Many smaller organizations are turning to cyber risk insurance, both to protect against the cost of a cyber incident and to use the extensive post-incident services that insurers provide
If we were to stop people on the street and ask for words to describe the people involved in the world of cyber, there would, undoubtedly, be many words used. I am confident they would include: innovators, entrepreneurs, millionaires, geeks – and criminals. The latter, of course, refers not to those in the legitimate cyber world, but to the scammers and fraudsters that we often describe as cybercriminals.
Many cybercriminals are, unfortunately, all of the words above – innovators, entrepreneurs, millionaires (maybe), geeks – and, obviously, criminals. For starters, they possess an amazing ability to turn their focus to a current news story and adapt campaigns to hit inboxes within hours, something that a typical company takes days or weeks to achieve.
In a way, they’re also agile innovators, changing their modus operandi quickly and effectively whenever profits wane. The evolution of ransomware is a prime example: from extorting individual consumers or single devices, to disrupting entire businesses, exfiltrating data and threatening to sell or expose it, all the way to reporting a company to a financial regulator for not disclosing a cyber incident when they refused to pay an extortion demand. Cybercriminals, or at least some of them, are innovative in their thinking and entrepreneurial in their passion to make money.
Here are a few figures to help illustrate the point: cybercrime is expected to cost businesses $10.5 trillion in 2025. This astronomical figure includes the profits made by cybercriminals through various means, be it by defrauding a consumer or holding a hospital to ransom having disrupted their operational status. The threat to business is real and increasingly makes headlines – an example of this is the recent ransomware attack on Change Healthcare that caused their parent company to report that the incident cost them $900 million, and expects this to potentially rise to $1.6 billion.
These figures are scary, and while enterprises may be able to absorb these costs, smaller businesses could find themselves in a predicament of not financially surviving. Smaller organizations are by no means immune from cyberattacks; for example, Finham Park School located in Coventry, UK, with a student population of 1,500 has been hit three times by cyberattackers.
This blog is the second of a series looking into cyber insurance and its relevance in this increasingly digital era. The opening blog is available here. Learn more about how organizations can improve their insurability in our latest whitepaper, Prevent, Protect. Insure.
Human behavior is a major factor in cyberattacks, with most successful attacks starting with some form of social engineering. For 15 years, the “use strong passwords and don’t click on links” message has been pushed by national cyber protection organizations across the globe with limited success. Cybercriminals continue to perfect the art of deception and successfully dupe their victims into giving up credentials, transferring funds, or executing malware attached to an email. Cybersecurity awareness training does provide a reminder to staff on the dangers, but any major change of behavior is likely to require a new generation of employees who are educated in cyberthreats and best practices to avoid them.
Another major issue for many IT and cybersecurity teams is the never-ending deluge of vulnerability disclosures. Every device and instance of software needs regular patching, and sometimes in a rush due to the disclosure of a vulnerability that is actively being exploited. The CVE database of known vulnerabilities continues to grow year on year, and coupled with all organizations using more devices and software, this makes patch management a significant challenge. Automating patch management does alleviate the issue to a degree, but every organization likely has an unknown, unpatched device connected somewhere, and the cybercriminal only needs to find it to exploit it.
The landscape becomes more complex as both defenders and attackers turn to automation and AI tools to enhance effectiveness. Defenders have been using AI for some period of time, for example to sift through vast amounts of data, identify anomalies, prioritize alerts, and automate responses. Meanwhile, attackers are benefiting from development tools to build and obfuscate malware, the crafting of content for phishing campaigns and such like. While no specific example of an AI-generated attack (i.e., where AI autonomously conducts all stages of an attack without human intervention) has been published, it’s reasonable to say that cyberattacks are AI assisted.
This is why many smaller businesses and organizations are turning to cyber risk insurance, both to protect against the cost of a cyber incident and to use the extensive post-incident services that insurers provide. As adoption of cyber insurance grows, it’s likely to be viewed similarly to how any unexpected threat is, such as fire and theft. The increased cybersecurity requirements demanded by insurers may lead to significant enhancements to cybersecurity posture. However, cyber insurance may also signal to cybercriminals that the organization is willing to pay ransoms as it’s not at their own cost.
My associate, Peter Warren, an award-winning investigative journalist, writer, and broadcaster, has conducted a number of interviews on the topic of the future cyberthreat that companies may face, specifically how AI may change the threat landscape. The podcast can be found below…
Learn how cyber risk insurance and how cyber risk cover, combined with advanced cybersecurity solutions, can improve your chance of survival if, or when, a cyberattack occurs. Download our free whitepaper: Prevent. Protect Insure, here.