As an archaeologist, you might not think that the weird and wonderful world of insurance has much to offer apart from covering the mandatory essential insurances of your business. The necessary evils of insurance! You might not even wish therefore to be aware of the range of weird and wonderful insurance products which you could choose to buy!
What about cyber risks insurance? A great name for a start - and one probably created to engender an element of fear of the modern world!
What is it and does it apply to archaeologists?
Cyber risks insurance covers your business against any losses relating to damage to, or loss of information from, IT systems and computer networks. Not immediately relevant to archaeology?
Well, in my experience, archaeologists are generally ‘early adopters’ of technology – eager to adapt and apply new scientific techniques to the study of our past. I myself adapted some dental imaging technology to the study of Boxgrove handaxes in the 1990s. There is now more image manipulation and analysis capability in my phone than in the ‘Optimas’ set-up which I ‘developed’ back then!
Anyway, surveying with a total station, 3D modelling, GIS etc. all create vast amounts of data and that data is fundamental to your business, to your research, to your very being!
Do you back-up all of your data off-site? Of course you do. Do you keep multiple back-ups? Of course you do. Do you ustilise secure external servers? Of course you do. Do you hold client records as well? Is your website your ‘face to the world’? Do you use online banking to pay staff? Then you are a potential target!
Cyber attacks do happen and they result in:
· Loss of data
· Reputational damage
· Breach of privacy
· Data protection issues
· Business down-time
A UK Government survey estimated that in 2014 81% of large corporations and 60% of small businesses suffered a cyber breach. The average cost of a cyber-security breach is £600k-£1.15m for large businesses and £65k-115k for SMEs.
Who might be attacking you?
· Cyber criminals interested in making money through fraud or from the sale of valuable information
· Industrial competitors and foreign intelligence services, interested in gaining an economic advantage for their companies or countries – unlikely in the case of archaeologists, but you never know…….
· Hackers who find interfering with computer systems an enjoyable challenge
· Hacktivists who wish to attack companies for political or ideological motives.
· Employees, or those who have legitimate access, either by accidental or deliberate misuse
In un-targeted attacks, attackers indiscriminately target as many devices, services or users as possible. They do not care about who the victim is as there will be a number of machines or services with vulnerabilities. To do this, they use techniques that take advantage of the openness of the Internet, which include:
· Phishing - sending emails to large numbers of people asking for sensitive information (such as bank details) or encouraging them to visit a fake website
· Water holing - setting up a fake website or compromising a legitimate one in order to exploit visiting users
· Ransomware - which could include disseminating disk encrypting extortion malware
· Scanning - attacking wide swathes of the Internet at random
In targeted attacks, your organisation has been singled out because the attacker has a specific interest in your business. A targeted attack is often more damaging than an un-targeted one because it has been specifically tailored to attack your systems, processes or personnel, in the office and sometimes at home.
Targeted attacks may include:
· Spear-phishing - sending emails to targeted individuals that could contain an attachment with malicious software, or a link that downloads malicious software
· Deploying a botnet - to deliver a DDOS (Distributed Denial of Service) attack
· Subverting the supply chain - to attack equipment or software being delivered to the organisation
Does this really apply to your archaeological business?
According to the UK Government, before investing in defences, many organisations often want concrete evidence that they are, or will be targeted, by specific threats. Unfortunately, in cyberspace it is often difficult to provide an accurate assessment of the threats that specific organisations face. However, every organisation is a potential victim.
All organisations have something of value that is worth something to others. If you openly demonstrate weaknesses in your approach to cyber security by failing to do the basics, you will experience some form of cyber attack.
Do you really need it?
As a business of any size, it is likely you will rely on information technology (IT) infrastructure to some degree. If so, you will be exposed to the risks of business interruption, income loss, damage management and repair, and possibly reputational damage if IT equipment or systems fail or are interrupted.
As Archaeologists, you may feel that you are not particularly vulnerable to attack, but the evidence suggests that it doesn’t matter what sector you work in – you are open to ‘attack’!
If any of the following apply to you, then you should read on:
· Do you hold sensitive customer details such as names and addresses or banking information?
· Do you rely heavily on IT systems and websites to conduct your business?
· Do you process payment card information as a matter of course?
Compensation or reparations for your business’s own assets:
· Loss or damage to digital assets such as data or software programmes
· Business interruption from network downtime
· Cyber exhortation where third parties threaten to damage or release data if money is not paid to them
· Customer notification expenses when there is a legal or regulatory requirement to notify them of a security or privacy breach
· Reputational damage arising from a breach of data that results in loss of intellectual property or customers
· Theft of money or digital assets through theft of equipment or electronic theft
In addition to third parties – ie to cover litigation and costs relating to your customers / suppliers:
· Security and privacy breaches, and the investigation, defence costs and civil damages associated with them
· Multi-media liability, to cover investigation, defence costs and civil damages arising from defamation, breach of privacy or negligence in publication in electronic or print media
· Loss of third party data, including payment of compensation to customers for denial of access, and failure of software or systems
Policies are available with limits from £100,000 to £5m.
It is certainly worth looking at the UK Government Cyber Essentials Scheme information:
(https://www.gov.uk/government/publications/cyber-essentials-scheme-overview) which outlines basic basic cyber security hygiene standard to help organisations protect themselves against common cyber attacks.
Call me to discuss your insurance needs on 0208 2550617 / 07768 865983