Cyber Pandemic 2023

Cyber insurance covers everyone, from individuals and small-to-midsized businesses to cybersecurity experts and chief security officers as well as C-suite executives; however, there remains an undersupply of cyber expertise within the field.

CISA’s regional staff continues to assist its partners in improving their cybersecurity resilience by providing situational awareness, training, outreach services and technical assistance.

Cybercriminals are looking for new ways to extort money

Cybercriminals are always searching for new ways to extort money from businesses and individuals alike. Their methods may involve exploiting data breaches to access sensitive information that they then encrypt and hold hostage; some even threaten to sell it online, which could prove devastating for a business’s reputation. Unfortunately, as cyber threats grow more sophisticated, it becomes harder for organisations to protect their systems and data effectively.

Cyber criminals now possess an arsenal of tools and techniques designed to breach systems more rapidly and efficiently. For instance, they can look for devices with known vulnerabilities in commercial datasets like Shodan – or conduct their own scans – then exploit these vulnerabilities to gain initial access to an organization’s networks.

From there, they can target specific areas of a business and obtain sensitive information that could be exploited for financial gain – this may include databases, emails and communication systems. Once gathered, this data can then be used for extortion attacks that can severely harm both businesses and their customers.

Ransomware attacks target sectors including healthcare, government and critical infrastructure, but they can strike any organization that uses open or accessible data storage or communications systems. It’s therefore critical for companies to prioritize ransomware defense as soon as possible by updating systems, installing backup solutions and considering cyber insurance.

Many victims may be reluctant to pay the ransom, yet others decide to make arrangements with criminals in exchange for lower ransom payments. This strategy can prove dangerous as it opens them up to repeated attacks and places them on criminals’ “payer list”.

As demand for stolen data continues to soar, so too do profits from its sale. Cyber criminals have taken to offering various related services, such as selling stolen data or providing an attack to buyers who have not invested in their own infrastructure – an increasingly attractive proposition.

Cyber attacks against high-net-worth individuals and family offices have increased significantly in recent years, as evidenced by studies conducted by Barclays Private Bank which indicated that over one quarter of UHNWIs have experienced at least one cyber attack.

The threat of encryption-based ransomware is resurging

Enhancements in cyber security may help combat encryption-based ransomware, but the threat landscape continues to evolve. According to Allianz Commercial’s analysis of large cyber loss incidents from 2023 thus far, data exfiltration incidents appear to be on an upward trend — and 2023 could prove even busier than last year!

One primary driver is ransomware-as-a-service kits, which enable cybercriminals to launch attacks more rapidly and at reduced costs than ever before. Furthermore, attackers are taking advantage of vulnerabilities in third-party vendors in order to gain entry to networks and launch attacks; as Allianz Commercial advises, companies should continuously monitor their extended ecosystem for susceptibility indicators and risk warning signs.

Though cyberattacks have increased recently, organizations are taking steps to enhance their defenses and respond more rapidly to threats. Ransomware payments by victims have declined from an average of $140,000 per incident in 2019 to an estimated average of just $28,000 in 2023.

Cybercriminals have increasingly targeted small businesses due to their limited resources to respond to an attack, according to CrowdStrike’s Small Business Cybersecurity Survival Guide. Small businesses tend to have weaker defenses and a smaller cybersecurity team than larger enterprises, which makes them more susceptible to attack. It’s therefore recommended that they prioritize their security investments with vendors who offer guidance and tools against common attacks on small businesses.

Given such dire predictions, it should come as no surprise that the World Economic Forum ranked cyberattacks as the top global business risk in their 2023 Global Risk Outlook report. Indeed, 93% of cybersecurity leaders and 86% of business leaders believe a far-reaching cyberattack will occur within two years – an alarming statistic.

Cyber-attacks are becoming more sophisticated

Internet of Things devices, the rising rate of data breaches, and AI and machine learning applications that use malware/phishing techniques have put information security on high alert. Cyber attackers possess superior tools to gain entry to organizations by hiding their malicious software within legitimate files or by spreading content that misleads, manipulates or amplifies people’s beliefs/attitudes on social media channels such as Facebook.

Attack surfaces have expanded with the proliferation of IoT devices, cloud infrastructure and employee personal mobile phones. Attackers pursue various targets: money, credit card or personally identifiable information (PII), compute resources, or disruption of business operations are among them.

According to the World Economic Forum’s 2023 Global Risk Report, an increasing number of attacks are targeting critical technology-enabled resources and services, including agriculture and water supplies; financial systems; public security measures; transport; energy sources as well as domestic space-based communication infrastructure.

CISA recently issued a Cybersecurity Advisory and co-sealed tabletop exercise in response to this specific threat, while also creating the Water/Wastewater Systems CTEP (Cybersecurity Training and Exercise Program) to increase cybersecurity resilience across its sector.

Recent research by IBM’s X-Force research unit indicates that attacks are also becoming increasingly sophisticated. Their researchers discovered that, on average, attacks have grown both larger and more sophisticated over time, with backdoors accounting for 27% of cases, web shells for 18%, and adware, BEC, crypto miners, loaders, and reconnaissance and scanning tools each accounting for 9%.

Small businesses are especially susceptible to cyber threats, with 48 percent not possessing cyber insurance compared to only 16 percent for larger corporations surveyed in this same study. Geopolitical uncertainty was found to be one of the primary drivers behind corporate concerns about cyberattacks, with 73 percent of executives considering any cyber attack a competitive disadvantage.

The cat and mouse game continues

Cybercriminals and their defenders are engaged in an ever-evolving game of cat and mouse that is becoming ever more asymmetrical. Attackers are targeting IT and physical supply chains with ransomware attacks, finding new methods of extorting exorbitant sums of money, and using AI technology for faster, stealthier operations than ever. Despite all this activity, security leaders still find themselves struggling to keep up.

More than half of CISOs report difficulty recruiting cybersecurity talent. This talent shortage is made worse by the fact that less than one out of seven cybercrimes is reported to law enforcement, according to the World Economic Forum’s Global Cybersecurity Outlook 2023.

Barclays Private Bank conducted a study revealing that cyber attacks against ultra-high net-worth individuals and family offices are growing, with one study showing over one quarter of UHNWIs being victims of cybercrime within one year – this averaged out to $1.1 billion USD per family.

Cyberattacks against companies have also grown increasingly frequent; according to the 2023 Allianz Risk Barometer, cyber incidents were listed as the number one business risk – ahead of natural disasters and geopolitical instability.

As such, many board members are concerned with their organization’s cybersecurity posture. According to one report, 77% of CEOs view cybersecurity as a core component of their business and a potential source of competitive advantage; additionally, 56% of board directors meet monthly or more frequently with their security leaders.

Though this is encouraging news, the need for security talent remains immense. While industry forecasts estimate 1.5 million new security jobs by 2023, this may still not be sufficient to keep pace with ever-increasing threats.

Because cybersecurity skills are nontransferable and take time and money to train for, and because many security roles require advanced degrees and highly specialized talent, it can be challenging to find candidates with all the necessary expertise. The lack of qualified personnel is particularly acute in the US, according to research conducted by the National Cybersecurity Institute, which estimated there are over 750,000 open cybersecurity positions available. Companies are making great strides toward filling this skills gap, with Google investing $10 million by 2023 to secure its supply chain and open source security, while IBM plans on providing learning opportunities to 30 million people within technology-related fields, including cybersecurity, by 2030.