Business security
Many smaller organizations are turning to cyber risk insurance, both to protect themselves against the costs of a cyber incident and to take advantage of the comprehensive post-incident services that insurers offer
July 31, 2024
•
,
4 minutes reading
If we stopped people on the street and asked for words to describe the people involved in the world of cyber, many words would undoubtedly be used. I am convinced that these will include innovators, entrepreneurs, millionaires, nerds – and criminals. The latter obviously does not refer to those in the legitimate cyber world, but to the scammers and fraudsters we often describe as cyber criminals.
Many cybercriminals are unfortunately all of the above words: innovators, entrepreneurs, millionaires (maybe), nerds and of course criminals. For starters, they have the amazing ability to focus their attention on a breaking news story and customize campaigns to land in inboxes in hours, something that takes a typical company days or weeks.
In a sense, they are also flexible innovators, changing their modus operandi quickly and effectively when profits decline. The evolution of ransomware is a good example of this: from extorting individual consumers or individual devices, to disrupting entire companies, to exfiltrating data and threatening to sell or disclose it, to reporting a company to a financial regulator for failing to disclose a cyber incident when they refused to pay an extortion demand. Cybercriminals, or at least some of them, are innovative in their thinking and enterprising in their passion for making money.
Here are a few figures to illustrate this point: Cybercrime is expected to cost companies a lot of money $10.5 trillion by 2025. This astronomical figure includes the profits made by cybercriminals in various ways, whether it be by defrauding a consumer or bailing out a hospital, disrupting their operational status. The threat to business is real and increasingly making headlines. An example of this is the recent ransomware attack on Change Healthcare, which resulted in the parent company reporting that the incident cost them $900 million. This could potentially amount to $1.6 billion.
These numbers are frightening, and while enterprises may be able to absorb these costs, smaller businesses may find themselves in a dire situation where they cannot survive financially. Smaller organizations are by no means immune to cyber attacks; For example, Finham Park School in Coventry, Great Britain, has a student population of 1,500 hit three times by cyber attackers.
This blog is the second in a series on cyber insurance and its relevance in this increasingly digital age. You can find the opening blog here. Read more about how organizations can improve their insurability in our latest whitepaper, Prevent, protect. To ensure.
Human behavior is a major factor in cyber attacks, with most successful attacks starting with some form of social engineering. For fifteen years, the message of “use strong passwords and don’t click on links” has been promoted by national cyber protection organizations around the world with limited success. Cybercriminals continue to perfect the art of deception, successfully attempting to trick their victims into providing their login credentials, transferring money, or executing malware attached to an email. Cybersecurity awareness training does remind staff of the dangers, but any major behavioral change will likely require a new generation of employees trained in cyber threats and best practices to avoid them.
Another major problem for many IT and cybersecurity teams is the endless stream of vulnerability disclosures. Every device and copy of the software needs patches regularly, and sometimes urgently due to the disclosure of a vulnerability that is being actively exploited. The CVE database of known vulnerabilities continues to grow year on year, and combined with the fact that all organizations are using more and more devices and software, this makes patch management a significant challenge. Automating patch management solves the problem to some extent, but every organization likely has an unknown, unpatched device plugged in somewhere, and the cybercriminal just needs to find it to exploit it.
The landscape is becoming more complex as both defenders and attackers turn to automation and AI tools to increase effectiveness. Defenders have been using AI for some time, for example to sift through large amounts of data, identify anomalies, prioritize alerts, and automate responses. Meanwhile, attackers are taking advantage of development tools to build and obfuscate malware, creating content for phishing campaigns and the like. While no specific example of an AI-generated attack has been published (i.e., where AI carries out all stages of an attack autonomously without human intervention), it is fair to say that cyber attacks are AI-enabled.
This is why many smaller businesses and organizations are turning to cyber risk insurance, both to protect themselves against the costs of a cyber incident and to take advantage of the comprehensive post-incident services that insurers provide. As cyber insurance adoption increases, it is likely to be viewed in the same way as any unexpected threat, such as fire and theft. The increased cybersecurity demands imposed by insurers could lead to significant improvements in cybersecurity. However, cyber insurance can also signal to cyber criminals that the organization is willing to pay a ransom, because this is not at their own expense.
My collaborator, Peter Warren, an award-winning investigative journalist, writer and broadcaster, has conducted a number of interviews on the topic of the future cyber threat that companies may face, specifically how AI could change the threat landscape. The podcast can be found below…
Learn how cyber risk insurance and how cyber risk coverage, combined with advanced cybersecurity solutions, can increase your chances of survival if or when a cyber attack occurs. Download our free whitepaper: Prevention. Protect Insure, here.
