted online. Then the problem is probably bigger than we imagine!

In fact the National Cyber Security Centre sees it is a tier one threat, next to terrorism. With sixty-six percent of small businesses having been the victims of cyber-attack or phishing campaigns last year, costing each one an average of £3000, according to some estimates. So, that puts most of us in the frame for a potential attack. But have we anything of value worth stealing?

What could happen? Email inaccessible. Other systems failures, including payroll, accounting, and ordering. Account information lost. Money and goods stolen. Data lost or compromised. Strategic plans and trade secrets stolen. The list goes on!

But what of the impact? Apart from the operational impact, lost earnings, inability to support customers and suppliers, and the need to repair systems? Ransom demands and extortion can lead to the loss of money and goods that are vital to your ability to continue trading. With the potential knock-on effect of lost competitive advantage, and damage to brand image. Plus, with the advent of more stringent GDPR requirements, the potential for regulatory penalties and fines!

So what are the threats to my business, what are my vulnerabilities, and are there any counter measures I can put in place? Phishing attacks, that involve emails claiming to be from reputable companies, try and trick staff into revealing personal or company information, such as passwords and credit card numbers, are some of the most common, and are best detected by training and vigilance.

Ransomware – software designed to block access to a computer system until a sum of money is paid – and malware, specifically designed to disrupt, damage, or gain authorized access to a computer system (which can sit on your system for up to 230 days before activation), along with a distributed denial of service, are the most common threats. Regularly updating anti-virus software and completing patching regimes are the first line of defence. But, outdated operating systems like Windows XP are particularly vulnerable because they are not supported or updated and are therefore liable to attack.

More practical measures to combat insider threats involve awareness training. Disabling USBs and other unnecessary hardware, separating user accounts, removing software, and implementing administration rights, can all be effective in overcoming insider threats and mistakes. Above all, switch on your human firewall and develop a cautious secure mind-set.

But what if I need extra help? That generally comes in two forms. The first line of defence are the expert services of a specialist IT support company that will assess your systems, recommend and install defensive barriers, and devise pro-active company security protocols. They may also test the vulnerability of your system periodically using simulated attacks; suggest and monitor staff training programmes; and use heuristic filters to protect against as yet unknown threats.

The second line of defence – cyber insurance – may seem like shutting the stable door after the horse has bolted. Far from it. Although insurance is no substitute for vigilance it can offer a valuable safety net if the worst happens. From a single point of contact through to restoration and recover services, practical help from insurers will also include legal assistance and forensic services (from specialists like Xenace). And, not forgetting that your finances and reputation will suffer – public relations cover!

But, before we leave the subject of finances, what does insurance cover? Losses could involve simple theft of funds, but might also result from hackers accessing data and demanding a ransom to release it, and income lost when viruses paralyse systems. But the knock on effect could also extend to fines and penalties incurred through data protection non-compliance, legal action by customers following accidental loss of data, and interruptions caused by the paralysis of third party providers.

At first glance Cyber-crime might appear to be a nuisance, and a distraction, from the daily routine of running a membership body. But it can quickly spiral out of control, causing untold damage, not only to finances, but also to brand image, reputation, and member confidence. So prevention in the form of technical expertise is most definitely best. But if you need a cure then insurance is there to help. Or better still, why not belt and braces?



Michael Hoare

Over twenty years experience managing and leading trade associations. I am a member and past president of the Institute of Association Management (IofAM); and former editor of Association News.