The evolving nature of cyber attacks and how audits can help mitigate risk
Cyber is identified as one of the biggest risks facing businesses, societies, and indeed the financial system. In 2020 alone, there were more than 300 million ransomware attacks worldwide,[1] and with reports stating that fire and theft are now less of a threat to businesses than cybercrime,[2] it is high time that cyber defences were taken just as seriously as physical security systems.
However, it is not just the frequency of these attacks that is causing concern. Cyber criminals are becoming increasingly sophisticated, attacks are becoming larger, and the price to recover data is increasing.[3] Inevitably, this means the demand – and cost – for cyber insurance is rising as well.
It is predicted that by 2050, the global cyber market could grow to US$20 billion.[4] For the insurance sector, this has to be a wake-up call – businesses need to act now and respond to the rapidly evolving nature of cybercrime, because in all likelihood it is not a case of if you will be targeted, but when.
Understanding the enemy
For insurers, measuring cyber risk involves understanding multiple factors, from identifying security weaknesses right through to predicting the potential frequency, severity and extent of an attack. But anticipating how, or even when, an attack is likely to happen is nigh on impossible.
Another factor to understand is the extreme complexity of these risks. An attack is not necessarily contained to the organisation that was infiltrated; a single cyber-attack on a company can result in the infection of all its customers – whether that is 100 customers or one million. It is this chain of infection that allows cyber criminals to penetrate supply chains and cause widespread disruption.
The form these attacks take has evolved into new dimensions too. From their infancy as phishing emails, methods have now developed to the point where physical damage could be caused. And we are not just talking about hard drive damage here; just take a look at the – thankfully – foiled cyber-attack in which a hacker attempted to poison a Florida state water system earlier this year.[5]
And the complexity does not stop there. Welcome to a world where deepfake videos have allowed cyber criminals to gain permissions and access sensitive data;[6] a world where mobile wallets and payment platforms can be infiltrated,[7] and where the potential for large-scale attacks on cloud service providers is a serious and realistic concern.[8]
Even “simple” ransomware attacks are no longer just a single hit; they have mutated into what has been termed “double extortion”[9] operations, where victims are required to pay two ransom instalments – the first for a decryption key, the second to prevent the release of data.
Building your defences
The media is quick to report cyber attacks, but the focus tends to be on large-scale companies hit with eye-watering ransom demands. Small and medium-sized enterprises (SMEs), however, are just as susceptible to these attacks – and they are, in some respects, an even more attractive proposition.
SMEs hold customer data, but despite this, many have weak cyber defences in place; and for those which work with large companies, this lack of defence can provide hackers with a potential route into the systems of their larger counterparts.[10] So, what steps can be taken to build and check cyber resilience?
Although it might seem obvious, training is the first step. The UK Information Commissioner’s Office reported that in 2019, 90 per cent of UK cyber data breaches were caused by human error.[11] That is potentially 90 per cent of attacks that could have been prevented with staff training.
Of course, not everyone can be a cyber security expert, but businesses – no matter how small – should be working with those who do know what they are talking about. Such experts can provide comprehensive gap analyses and ultimately help a business be proactive about cyber risk.
To understand what cyber risk a company might be carrying, processes, technology and people have to be carefully monitored. It is not just the IT team’s responsibility. Everyone has a role to play, simply because anyone can be a cyber risk.
The cyber risk management approach therefore has to be integrated into a company’s culture, and the first step is an audit. If you do not know where your vulnerabilities lie, you cannot plan effectively and bring in the right defences.
Cyber audits in particular are all about assessing vulnerabilities – from user awareness, through risk and compliance assessments, to physical security assessments (do you, for example, have multi-factor authentication, firewalls and security keys in place as a baseline?). These audits can even calculate what the business interruption losses would be if a cyber-attack did occur, because if you know what the consequences are, you can be better equipped to have the right defences and preventative measures in place.
Protecting your digital footprint
Businesses that are proactive in tackling and reducing cyber risk through cyber audits stand the best chance of mitigating the chance of a breach. It is all about understanding both present and emerging threats, so you can take the best course of action, not only to protect policyholders, but to protect your business as well.
With increasing claims and costs surrounding cyber breaches, losses have often far exceeded actuarial limits.[12] The result has been for many insurers to increase renewal premiums and to lower coverage limits.[13]
However, by understanding the risk, businesses can demonstrate to their insurers that they not only know what threats they may face, but also that they have the necessary defences in place to protect themselves. It is a simple thing that can save money not only now, but in the long term too.
About the Author
Richard Robertson has 20 years’ experience in information security. He is a specialist in implementing and managing leading IT security technologies into security operation centres as well as designing cyber strategies for global corporations and governments. With this combination of technical knowledge and strategic planning, Richard is able to meet the highest requirements for information asset protection.
Richard is Pro Global’s Head of Information Security, responsible for the business’s multinational InfoSec and business continuity plan. He is highly skilled in incident management and response, threat intelligence, vulnerability management and regulatory compliance. Through this, Richard can not only protect against a breach but also provide insight into the points of access.
For more information on Pro Global’s Cyber Audit Services, visit: https://pro-global.com/about/
LinkedIn Profile: https://www.linkedin.com/in/richard-r-b426743/
Pro Global website: https://pro-global.com/about/