What’s your plan to survive a cyber-attack?


How embarrassing. 

Your IT infrastructure is packed to the hilt with security features and looked after by a crack team. But you’ve been hit by a cyber-attack and the network’s in lockdown. No one can do a stroke of work and business has ground to a halt…which means a red light to revenue too. So, it must be IT’s fault, surely? The buck stops with them for failing to anticipate the threat and protect the system better. 

Not so. 

Cyber-attacks are growing not only in number but in complexity as hackers get more devious. That means no one’s safe. And when security-savvy companies like Microsoft, Boeing and Sony are being hit, what hope is there for the rest of us? 

No place to hide 

It’s not just the big boys that hackers are going after, either. SMEs, public sector bodies and contractors are fair game too. Scarily, the Department of Culture, Media and Sport reports nearly half of the UK’s 5.5 million businesses suffered an attack or a breach last year. 

Sure, you can follow best practice and make systems as protected as they can be. But it’s entirely possible to be caught out if hackers discover a new vulnerability in a piece of software. Or if an employee clicks on a bogus email link and floods your network with malware. 

That makes a cyber-attack more a case of ‘when’ than ‘if’ for any business. And the bad news is that they can prove damagingly costly – both to your reputation if there’s a data breach, and to your bottom line in terms of regulatory fines, legal action and lost income. 

Hard numbers 

The proof’s in the figures.   

Hiscox surveyed over 3,000 SMEs in the UK, Germany and America and found the average cost of a cyber-attack is nearly £26,000.   

That’s a financial kick in the teeth many companies simply can’t recover from.   

If you haven’t got one already, a recovery plan is essential to get things back up and running as quickly as possible – without going bankrupt in the process. 

Because, unfortunately, dealing with the aftermath of a cyber-attack isn’t just about fixing the IT. There’s a ton of other stuff to do, too. 

Starters orders 

However, IT is where it starts. 

First you need to stop the attack. Then you need to found out what happened, fix the damage and restore systems as completely as possible. All of that takes time and money. 

In the meantime, your usual way of doing business will be in tatters, so profits will suffer. And if your clients get in touch through a phone system that works hand-in- hand with your IT, you’ll also be out of reach. 

What if you’ve lost data and it hasn’t recently been backed up? That can spell disaster. All the work will have to be done again – if you can remember what it was in the first place. And what if cyber criminals are holding your files to ransom? Do you negotiate with them, pay up, or what? 

Data danger 

Customer or staff personal data has high currency on the dark web. If hackers have managed to get hold of it through you, you’re in real trouble. 

A data breach like that means you’ll have to tell the Information Commissioner’s Office (ICO). It’s likely to launch a time-consuming investigation and clobber you with a hefty fine. You’ll also have to tell the affected people about the breach.  

What’s worse is that all this is set to get, well, worse. The new General Data Protection Regulation, which goes live May 2018, imposes strict new rules for handling and storing EU citizens’ data. If the ICO thinks you haven’t been playing ball, it can impose a fine up to €20 million or 4% of your annual revenue – whichever is more. 

Courting disaster 

People whose private information has been exposed, and who may well have suffered financial loss because of it, will want compensation. They’ll take you to court – which means a chunky bill for solicitors, legal costs, damages etc. 

That’s a lot for anyone to get their head round. Especially when there’s a business to run at the same time. It’s probably why our survey of 500 UK SMEs revealed nearly one in five owners lose sleep worrying about cybercrime. 

The plan’s the thing 

The key thing, then, is to have a recovery plan. That’s where cyber insurance helps.   

It kicks in immediately, pretty much as soon as you call your broker in fact. It provides rapid computer forensics and help, and stand-in kit so your business can keep functioning. If one’s needed, you get an expert to deal with ransom situations too. 

When there’s been a data breach, cyber insurance takes care of liaising with the ICO and deals with any investigation. It also pays to tell anyone affected by the breach and provides credit monitoring. 

If compensation claims follow, cyber insurance pays your legal costs and picks up the tab for any damages awarded. 

Crucially, it covers lost revenue while your business is unable to function as normal, and pays for PR crisis management to help defend your battered reputation. That way, you stand more of a chance of having a business to go back to once calm has been restored. 

Tough medicine 

Frighteningly, our research also discovered 74% of SMEs haven’t put aside any budget to deal with the aftermath of a cyber-attack, while 43% have no plan in place for what to do when they’re hit. 

If your business falls into that category, it’s probably time to face facts and plan for the worst. The kind of ‘worst’ that cyber insurance can take the sting out of.  

Sarah Adams, Cyber Insurance Specialist at PolicyBee  

Image Credit: Alexskopje / Shutterstock