Insurance may not be enough to stop hackers

NEARLY two dozen ransomeware attacks were made against Jersey businesses in the first three months of this year, according to research by just one local IT company.

Logicalis also logged more than seven Office 365 break ins, 21 examples of attackers exploiting vulnerabilities caused by user errors, three DDoS attacks from hackers using company bandwidths, 20 compromised systems because of poor configuration, and 50 examples of hackers using credentials from the dark web to log in.

All told, the Logicalis Security Operations Centre detected 124 cyber-attacks in the Island in three months, which Logicalis say must be a fraction of the real level of attacks.

The message, according to Ricky Magalhaes, Managed Security Services Director at Logicalis, is that companies will loose out if they rely on insurance to cover the costs of those attacks. He fears that up to 80% of businesses would not be covered by their cyber insurance policies in the event of a cyber-attack because they are not following correct security protocols.

‘Many companies think cyber insurance is an alternative to good cyber security practices; however, if you

don’t have correct controls in place, your insurance will not cover you,’ Mr Magalhaes said.

‘Up to 80% of companies with cyber insurance are not following basic cyber security procedures, which means if they suffer a loss, it will be hard for them to claim because they have been negligent.’

Even if the user follows correct procedures and an insurance company pays out, the real costs of a cyber-attack could be well beyond the financial compensation they receive. For example, US drug maker Merck, lost $750m in the NotPetya attacks last year, but received only $275m in insurance.

‘Proper security monitoring, simple procedures such as

using two-factor authentication, and regular training and testing of staff to help prevent security breaches in the first place, are vital, whether you are insured or not,’ Mr Magalhaes said.

‘A lot of cyber-attacks happen because of behaviour of staff, rather than because of the technology, which makes it very hard to assess risks. One thing is certain, though, the risks of cyber-crime are higher than ever.”