The Australian Census 2016 has been thrown into disarray by a cyber-attack which shut down the Australian Bureau of Statistics website just as millions of people were sitting down to complete their online details.
Head statistician David Kalisch said the ABS had been a victim of a distributed denial of service, or DDOS. Such attacks are designed to cripple target websites by flooding them with useless internet traffic so that requests from legitimate users cannot be serviced, causing the “denial” of service.
DDOS attacks are generally launched by cyber-criminals using “botnets”, also known as “zombie armies”.
These are groups of computers infected with malware that are remotely controlled by cyber-criminals, generally without the owners’ knowledge. They are sold or rented out every day over the ‘dark web’, a vast encrypted network where criminals do business online.
Botnets change hands here for just a few dollars, and can be used to attack a website from multiple points at once in a massive synchronised hit.
A global risk
DDOS attacks are very common worldwide. Over 15 per cent of UK small businesses were hit by DDOS attacks last year - and they are so easy to launch that even a child can do it.
“A denial of service attack could be driven by financial gain, or to put competitors out of business – if your website is down, you can’t do business,’’ says Gerry Power, CGU’s senior underwriter for Professional Risks.
“It could be because people don’t believe in the product you’re selling – for example, you could be selling something someone doesn’t agree with online. Or it could be extortion, where cyber-criminals say ‘we’re holding your website hostage until you pay us’.”
With so many small businesses relying on their internet presence to trade, the implications of being offline for days or even weeks can be catastrophic. Unable to do business, they are unable to make a profit and meet expenses.
Increasingly these days, multiple businesses are reliant on each other’s online system to trade, and financial losses can spread to multiple clients and suppliers (imagine the ramifications if, for example, eBay’s systems were to crash).
And, as the Australian Bureau of Statistics is now discovering, the damage to one’s reputation or brand can also be devastating.
Few small businesses have the expertise and resources available to larger organisations to deal quickly with a cyber-attack. And unfortunately, few have even given much thought to how they would deal with such a disaster were it to occur.
This is despite the fact that, internationally, the proportion of cyber-attacks aimed at small businesses is on the rise. Over 40 per cent of all cyber-attacks in 2015 were targeted at businesses with less than 250 employees.
The federal government estimates almost 700,000 Australian businesses have experienced a cybercrime, and 60 per cent of these attacks were on SMEs, with an average cost per attack of over $275,000.
“All small businesses must have a business continuity plan or disaster recovery plan that is up to date and tested – and the key people who need to implement it know what to do right away,’’ says Power.
“But that’s the failure of SMEs - many of them don’t have a BCP if something like this was to happen.”
This is where cyber-insurance can help.
Mitigating the risk
A cyber-policy can protect businesses against the direct costs of cyber-attacks such as lost profits, as well as other costs such as defending claims from third parties.
Other risks business owners should consider insuring against include the costs of lost, damaged or destroyed IT systems and data, the costs of negotiating due to an extortion attempt, and fines and penalties incurred due to data privacy breaches.
A cyber-policy can also provide businesses with cover that will help protect their image, for instance through PR consultants who can help mitigate damage arising from a business’ website not being available, while also covering damage to the personal reputation of executives like CEOs.
An insurer with a good incident response capability can make all the difference in the event of a cyber-crisis too.
CGU’s cyber incident response team is on standby 24/7 to assist clients in need. Their capabilities include a breach coach service to assist clients who are experiencing a DDoS attack.
With cybercrime on the rise worldwide and attacks such as that on the Census 2016 so easily launched, cyber-insurance is becoming a must-have for more and more businesses.