Reducing your cyber risk on the railways
Posted on 22nd April 2019 by Phil Ainley MCIM
Commentary about the elevated levels of cyber risk to UK industry and online consumers, due to our growing reliance on technology, is common.
The rail industry is no different from any other in this respect, but both as businesses and as individuals, there are effective ways to manage your cyber security.
Aspects of your business insurance and your all-round awareness can be looked at to ensure you reduce your level of cyber risk when using the nation’s railways.
Firstly, it is important to review your current business insurance policies and ask yourself some important questions, so you fully understand your cyber gap analysis:
- How has your exposure to risk changed?
- What insurance cover do you currently hold?
- What cover do you need?
- Has your financial exposure changed?
- Are your staff aware of the risks?
- How would your business cope in the event of a cyber-attack, or of being held to ransom?
- Would your business be equipped to carry on as usual without disruption to your operations and your clients?
With the business world being increasingly reliant on technology, it is imperative that businesses have robust business continuity plans and procedures in place. Cyber-attacks and commercial crime are not going to go away; they are only ever going to increase.
Ask yourself, would your client data be safe from a data breach in the event of a cyber-attack on your business?
Stricter regulations in terms of Data Protection and GDPR (General Data Protection Regulation) mean that businesses and employees need to be better prepared and better educated as to the risks of cyber-attacks that result in data breaches.
If an employee is using an insecure wi-fi network to access his or her work emails and other work files, then they are opening up the business to cyber risk. If the business is then hacked, it can result in a hefty fine, not to mention the knock-on problems that could occur, which could include losing clients altogether.
When GDPR was introduced in May 2018, the cap on regulatory fines was significantly increased. In the UK the fine cap increased from £500,000 to 4% of global turnover or €20 million (whichever is the higher figure).
The GDPR also imposes a compulsory obligation to notify data subjects within 72 hours where a breach represents a high risk of harm to those affected. For further information about GDPR, visit the ICO website.
It will be far easier for all businesses to spend time educating their staff about the risks involved and how to avoid them, than it would be to deal with a breach and the consequences associated with that.
What insurance do you currently hold?
- Evaluate what insurance you currently carry. Does it cover you adequately?
- Are you carrying cyber insurance and/or commercial crime insurance at all?
One of the issues with cyber insurance is how well it is understood from the insured's point of view, which is creating a disconnect between the insured and the insurer.
Policyholders generally see risks as first party (damage to property and business interruption) and third party (claims and actions by other parties). Because of this, they often carry insurance policies for both.
Insurers prefer to view cyber as a separate risk and therefore offer cyber insurance as a separate policy.
This is where insurers need to be a lot better at educating policyholders about the benefits of the product. It is also important for business leaders to take more responsibility and become more aware of cyber as a risk. They need to be more proactive in asking the questions: "Do we need it?", "How do we benefit?" and "What could happen if we don't have it?"
What insurance do you need?
Firstly, you need to understand what risks you are exposed to and what mitigations you currently have in place. Mitigations can include: back-ups (onsite and offsite), business continuity plans, physical and digital protections, and education and training.
You also need to fully understand the potential cost to your business in the event of a cyber-attack and/or a data breach. What is the worst-case scenario? Would you be able to cover that?
Even if you already carry a cyber insurance policy, you should check it carefully to see what cover it provides. Some instances of commercial crime will not be insured under a cyber insurance policy, in which case a commercial crime insurance policy would also be required.
It is important to discuss your cover with your broker to understand exactly how your policies would respond. If there is a shortfall in cover it might be a good idea to plug the gap.
Staff awareness and the need for constant education and training
Most rail operators offer wi-fi in their carriages. Some operators charge a nominal fee, while others offer this service free of charge. Most wi-fi connections that are provided on our railways are not secure connections.
Instance 1: Wi-fi on trains gives passengers the opportunity to surf the internet, access emails and catch up on work on their laptops and tablets. All of these are commonly seen across all the rail networks.
Also visible on the rail networks are people's laptop screens, showing their current work. In some cases, laptops and tablets are left unattended as people nip to the toilet or to the buffet car. An innocent act, but one which could open a business up to cyber risk.
Instance 2: More commonly, staff are overheard talking on their mobile phones about work issues, contracts, employees and colleagues, clients, and money. Due to background noise, these conversations tend to be a lot louder than normal to get the message across. Search online for Trigger Happy TV and you’ll get the gist.
Both instances are points at which all your walls of cyber security and risk mitigation can be breached. They also provide an opportunity for staff training and a revision of your business procedures to ensure your staff are fully aware of the risks. This can help ensure your staff act with a greater level of responsibility and ownership.
Cyber insurance and commercial crime insurance provide cover for the modern ways in which businesses operate. For further information and a quotation, call 0333 321 1403.