As
an archaeologist, you might not think that the weird and wonderful world of
insurance has much to offer apart from covering the mandatory essential
insurances of your business. The
necessary evils of insurance! You might
not even wish therefore to be aware of
the range of weird and wonderful insurance products which you could choose to
buy!
What
about cyber risks insurance? A great
name for a start - and one probably created to engender an element of fear of
the modern world!
What is it and does it
apply to archaeologists?
Cyber
risks insurance covers your business against any losses relating to damage to,
or loss of information from, IT systems and computer networks. Not immediately relevant to archaeology?
Well,
in my experience, archaeologists are generally ‘early adopters’ of technology –
eager to adapt and apply new scientific techniques to the study of our
past. I myself adapted some dental
imaging technology to the study of Boxgrove handaxes in the 1990s. There is now more image manipulation and
analysis capability in my phone than in the ‘Optimas’ set-up which I
‘developed’ back then!
Anyway,
surveying with a total station, 3D modelling, GIS etc. all create vast amounts
of data and that data is fundamental to your business, to your research, to
your very being!
Do
you back-up all of your data off-site? Of
course you do. Do you keep multiple
back-ups? Of course you do. Do you ustilise secure external servers? Of course you do. Do
you hold client records as well? Is your
website your ‘face to the world’? Do you
use online banking to pay staff? Then
you are a potential target!
Cyber
attacks do happen and they result in:
·
Loss
of data
·
Reputational
damage
·
Breach
of privacy
·
Data
protection issues
·
Business
down-time
A
UK Government survey estimated that in 2014 81% of large corporations and 60%
of small businesses suffered a cyber breach.
The average cost of a cyber-security breach is £600k-£1.15m for large
businesses and £65k-115k for SMEs.
Who might be attacking
you?
· Cyber
criminals interested in making money through fraud or from the sale of valuable
information
· Industrial
competitors and foreign intelligence services, interested in gaining an
economic advantage for their companies or countries – unlikely in the case of
archaeologists, but you never know…….
· Hackers
who find interfering with computer systems an enjoyable challenge
· Hacktivists
who wish to attack companies for political or ideological motives.
· Employees,
or those who have legitimate access, either by accidental or deliberate misuse
Un-targeted
attacks
In un-targeted attacks, attackers
indiscriminately target as many devices, services or users as possible. They do
not care about who the victim is as there will be a number of machines or
services with vulnerabilities. To do this, they use techniques that take
advantage of the openness of the Internet, which include:
· Phishing
- sending emails to large numbers of people asking for sensitive information (such as bank
details) or encouraging them to visit a fake website
· Water
holing - setting up a fake website or compromising a legitimate one in order to
exploit visiting users
· Ransomware
- which could include disseminating disk encrypting extortion malware
· Scanning
- attacking wide swathes of the Internet at random
Targeted
attacks
In targeted attacks, your organisation has
been singled out because the attacker has a specific interest in your business. A targeted attack is often more damaging than
an un-targeted one because it has been specifically tailored to attack your
systems, processes or personnel, in the office and sometimes at home.
Targeted attacks may include:
· Spear-phishing
- sending emails to targeted individuals that could contain an attachment with
malicious software, or a link that downloads malicious software
· Deploying
a botnet - to deliver a DDOS (Distributed Denial of Service) attack
· Subverting
the supply chain - to attack equipment or software being delivered to the
organisation
Does
this really apply to your archaeological business?
According to the UK Government, before
investing in defences, many organisations often want concrete evidence that
they are, or will be targeted, by specific threats. Unfortunately, in cyberspace it is often
difficult to provide an accurate assessment of the threats that specific
organisations face. However, every
organisation is a potential victim.
All organisations have something of value
that is worth something to others. If
you openly demonstrate weaknesses in your approach to cyber security by failing
to do the basics, you will experience some form of cyber attack.
Do you really need it?
As
a business of any size, it is likely you will rely on information technology
(IT) infrastructure to some degree. If
so, you will be exposed to the risks of business interruption, income loss,
damage management and repair, and possibly reputational damage if IT equipment
or systems fail or are interrupted.
As
Archaeologists, you may feel that you are not particularly vulnerable to
attack, but the evidence suggests that it doesn’t matter what sector you work
in – you are open to ‘attack’!
If
any of the following apply to you, then you should read on:
· Do
you hold sensitive customer details such as names and addresses or banking
information?
·
Do
you rely heavily on IT systems and websites to conduct your business?
·
Do
you process payment card information as a matter of course?
Just
think of all that data which you hold within your IT system – all that
excavation and survey data for a start!
How would your business function if that was lost? Clearly off-site back-ups are essential and
cloud storage or storage on secure commercial servers is also common sense but
Cyber insurance would provide the following in the event of a loss:
Compensation
or reparations for your business’s own assets:
·
Loss
or damage to digital assets such as data or software programmes
·
Business
interruption from network downtime
· Cyber
exhortation where third parties threaten to damage or release data if money is
not paid to them
· Customer
notification expenses when there is a legal or regulatory requirement to notify
them of a security or privacy breach
· Reputational
damage arising from a breach of data that results in loss of intellectual
property or customers
·
Theft
of money or digital assets through theft of equipment or electronic theft
In
addition to third parties – ie to cover litigation and costs relating to your
customers / suppliers:
· Security
and privacy breaches, and the investigation, defence costs and civil damages
associated with them
· Multi-media
liability, to cover investigation, defence costs and civil damages arising from
defamation, breach of privacy or negligence in publication in electronic or
print media
· Loss
of third party data, including payment of compensation to customers for denial
of access, and failure of software or systems
Policies
are available with limits from £100,000 to £5m.
It
is certainly worth looking at the UK Government Cyber Essentials Scheme
information:
Call me to discuss your
insurance needs on 0208 2550617 / 07768 865983
A topic which is totally
unrelated to both archaeology and insurance is the Oxford Cambridge Boat Race
which takes place tomorrow. Coverage is
on BBC1 with the Women starting at 4.50pm and the Men at 5.50pm. (And don’t’ forget the Reserve Boat races before and in between as
well). 
Similarly with the
National – though pundits are mostly backing Shutthefrontdoor ridden by AP MCoy
– at 7-1. However, look out for Cause of
Causes at 16-1 and don’t discount a flutter on River Choice currently at 100-1.
