The changing cyberthreat landscape
Learn why small and medium-sized companies are now the ‘sweet spot’ for digital crooks.
Given cybercrime incidents are now estimated to cost the world economy in excess of $1 trillion a year — around 1% of global GDP — it is no surprise that cyber risk regularly ranks as a top customer concern in the Allianz Risk Barometer, our annual survey identifying the top business risks around the world (including finishing number one in the 2022 edition).
Indeed, AGCS’ insurance industry claims analysis shows that external attacks are responsible for more than 80% of the value of the 3,000 cyber-related claims we have been involved with over the past five years around the globe.
In response to the challenging loss environment of recent years, the insurance industry is more diligently assessing clients’ cyber risk profiles and clarifying coverage areas in a bid to incentivize companies to improve cybersecurity and risk management controls.
Our experience shows that a number of companies still need to train staff on IT security more often, strengthen their cyber incident response plans and improve their cybersecurity governance. Incident response is critical because the cost of a claim escalates quickly once business interruption sets in.
It is clear that organizations with good cyber maturity are better equipped to deal with incidents. It is not typical for us to see companies with strong cyber maturity and security mechanisms suffer a high frequency of “successful” attacks. Even where they are attacked, losses are usually less severe.
The good news is that we are now seeing a very different conversation on the quality of cyber risk than we were a few years ago and are therefore gaining much better insights as the cyber insurance market matures. Insurers have a role that goes beyond pure risk transfer, helping clients adapt to the changing risk landscape and raising their protection levels. The more we can partner with our clients the more losses will hopefully reduce in the future.
Small and mid-sized companies an increasing sweet spot for hackers
All companies, across all sectors, are now exposed to ransomware attacks, although small- and mid-sized companies are proving a more attractive target for cybercriminals as larger companies beef up their cybersecurity.
The strength of a target’s cybersecurity, rather than its sector, is now the key factor determining who gets attacked. The most attractive targets for cybercriminals traditionally have been large organizations, where they can get the most financial gain for reasonable effort. With these organizations investing heavily in security, the focus is gradually shifting to small- and mid-sized firms. The current real sweet spot is a mid-sized business with weak controls, risk management and cybersecurity in place. That is what cybercriminals like most.
Large companies are better positioned to mitigate the growing range of threats than smaller companies, which often lack the resources to invest in cybersecurity and risk management. Small to mid-sized companies see their risks increasing with digitalization, but typically do not carry out an impact analysis that links cybersecurity exposure to the value of the business.
Even larger companies can have vulnerabilities and blind spots. In around 80% of AGCS cyber insurance claims involving companies with an annual turnover in the triple-digit millions, a significant flaw in the insured’s security caused, or contributed to, the eventual loss.
BEC incidents rise in the ‘deep fake’ era
Business email compromise (BEC) attacks have been on the rise, made easier by the growing availability of data, “deep fakes” and the shift to remote working.
Targeting businesses large and small, BEC attacks can be costly events, leading to financial loss or to more damaging follow-on cyberattacks. BEC attacks come in different flavors, but typically criminals use phishing emails and social engineering to steal user credentials or to trick an employee into making an unauthorized transfer of funds.
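The indicators that accounts-payable or security teams screen for in this kind of BEC message (a look-alike sender domain, an executive's display name on an outside address, a Reply-To that diverts replies elsewhere, and urgent payment language) can be checked mechanically. The following is an added example written for this page, not Allianz/AGCS code or any product's logic; the trusted domain, the executive name, the homoglyph table and both sample messages are constructed for illustration.

```python
"""Heuristic screen for business email compromise (BEC) indicators.

Added example, not Allianz/AGCS code. The trusted domain, executive list
and sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed assumptions: the organization's own domain and the executives
# whose names are commonly impersonated in BEC messages.
TRUSTED_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Digits attackers swap for visually similar letters in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Pressure and payment wording typical of a fraudulent transfer request.
URGENCY = re.compile(r"\b(urgent|wire|transfer|immediately|confidential|gift cards?)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    normalized = domain.translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        # 'examp1e-corp.com' normalizes to the real name; 'examplecorp.com' is one edit away.
        if normalized == trusted or levenshtein(normalized, trusted) <= 2:
            return trusted
        # Trusted label buried in an attacker-controlled domain, e.g. example-corp.com.attacker.net
        if trusted.split(".")[0] in normalized.split("."):
            return trusted
    return None


def bec_indicators(raw_message: str) -> List[str]:
    """Return human-readable BEC indicators found in an RFC 822 message; empty if none."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"look-alike sender domain {domain!r} resembles {imitated!r}")

    # Display-name impersonation: a known executive's name on a different mailbox.
    exec_addr = EXECUTIVES.get(display.strip().lower())
    if exec_addr and addr != exec_addr:
        findings.append(f"display name {display!r} impersonates {exec_addr}, sent from {addr}")

    # Reply-To pointing outside the sender's domain diverts the conversation to the attacker.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_to = reply_to.lower()
    if reply_to and reply_to.rsplit("@", 1)[-1] != domain:
        findings.append(f"Reply-To {reply_to!r} routes replies away from sender domain {domain!r}")

    text = msg.get("Subject", "") + "\n"
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                payload = part.get_payload(decode=True) or b""
                text += payload.decode(part.get_content_charset() or "utf-8", "replace")
    else:
        text += msg.get_payload()
    hits = sorted({m.lower() for m in URGENCY.findall(text)})
    if hits:
        findings.append("pressure/payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real claims data).
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@example-corp.com
Subject: Urgent wire transfer

I'm in a meeting and can't take calls. Please transfer $48,500 immediately to the vendor below and keep this confidential.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 budget review

Attached are the slides for Thursday's review.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(name, bec_indicators(raw) or "no indicators")
```

None of these checks is conclusive on its own: a real executive may write urgently, and a partner may legitimately use a Reply-To. The value is in combining them with out-of-band verification of any payment instruction, which is the control the scenario above is designed to bypass.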
BEC is attractive to criminals because they can achieve a big payoff for a relatively low investment of time and resources. Between June 2016 and December 2021, BEC scams globally totaled $43 billion, according to the FBI. There was a 65% spike in scams between July 2019 and December 2021 alone.
BEC attacks continue to grow more sophisticated and targeted, with criminals now using virtual meeting platforms to convince victims to transfer funds or to collect information on day-to-day operations. Increasingly, these attacks are supplemented by artificial intelligence (AI) enabled “deep fake” audio or visuals that mimic senior executives on the telephone or during online meetings. Last year, criminals used “deep fake” audio to clone the voice of a company director in order to mislead a UAE bank employee into making a $35 million fraudulent transfer.
Data stolen during double-extortion ransomware attacks, and then shared by criminals, is also driving the increase in BEC attacks. Data leak sites offer searchable indexed data that enables cybercriminals to search for specific types of data, enhancing social engineering. After analyzing ransomware leak sites, Accenture found that an estimated 91% of ransomware victims incurred subsequent data disclosures.
Cybercriminals will continue to evolve their strategy for business email compromise. We continue to see claims in the U.S. from business email compromise, despite increased awareness of cybersecurity and efforts to educate employees on phishing. If anything, the risk of attacks is growing. As more and more data is made available online the focus on social engineering and phishing has increased.
Scott Sayce is global head of cyber and group head of The Cyber Centre of Competence at Allianz Global Corporate & Specialty based in London.
Opinions expressed here are the author’s own.