In the Allianz Risk Barometer 2022, an annual risk analysis survey conducted by insurance and asset management firm Allianz, cyber risk was rated as the world’s top business risk, ahead of natural disasters, business interruptions, and pandemic disruptions.
Ransomware, which increased 93% from 2020 to 2021, was a major cyber crime concern, but so were phishing attacks, network and software vulnerabilities, concerns about third-party and vendor security, the safety of the supply chain from cyber attack, and a general apathy/burnout in the workforce that could contribute to lapses in internal security practice.
Among the cyber incidents reported, a Norwegian media company had to shut down operations in late December 2021 because of a security breach in which the perpetrator obtained names, addresses and phone numbers of subscribers. Microsoft was hacked in March 2021, affecting over 30,000 organizations across the United States, including local governments, federal government agencies, and businesses. Cyber attacks have shown no sign of slowing down in 2022. In February 2022, 83 global data breaches and cyber attacks accounting for 5,127,241 breached records were reported.
What Bad Cyber Actors Are Targeting
Historically, cyber attackers have targeted the following industries: healthcare/medical; banking/credit/financial; government/military; education; and energy/utilities. These industries are favored targets because of the vital roles they play politically and in the economy.
Healthcare and financial institutions house confidential personal information and financial details that can be exploited. Government/military agencies have critical information that hostile governments want to obtain. Educational institutions have research and intellectual property that others want to steal. And infrastructure industries like energy/utilities are ripe targets for service disruptions that can adversely impact large segments of the population.
Depending on their purpose, the attack techniques of cyber bad actors can vary widely.
With ransomware, attackers have locked up systems and networks, holding businesses and governments hostage until they pay large fees to get their IT back. Phishing is pervasive in the financial services industry, because hackers can make email messages to consumers look like they are coming from the consumers’ banks, causing the consumers to surrender sensitive information. In the government and military sector, recent attacks that penetrated networks and exposed sensitive information came through the software supply chain, with third-party software providers inadvertently injecting malware into the networks of their users. In infrastructure, cyber infiltrators have hacked utilities through IoT security cameras that were installed on the premises.
Steps IT Can Take
On the plus side of the ledger, security software and technology practices continue to emerge in an effort to keep pace with new cyber-attack approaches. Just as significantly, there is some basic “blocking and tackling” that IT and companies can also apply to ensure that their networks and systems remain healthy and secure. Here are five steps:
1. Manage endpoints
As more IT migrates to the edges of enterprises and IoT devices join networks, the risk of cyber attacks increases. This is because many IoT devices and technologies lack adequate security, and it is more difficult for IT to monitor and control all of these decentralized entry points into networks. If you believe you have exposure at the edge, edge security software can help harden those entry points.
2. Pay attention to social engineering
Phishing, impersonating employees, and offering free services and benefits that entice employees to open bogus emails or visit infected websites are all ways that scammers penetrate networks and import malware.
There are also cases of disgruntled employees who steal confidential company information and/or sabotage networks, and employees who carelessly share their passwords with others.
IT can hire an outside audit firm to perform regular social engineering audits including reviews of employee behaviors, network usage policies, and network security performance to determine the soundness of employee security practices. However, the best step that IT can take is to work closely with HR to ensure that new employees are trained and existing employees are annually refreshed on corporate security policies and practices so employees know what is expected of them.
3. Perform regular IT security audits
As standard practice, the IT budget should contain allocations for an annual corporate-wide IT security audit and for network vulnerability and penetration testing by an outside audit firm on a quarterly basis. Social engineering audits should be performed at least every other year.
These outside security audits by an expert security firm ensure that security policies and methods are up to date. An outside audit firm is also a valuable source for information about new security policies and practices that IT may not be aware of yet.
4. Vet your vendors
Security that meets your own internal security and governance standards should be a line item on every RFP that you send to a vendor. Third-party vendors can be weak links in security that expose your data to others. Always ask a vendor for a copy of its latest IT security audit report. If the vendor is unable to furnish you with a recent report, it’s advisable to seek out another vendor.
5. Consider adding cyber risk insurance to your company’s general liability coverage
As the insurance industry better understands cyber risks, more cyber risk insurance coverages have become available to businesses. It might be worth considering adding cyber risk coverage to your company’s general liability coverages.
At the same time, it should be noted that cyber insurance rates have increased, with reports of certain lines of business going up by 30% to over 50% in 2021, and some insurance companies are shying away from this coverage altogether.
If you haven’t already, now is the time to sit down with your insurer to see what it offers in the way of cyber risk coverage, and if it makes sense for your organization.