Following two years of high but stable loss activity, 2023 saw a worrying resurgence in ransomware and extortion losses as the cyberthreat landscape continues to evolve, writes Scott Sayce, global head of Cyber Insurance at Allianz Commercial.
Hackers are increasingly targeting IT and physical supply chains, launching mass cyberattacks, and finding new ways to extort money from businesses both large and small. It’s little wonder that our customers and clients rank cyber risk as their top concern in the annual Allianz Risk Barometer survey.
Ransomware claims activity was up by more than 50% YoY in 2023.
Meanwhile, so-called ransomware-as-a-service (RaaS) kits – where prices start from as little as $40 – have been a key driver in the rising frequency of attacks overall.
Gangs are also carrying out more attacks faster, with the average number of days taken to execute one falling from around 60 days in 2019 to just four. Most ransomware attacks now involve the theft of personal or sensitive commercial data increasing the cost and complexity of incidents, as well as bringing greater potential for reputational damage.
As a global insurer, Allianz Commercial’s analysis of large cyber losses (more than €1-million) in recent years shows that the number of cases in which data is exfiltrated is increasing – doubling from 40% in 2019 to almost 80% in 2022, with activity in 2023 tracking even higher.
Protecting an organisation against intrusion, therefore, is a cat-and-mouse game in which cybercriminals have the advantage. Threat actors are now exploring ways to use artificial intelligence (AI) to automate and accelerate attacks creating more effective malware and phishing. Combined with the explosion in connected mobile devices and 5G-enabled Internet of Things (IoT)), the avenues for cyberattacks look only likely to increase in the future.
At Allianz, our global team of risk engineers regularly monitors the cyber landscape assisting companies with mitigating emerging risks. Threats currently on our radar include:
The power of AI (to accelerate cyberattacks)
Threat actors are already using AI-powered language models like ChatGPT to write code. Generative AI can help less proficient threat actors create new strains and variations of existing ransomware, potentially increasing the number of attacks they can execute. We expect an increased utilisation of AI by malicious actors in the future necessitating even stronger cybersecurity measures.
Voice simulation software has already become a powerful addition to the cybercriminal’s arsenal. There was the case of the CEO of a British energy provider transferring around $250 000 to a scammer after they received a call from what they thought was the head of the unit’s parent company, asking them to wire money to a supplier. The voice was generated using AI. Deepfake video technology designed and sold for phishing frauds can also now be found online – for prices as low as $20 per minute.
It is not all bad news though. We might see more AI-enabled incidents in the future, but investment in detection backed by AI should also help to catch more incidents earlier.
Mobile devices expose personal and corporate data
Lax security and the mixing of personal and corporate data on mobile devices including smartphones, tablets, and laptops is an attractive combination for cybercriminals. Allianz Commercial has seen a growing number of incidents caused by poor cybersecurity around mobile devices.
During the pandemic, many organisations enabled new ways of accessing their corporate network via private devices without the need for multi-factor authentication (MFA). This also resulted in several successful cyberattacks and large insurance claims.
Criminals are now targeting mobile devices with specific malware to gain remote access, steal login credentials, or deploy ransomware. Personal devices tend to have less stringent security measures. Utilising public wi-fi on such devices can increase their vulnerability including exposure to phishing attacks via social media.
The rollout of 5G technology is also an area of potential concern if not managed appropriately, given it will power even more connected devices including sophisticated applications – from driverless cars to smart cities.
However, many IoT devices do not have a good record when it comes to cybersecurity, are easily discoverable, and will not have MFA mechanisms which, together with the addition of AI, presents a serious cyberthreat. Even today we see devices with default passwords that are available on the Internet.
Cybersecurity skills shortage affects the cost and frequency of incidents
A growing shortage of professionals will increasingly complicate cybersecurity efforts. The current global cybersecurity workforce gap stands at more than 4-million people with demand growing twice as fast as supply. Gartner predicts that a lack of talent or human failure will be responsible for over half of significant cyber incidents by 2025.
In short, because technology is moving so fast, there are not enough experienced people to keep pace with the threats. It’s very hard to get good cybersecurity engineers which means companies are more exposed to cyber events.
Without skilled personnel it is more difficult to predict and prevent incidents which could mean more losses in the future.
The shortage of cybersecurity experts also impacts the cost of an incident. Organisations with a high level of security skills shortage had a $5,36-million average data breach cost – around 20% higher than the actual average cost, according to the IBM Cost of a Data Breach Report 2023.
Early detection is key to combating emerging cyberthreats
Preventing a cyberattack is becoming harder and the stakes are higher. As a result, early detection and response capabilities and tools are becoming ever more important. If you have an undetected loophole in your network it is a potential Achilles heel.
And if you do not have effective early detection tools it can lead to longer unplanned downtime, increased costs, and have a greater impact on customers, revenue, profitability, as well as your reputation.
The lion’s share of IT security budgets is currently spent on prevention with around 35% directed to detection and response. However, if undetected, an intrusion can quickly escalate and once data is encrypted and/or stolen, the costs snowball – as much as 1 000-times higher than if an incident is not detected and contained early. The difference between a €20 000 loss turning into a €20-million one.
Looking forward, detection tools will be the next logical step for most companies to invest in. Ultimately, early detection and effective response capabilities will be key to mitigating the impact of cyberattacks, as well as ensuring a sustainable cyber insurance market going forward.