According to cybersecurity expert Perseus, 88% of companies have been victims of cyberattacks in the last two years. The latest figures from the Federal Criminal Police Office show that cybercrimes have increased by a further twelve percent in the last year. The war in Ukraine has further increased the potential for risk. GDV and BSI warn in unison. Perseus CEO Kevin Püster explains how companies can protect themselves.
What are cyber risks?
blower: Cyber risks are the risks that arise for a business through its stored digital information and existing IT components. The more important digital devices, technology, processes and data are in daily work, the more devastating the effects if they fail, are damaged or stolen. For example, if a data carrier is accidentally deleted, if a short circuit or fire renders a server inoperable, or an attack by cybercriminals renders the entire corporate network unusable.
How can cyber risks be reduced?
blower: Precautions can be taken against cyber risks and their negative effects. Protection measures against attacks by cybercriminals play a particularly important role. Because such attacks are becoming more frequent, diverse and serious. At the same time, many protection measures against such attacks also reduce the negative effects of other cyber risks. Offsite data backups are useful when cybercriminals have encrypted all company data and also when a fire has damaged the server.
How common are cybercriminal attacks?
blower: Cybercriminal attacks are not just common, they are common, especially in the form of spam or phishing email. Successful attacks are also common. According to a representative study by the digital association Bitkom, cyber attacks in 2020/2021 caused damage to 89 percent of the companies surveyed. The 2021 annual report of the Federal Office for Information Security (BSI) confirms that these types of attacks are on the rise. Among other things, the number of malicious programs grew by around 22 percent compared to the previous year.
Which companies are particularly vulnerable to cyber attacks?
blower: Small and medium-sized businesses (SMEs) are especially vulnerable to cyberattacks. On the one hand, because 99.4 percent of all German companies are SMEs. Small businesses, with up to nine employees, make up the vast majority of these: 81.9 percent.
On the other hand, in small and very small companies, there is often no one who is explicitly responsible for IT security. There is rarely a holistic concept of IT protection or training for employees on the subject of IT security. The technology used (hardware and software) is not always up to date and preparations for possible cyber attacks are the exception rather than the rule. Organizations that meet several of these conditions are particularly vulnerable to cyberattacks and the damage they cause.
What is the biggest cyber threat for SMEs?
blower: By far the biggest threat to cyber security for SMBs is failing to recognize the risks that exist. Because the lower the risk awareness, the less protective measures are taken: cyberattacks are more likely to be successful and less likely to limit damage from the start. The cause of these errors in judgment often lies in the misconception that the company itself is too small and uninteresting for cybercriminals.
However, from the point of view of cybercriminals, any company with an Internet connection is an attractive target. For example, to steal customer data and sell it on the dark web or to spy on access to online banking. Also, any company that needs its IT to work can be blackmailed with encryption software. Many attacks are based on the watering can principle with emails automatically sent to hundreds of thousands of recipients. More complex targeted attacks are also possible if an SME is a supplier company through which cybercriminals hope to gain access to a larger company.
What are the consequences of cyber incidents?
blower: Cyberattacks can incur costs for business failures lasting several days, for hardware and software replacement, for IT services, and for the extra effort to reconstruct lost data using files, for example. Additionally, there may be fines for GDPR violations, contractual penalties, payment defaults, and strained or even terminated business relationships.
If, for example, encryption software locks down all company IT, incoming orders, reservations, appointment calendars, and customer and contact data will no longer be accessible. So many customers and partner companies may not even be informed about failures and delays.
The damage to image and business relationships is further increased by the fact that it can rarely be accurately predicted when regular operations can resume. Because the IT system needs to be thoroughly cleaned, tested, and possibly even reconfigured. The reason for this is that cybercriminals often hide other malware deep within the system to attack again later.
How can companies protect themselves?
blower: In order to prevent cyberthreats in the long term, a holistic concept of cybersecurity is required, which consists of preventive measures, comprehensive emergency management and the correct evaluation of existing cyber risks. Companies should attach great importance to building strong basic IT protection, for example according to BSI specifications. This includes measures to prevent cyber attacks. However, it cannot offer 100% protection against cyber attacks, so measures to limit damage after successful attacks are also part of basic IT protection.
The building blocks of basic preventive computer protection are strong passwords, antivirus programs, firewalls, and prompt installation of updates. Employee training is of great importance, also to successfully defend against the most common cyber-attacks: E-mail attacks that are sometimes very cleverly spoofed. According to a Sophos study, emails were the gateway to 70 percent of successful cyberattacks against businesses.
An emergency plan and data backups are particularly important to limit damage after a cyber attack. The contingency plan allows quick and targeted action as soon as a cyber attack is detected. Up-to-date data backups, at least one of which must be kept separate from the system, ensure that operations can be resumed as quickly as possible after an attack. Cyber insurance can also absorb the financial damage of an attack.
Cyber Insurance: Identifying and Assessing Cyber Risks
blower: Cyber risks are demanding risks that also develop dynamically. New threats constantly change the situation. Cyber insurers currently use questionnaires to assess a company’s risk. Depending on the insurer, a different number of questions are asked about basic IT protection. Increasingly precise questions allow an accurate assessment of risk.
In answering these questions, companies often seek advice. This is where third party service providers like Perseus Technologies can help. At the same time, they can act as an interface between insurance companies and businesses. Making an informed risk assessment and helping companies improve their cybersecurity through consulting, prevention programs and emergency assistance.
How can future insurability be ensured?
blower: In view of the increasing number of attacks and amounts of damage, it is increasingly important to assess risk as accurately as possible. On the one hand for accurate cohort formation, on the other hand to compare how the collected factors affect claims.
To avoid subsequent adjustments in premiums, the insurance conditions must also be more specific and demanding.
Companies that actively minimize their risks are increasingly attractive to insurers. Therefore, more and more insurers promote risk minimization, including through cooperation with service providers such as Perseus. In this context, recurring risk assessments are gaining in importance, among other things to identify positive developments in a company.
For insurance companies and brokers, a standardization of risk assessment would also be desirable to make it easier to compare different offers. For insurers, it would have the advantage of being able to use internal resources more efficiently.