What cyber insurance claims tell us about cyber risk today
This year’s Global Risks Report from the World Economic Forum identified cybersecurity as the biggest short-term economic risk society faces. The report has a somewhat patchy record in predicting the biggest threats on the horizon, but with cyberattacks surging in recent years, this is surely one that is beyond dispute.
"Misinformation, cyberattacks, targeted strikes and resource grabs are on the rise," the report says. "States and non-state actors alike will likely engage in more dangerous cyberattacks, and these attacks will become more sophisticated."
Given this growth, it’s perhaps no surprise that the cyber insurance market is predicted to reach $22.5 billion by 2030 as organizations seek to limit their exposure to the growing risk of cyberattacks. As the sector becomes larger, however, the claims data also provides us with some interesting insights into the nature of cybersecurity itself.
Reading the exhaust
That’s certainly the aim of the recently published Cyber Insurance Claims Report from the leading cyber insurance provider Coalition. The company analyzed claims data from around 50,000 North American customers during the first half of 2021 to understand the changing nature of cybersecurity today.
"If the events of the past year are any indication, cyber risk is set to become the defining risk of our age," the company says. "With the escalation of ransomware and other cybercrimes impacting everything from critical infrastructure to the corner store, one thing is clear: addressing cyber risk matters for everyone."
A number of key trends have emerged in this period that illustrate the changing nature of cybercrime today.
Firstly, there has been significant growth in cybercrime in the first six months of 2021, with the biggest culprit being business email compromise (BEC) incidents, which are up 51% compared to the same period last year. The report reminds us that whereas sexier technologies may get a lot of press, email remains the dominant attack surface for the majority of organizations. The next most common form of attack was funds transfer fraud (FTF), which grew 28% year on year.
Given the publicity attracted by the likes of the REvil attack on Acer in March, it's perhaps also no surprise that ransomware attacks have become more popular again after there was a slight dip in numbers during the second half of 2020. Perhaps most importantly, not only are the number of ransomware attacks rising but also the size of the ransoms demanded, with the average demand growing by 170% to $1.2 million. The authors believe this is largely because the business impact of ransomware has grown, which has emboldened criminals to demand higher payouts.
The changing nature of work has also created an increased cybersecurity risk, both for individuals and their employers. For instance, the authors highlight how our remote lifestyles during Covid have meant an increase in digital transactions, such as electronic funds transfers, which give criminals opportunities to exploit processes that were improvised on the fly.
The Coalition data shows that the average theft has risen by an incredible 179% during 2021 and now stands at $326,264.
The almost overnight requirement to facilitate remote work en masse meant that most organizations rushed their decisions, with security vulnerabilities an inevitable consequence.
"Many organizations turned to remote access protocols and tools such as Microsoft Remote Desktop (RDP) to facilitate remote work," the authors write. "However, left exposed to the internet, these access points have become favored targets of criminals. The number of organizations with RDP enabled when they applied for insurance nearly doubled from the first half of 2020 to 2021."
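As an added illustration of the exposure the report describes (this is example code, not anything published by Coalition or taken from the report), the following Python audit reads an export of inbound firewall or security-group rules and flags any rule that lets a public source range reach RDP or a similar remote-access service. The rule schema, the port list and the sample rules are constructed for the example; a real deployment would feed it the rule export of whatever firewall or cloud provider is in use.

```python
"""Flag remote-access services reachable from the public internet.

Added example, not code from the Coalition report. Given an export of inbound
firewall rules, report each rule that lets an internet source range reach a
remote-access port such as RDP (3389). Rule precedence is deliberately not
modelled: any reachable "allow" is reported, which errs on the side of noise.
"""
import ipaddress
from dataclasses import dataclass

# Ports the report singles out (RDP) plus other common remote-access services.
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC", 445: "SMB"}

# Source ranges that do not count as "the internet": RFC 1918, loopback, link-local.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass(frozen=True)
class Rule:
    """One inbound rule; the field layout is an assumption for this example."""
    name: str
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    port_from: int   # inclusive port range
    port_to: int
    source: str      # source CIDR


def is_internet_source(cidr: str) -> bool:
    """True unless the source range lies entirely inside a private range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(p) for p in PRIVATE_NETS if p.version == net.version)


def exposed_remote_access(rules):
    """Return (rule name, service, port, source) for every internet-reachable
    allow rule whose port range covers a remote-access service."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.proto not in ("tcp", "any"):
            continue
        if not is_internet_source(r.source):
            continue
        for port, service in REMOTE_ACCESS_PORTS.items():
            if r.port_from <= port <= r.port_to:
                findings.append((r.name, service, port, r.source))
    return findings


# Constructed sample export: one obviously exposed RDP rule, one RDP rule limited
# to an internal VPN range, one web rule, one broad management range from a
# public block (TEST-NET-2), and a deny rule that must not be reported.
SAMPLE_RULES = [
    Rule("allow-rdp-any", "allow", "tcp", 3389, 3389, "0.0.0.0/0"),
    Rule("allow-rdp-vpn", "allow", "tcp", 3389, 3389, "10.20.0.0/16"),
    Rule("allow-https", "allow", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("allow-mgmt-range", "allow", "tcp", 3380, 3400, "198.51.100.0/24"),
    Rule("deny-rdp", "deny", "tcp", 3389, 3389, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, service, port, source in exposed_remote_access(SAMPLE_RULES):
        print(f"{name}: {service}/{port} reachable from {source}")
```

The important design decision is the definition of "exposed": a source range is treated as internet-facing unless it sits entirely inside a private range, so a rule scoped to a specific public /24 is still reported, which matches the report's point that any public reachability of RDP is a risk rather than only a wide-open `0.0.0.0/0`.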
No target too small
It's also interesting to note that while high-profile cyberattacks on huge organizations grab the headlines, criminals are increasingly targeting smaller companies, with attacks on firms with fewer than 250 employees growing by 57% year on year. This is not only due to the less sophisticated defenses employed by smaller firms but also to the increase in automated tools used by attackers, which has made attacks on smaller organizations profitable.
"While many things have changed since our last report, there was one constant: organizations continue to be targeted by criminals because they have made poor technological choices, often exposed to the public internet, that makes them targets," the authors conclude.
This underlines the fact that becoming a victim of cybercrime is by no means inevitable. Instead, the data reveals that most cyberattacks today remain fairly unsophisticated and can be rebuffed with the right defenses. With phishing, exploitation of remote network access points, and unpatched software likely to continue to be targeted in the year ahead, the onus is on security managers to ensure basic controls are in place to secure email, enable multi-factor authentication, and frequently patch software.