The UK Government’s annual Cyber Security breach survey has found that four in ten businesses have experienced a cyber security breach or attack in the last 12 months with 77% of businesses reporting that cyber security is a high priority for their directors or senior managers going forward1. Here, we analyse the survey in more detail and look at why COVID-19 has presented an opportunity for cyber criminals.

If I said boot sector, metamorphic, polymorphic, overwrite, resident, direct action and space filler would you know what I was talking about? I doubt it. Why? Because new cyber threats evolve daily, making it almost impossible to remain one step ahead of cyber-criminal activity.

The words above are different types of computer virus, with viruses being a mere subset of the many cyber-threats that exist. Some other, more familiar types of threats include botnets, malware, spoofing, phishing, ransomware, spyware, trojan horses and worms; each of which, contain thousands of items and methods. The cyber-security giant Kaspersky identified over 33 million unique malicious items in 2020, with over 173 million malicious URLs recognised within the report.1 The Common Vulnerabilities and Exposure (CVE) system is a publically accessible reference list which highlights known security vulnerabilities within commonly used applications and operating systems, such as services offered by Adobe and Microsoft. The number of new vulnerabilities identified each year has followed a general upward trend since 1988, with 17,992 new vulnerabilities identified in 2020, and culminating in a grand total of 180,171 vulnerabilities identified by the end of 2020.2

Cyber-attacks have become more frequent and the latest Government Cyber Security Breaches Survey report shows that cyber security breaches are a serious threat to all types of businesses and charities. Among those identifying breaches or attacks, their frequency is undiminished, and phishing remains the most common threat. Four in ten businesses (39%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. Like previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%). Three-quarters (77%) of businesses say cyber security is a high priority for their directors or senior managers. These are key findings in the UK Government’s annual Cyber Security Breaches Survey.3

This year, fewer businesses are identifying breaches or attacks than in 2020 (when it was 46%), while the charity results are unchanged. This could be the result of a reduction in trading activity from businesses during the pandemic, which may have inadvertently made some businesses temporarily less detectable to attackers this year.3

COVID-19 seen as an opportunity for cyber criminals

More than a quarter of the incidents which the UK's National Cyber Security Centre (NCSC) responded to over an 18 month period between September 2019 to August 2020 were COVID-19 related, according to its latest annual report.

In 723 incidents of all kinds (close to a 10% rise on the previous period), 194 were COVID-19 related and whilst some of the incidents related to countering nation-state attacks, most were criminal in nature. GCHQ disclosed that it had thwarted 15,354 campaigns that had used coronavirus themes as a "lure" to fool people into clicking on a link or opening an attachment containing malicious software. Some involved fake shops selling PPE (personal protective equipment), test kits and even vaccines.4

Cyber threats are as prevalent and credible as any other threats we face. You would never leave your front door unlocked and the windows open when you go to sleep. Yet, these equivalents are being played out, online, every day for millions of people and businesses.

If you think it sounds scary, you’re right, it is, but it really is a case of “the best defence is a good offense” and being proactive in your approach does strengthen the odds in your favour. The knowledge and services offered by the Cyber Risk Management Practice at Gallagher can assist in building robust security processes and procedures around your internal systems, as well as providing accreditation status to identify the strength of your people, processes and technology.

Cybersecurity at a glance

At its core, cybersecurity is the ongoing development of protecting systems, networks and programs from digital attacks. The attacks are usually orchestrated to access information, but also can purely be for destructive or disruptive purposes. When successful, the cybersecurity implemented by an organisation has multiple layers of protection spread across all infrastructure. This is only possible when PPT (people, processes and technology) are all in agreeance, complementing one another, to minimise the risk of an attack.

Will it affect me?

You may have a preconception of security breaches only occurring in major institutions, like the Twitter hack in July 2020, in which high profile accounts tweeted out a bitcoin scam5. Or maybe the NHS ransomware attack in 2017, which was part of the wider global WannaCry ransomware attack. The attack cost the NHS £92m and was the cause of 19,000 cancelled appointments6. These highly publicised events skew public opinion that this is a problem for big corporates. Why would hackers care about other businesses? In short: they do.

Each day we see organisations of all sizes in all sectors dealing with cyber-attacks and data breaches. Chances are, if you have a website, use online cloud services, remotely log in to work from home and/or use your work email address for personal services then your business will have a so-called “broad surface of attack”, a term used to describe the avenues a malicious user can explore and potentially exploit.

Fundamentally, three technological entities need to be considered, protected and monitored within organisations. Endpoint devices (smartphone, computers, routers etc.), networks (LAN, WAN, remote logins) and the cloud (Office 365, G-suite).

People are the problem… and the solution!

However it’s not just technology that can be attacked, people are just as susceptible to being compromised, usually without even knowing it. Hackers are adept at using social engineering to extrapolate vital information from people within organisations in an attempt to launch an attack. Have you ever filled in one of those quizzes on social media where you list a plethora of personal information about yourself and share it amongst a number of friends? Those seemingly innocuous posts could actually be revealing intimately personal information about you to hackers, in an attempt to try and guess passwords and answer any security questions on accounts.

Sometimes though, your credentials are already out there. Though the number of reported breaches may have declined last year, the number of breached records skyrocketed, according to a report released7 by security firm Risk Based Security (RSB).The volume of publicly disclosed data breaches fell by 48% in 2020 compared with the previous year, leading to 3,932 in total. However, the volume of records that were compromised by these breaches jumped by 141% to a whopping 37 billion, the largest number seen by RSB since 20058.

1. Kaspersky Security Bulletin 2020 Statistics

Conditions and Limitations
This note is not intended to give legal or financial advice, and, accordingly, it should not be relied upon for such. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. In preparing this note we have relied on information sourced from third parties and we make no claims as to the completeness or accuracy of the information contained herein. It reflects our understanding as at 20/05/2021, but you will recognise that matters concerning Covid-19 are fast changing across the world. You should not act upon information in this bulletin nor determine not to act, without first seeking specific legal and/ or specialist advice. Gallagher accepts no liability for any inaccuracy, omission or mistake in this note, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein. No third party to whom this is passed can rely on it. Should you require advice about your specific insurance arrangements or specific claim circumstances, please get in touch with your usual contact at Gallagher.