Organizations face a multitude of risks at any given time, yet for the third time in four years the top cause of stress for business leaders remained cyber risk. Given mounting concerns, demand for risk mitigation efforts and for Cyber & Privacy Insurance policies has increased drastically.
While security tools and training have become far more effective, so have criminals, raising the threat of ransomware, social engineering, and other digital attacks on businesses.
Gartner predicts that by 2025, 45 percent of organizations worldwide will have experienced attacks on their software supply chains. Even very small businesses serving a purely local market are at risk: if their data is important to them, it has value to an attacker.
Bad actors use many tools to gain access to data, often trying multiple tactics until one works. Once they control that data, they can use it as leverage over any organization through ransomware, the most common form of cyber threat. Ransomware is a criminal scheme in which an individual or criminal enterprise gains access to personal or corporate data and encrypts or otherwise blocks access to it, threatening to keep it locked (or to publish it) unless a ransom is paid.
The average financial impact of a ransomware attack in the U.S. is $400,000. Ransomware is especially dangerous because paying the ransom does not end the exposure: the criminal still holds a copy of the data they stole in the first place and can still leak it.
The second and third most common types of cyberattack causing financial losses are business email compromise and direct intrusion into IT systems and networks. A single, harmless-looking email opened by a team member can lead to a serious data breach or give an attacker back-door access. That is why employees are one of the most common entry points for a cyberattack.
Human error occurs because employees are often multitasking, unaware of potential threats, or not properly trained in cyber protection techniques. Employees are also targeted directly through social engineering, the psychological manipulation of people into performing actions or divulging confidential information. Attackers play on emotion, using urgent messaging designed to pressure the recipient into clicking a malicious link or taking a similarly damaging action.
Less commonly, employees engage in deliberate criminal activity by misusing their access to employer data, often for revenge or financial gain.
While all industries are at risk, some are specifically targeted
Any organization that holds a large amount of sensitive data, including Social Security numbers and corporate trade secrets, is at risk. Financial institutions and healthcare providers are among the most targeted industries because of the value of the data they hold; as a result, companies in both sectors have usually implemented robust protective infrastructure to help thwart attacks. This is especially true of financial institutions, where successful breaches are comparatively uncommon.
Bad actors often target larger healthcare organizations with multiple locations (hospitals, clinics, and so on) because they need only one entry point or weak spot to gain access to information.
Accounting and law firms produce reams of data, including employee tax records, real estate transactions, and personal information, making them frequent targets for social engineering and hacking. Firms in these industries, even sole proprietorships, should either have a dedicated cyber security expert or engage a trusted third-party firm to oversee their cyber protection.
Technology firms are at risk because of the volume of intellectual property they hold. Educational institutions and local government entities are also at high risk, in part because their IT processes are often less mature than those of for-profit SMBs.
Educational institutions are also targets because of the large number of devices deployed and because students do not always have the same level of security training as adults.
Consider a full range of controls to improve protection
Among the important controls organizations should put in place to increase cyber protection are:
- Updated antivirus and antimalware software
- Email and website filtering programs
- A robust vulnerability management plan that ensures timely application of protections and patches
- Proper access controls for all employees
- Cyber security awareness training for employees
- Appropriately configured and protected legacy systems
- Up-to-date encryption of data in transit and at rest
Above all, organizations should invest in detailed and up-to-date staff training in security awareness and knowledge. Many carriers will recommend or provide training professionals or materials for their clients.
SMBs need to research potential third-party IT and cyber security vendors carefully for quality, reliability, and expertise. Once a partner is chosen, contracts should be carefully worded to set out expectations. Internal controls only work if the third-party vendors providing services can also demonstrate their own due diligence.
High-profile cyberattacks result in significant financial and reputational damage
Large-scale cyberattacks highlight how common and damaging these incidents are. As of August 2023, there had been nearly 700 major security breaches in 2023, exposing more than 600 million records. The average cost of a data breach reached $4.45 million in 2023.
MGM Resorts International was hit by a cyberattack in September 2023 that disrupted its resorts and casinos across the U.S. It began with a social engineering attack on the company’s IT help desk and resulted in, among other issues, fraudulent charges being added to customer credit cards associated with MGM Rewards accounts.
The fallout from the 2020 SolarWinds hack, attributed to Russian state-backed actors, is still reverberating globally. The back-door access had been in place for several months by the time the compromise of SolarWinds’ Orion network monitoring software was discovered in late 2020.
Benefits of cyber insurance are extensive
Cyber insurance helps organizations properly address a breach in a variety of ways. Most carriers offer coverage that provides the following benefits:
- Credit monitoring services for any impacted clients/customers following a breach (often for a year or more)
- Notification and communications services and costs (such as direct mail notifying stakeholders and clients of a breach or the hiring of a crisis communications firm)
- Response and recovery consultation services
- Forensic investigation services (which establish not only how a breach occurred but also how to prevent a similar incident in the future)
Cyber security may become even more challenging in the months and years to come because of artificial intelligence and voice-synthesis tools that bad actors can use to increase their chances of gaining access to organizational IT systems and data.
The bottom line is that nothing can fully replace an effective risk management process that continually improves the organization’s risk profile. Such a process should track and remediate vulnerabilities and apply updates while establishing comprehensive phishing and cyber security training. Combined with purchasing the proper amount of cyber insurance to protect the organization in the event of a breach, this leaves an organization well positioned to weather future attacks.
Contributors: Laura McCormick, Associate Vice President, Regional Practice Group Leader, Professional, Burns & Wilcox; Ryan Ascenzo, Senior Broker, Professional Liability, Burns & Wilcox Brokerage; Allison Arnold, Broker, Professional Liability, Burns & Wilcox; Aaron Buck, Chief Information Security Officer, Corporate Vice President, H.W. Kaufman Group
This commentary is intended to provide a general overview of the issues contained herein and is not intended, nor should it be construed, to provide legal or regulatory advice or guidance. If you have questions or issues of a specific nature, you should consult with your own risk, legal, and compliance teams.