Cyber risks facing Surveyors: is your business prepared?
26 March 2020
Unpredictable and fast-moving, a ransomware attack will test business resilience.
Ransomware is the fastest growing cyber-crime and a significant risk to businesses in all industries and of all sizes, many of which do not have a comprehensive recovery plan or staff training procedures in place to reduce this risk. Criminals are taking advantage of this lack of preparedness for financial gain, causing substantial disruption and damage.
Ransomware: What it is and how it can impact business
Ransomware is a type of malware that can encrypt, delete or steal files, preventing the user from accessing their data or computer until a ransom payment is made. It is important for businesses to be aware of how ransomware can infect a computer system. The most common channels include the following:
- unsolicited emails containing downloadable malware attachments
- unpatched software vulnerabilities in operating systems, web browsers, browser plug-ins or applications
- data transfer between computers via USB memory sticks.
According to The Economist, data has become the world’s most valuable resource, and the dependency on integrated technology systems for highly efficient operations makes businesses vulnerable to a cyber-attack. The 2019 Cybercrime Report by Cybersecurity Ventures predicts that ransomware damages will cost $20 billion globally by 2021 and that a business will fall victim to an attack every 11 seconds. During a ransomware attack, sensitive commercial data and personal data held on employees and clients are exposed to uncontrolled risk, a key concern given the increased sensitivities surrounding GDPR fines. In addition, because ransomware paralyses IT systems, business competitiveness can suffer through lost productivity, loss of data control, financial loss and long-term reputational damage.
Risks to surveyors
Awareness of ransomware and other cyber-related threats has grown as a result of high-profile attacks across a number of industries. Surveyors are not immune to this threat and should be aware of the risks in terms of what they need to protect and their potential vulnerabilities. It is important for surveyors to be prepared due to the proposed new Data Handling and Prevention of Cybercrime Professional Statement, which will require all RICS professionals and regulated firms to comply with a set of compulsory responsibilities, to ensure necessary precautions are in place to prevent a data breach.
This statement will impact surveyors, particularly in terms of valuations, as large quantities of data are analysed and recorded and must be stored securely. Surveyors often handle high value transaction data and have access to client databases, third-party data, and a property’s security and management systems, which makes them an attractive target for cyber-criminals. Due to low investment in cyber-security infrastructure and a lack of training amongst employees, businesses are vulnerable to a cyber-attack. In addition, emerging technologies such as drones and BIM (Building Information Modelling) have the potential to be hacked just like other computer systems. If such systems are being used on high value projects, a ransomware attack would cause maximum disruption and could result in the theft of client money and other sensitive data. It is for this reason that surveyors should have a comprehensive Professional Indemnity Insurance (PII) policy as well as a cyber-risk insurance policy in place to cover these liabilities and to prevent heavy financial losses.
As ransomware attacks become more sophisticated, surveyors must take a proactive approach to cyber-risk management. This is not only important to maintain business continuity but also for stakeholder management, not least in terms of maintaining excellent relationships with contractors and clients.
Risk Management: Steps to take
Cyber risk will be unique to each business, and therefore risk management and awareness of what each surveyor or business has to protect is key. In case of attack, it is important that an effective recovery and communications plan, together with a comprehensive cyber insurance policy, has been firmly established.
Other steps to take include:
- Back up your data
- Use antivirus software and activate your firewall to ensure network security
- Regularly patch your operating systems and applications
- Control the use of USB drives and memory cards
- Third-party risk management.
In our Cyber Security Guide we outline additional steps to take:
- Secure passwords policy and two-factor authentication
- Restricted user access and management of user privileges
- Cyber Essentials Certification
- A cyber insurance policy.
Recent figures show that 90% of data breaches are a result of human error. Examples of cyber security threats caused by human factors include: poor password security, mis-delivery of sensitive information and accidentally clicking on malicious links and attachments in emails.
Surveyors must ensure that their employees receive training to improve and support their cyber security strategy. The National Cyber Security Centre (NCSC) provides a 10 Steps to Cyber Security plan and a number of free online training tools for businesses:
- Having plans in place should things go wrong: test and practice your business cyber incident response using the 'Exercise in a Box' tool.
- Reducing cyber incidents caused by employee behaviours: educate your employees using the 'Top Tips for Staff' training tool.
- Managing third party cyber security risk: set out security measures for suppliers and partners, and train your staff in procurement roles on how best to protect commercially sensitive information using this online course.
Cyber Risk Insurance
As the threat and regulatory landscape evolves and the cost of cyber claims increases, a cyber-risk insurance policy is an important part of your risk management and resilience strategy. Cyber Insurance, with its unique service-led proposition, can provide critical incident response expertise. Whilst Cyber Insurance will not protect you from an attack, it allows some of the financial risk to be transferred and can assist with mitigating disruption.
For more information please visit our cyber insurance webpage.
Kathryn is responsible for Howden’s cyber offering, working with a number of businesses to manage cyber risk and implement the right risk transfer solutions. Kathryn is an ACII qualified Chartered Insurance Broker - and with over 10 years’ experience in the industry, there isn’t much she hasn’t seen.