The Allianz Risk Barometer 2022, an annual risk analysis survey conducted by insurance and asset management company Allianz, ranked cyber risk ahead of natural disasters, business interruption and pandemic disruptions as the top business risk worldwide.
Ransomware, which increased by 93% from 2020 to 2021, has been a major cybercrime problem, but so have phishing attacks, network and software vulnerabilities, concerns about third-party and vendor security, supply chain security against cyberattacks, and, more generally, apathy and burnout in the workforce, which have contributed to failures in internal security practices.
Among the reported cyber incidents, a Norwegian media company had to shut down operations at the end of December 2021 due to a security breach in which the perpetrator obtained names, addresses and phone numbers of subscribers. Microsoft was hacked in March 2021, negatively affecting over 30,000 organizations in the United States, including local governments, federal agencies, and businesses. Cyber attacks show no signs of slowing down in 2022. In February 2022, 83 global data breaches and cyber attacks were reported with 5,127,241 data records breached.
Which industries bad cyber actors are targeting
Historically, cyber attackers have targeted the following industries: healthcare/medical; banking/credit/finance; government/military; education; and energy/utilities. These industries are preferred targets because they play important political and economic roles.
Healthcare and financial institutions hold sensitive personal information and financial data that can be exploited. Government/military agencies have important information that hostile governments want to obtain. Educational institutions have research and intellectual property that others want to steal. And infrastructure industries such as energy/utilities are ripe targets for service disruptions that can adversely affect large segments of the population.
Depending on their purpose, the attack techniques used by cybercriminals vary greatly.
With ransomware, attackers have locked down systems and networks, holding companies and governments hostage until they pay hefty fees to regain access to their IT. Phishing is prevalent in the financial services industry, as attackers can make email messages to consumers appear to come from the consumers’ banks, tricking them into revealing sensitive information. Recent attacks on the government and military sectors have penetrated networks and sensitive information through the software supply chain, with third-party software vendors inadvertently delivering malware into their customers’ networks. On the infrastructure side, intruders have compromised utility companies through IoT surveillance cameras installed on their premises.
Steps IT can take
On the bright side of the ledger, security software and technology practices continue to emerge to keep pace with new approaches to cyberattacks. Equally important, there are some basic measures that IT and businesses can apply to keep their networks and systems healthy and secure. Here are five steps:
1. Manage endpoints
As more IT migrates to enterprise edges and more IoT devices connect to networks, the risk of cyberattacks increases. This is because many IoT devices and technologies lack adequate security, and it is harder for IT to monitor and control all of these distributed entry points into the network. If you feel exposed at the edge, edge security software can strengthen your defenses there.
2. Watch out for social engineering
Phishing, impersonating employees, and offering free services and benefits that trick employees into opening fake emails or visiting infected websites are all methods scammers use to penetrate networks and introduce malware.
There are also cases of disgruntled employees stealing confidential company information and/or sabotaging networks, and of employees carelessly sharing their passwords with others.
IT may hire an outside audit firm to conduct periodic social engineering audits, including reviews of employee behavior, network usage policies, and network security performance, to determine the soundness of employee security practices. However, the best step IT can take is to work closely with HR to ensure that new hires are trained, and existing employees are refreshed annually, on the company’s security policies and practices, so that employees know what is expected of them.
3. Conduct regular IT security audits
As standard practice, the IT budget should include allocations for an annual enterprise-wide IT security audit and for network vulnerability and penetration testing by an external audit firm on a quarterly basis. Social engineering audits should be conducted at least every two years.
These external security audits by an experienced security firm ensure that security policies and methods are up to date. An external audit firm is also a valuable source of information about new security policies and practices that IT may not yet be aware of.
4. Check your suppliers
A requirement that the vendor meet your own internal security and governance standards should be a line item on every RFP you send out. Third-party providers can be security weak points that expose your data to others. Always ask a vendor for a copy of its latest IT security audit report. If the provider cannot give you an up-to-date report, it is advisable to look for another provider.
5. Consider adding cyber risk insurance to your company’s general liability insurance
As the insurance industry gains a better understanding of cyber risk, more cyber risk insurance coverage is available to businesses. It might be worth adding cyber risk coverage to your company’s general liability insurance.
At the same time, note that cyber insurance rates have risen, with reports of increases of 30% to over 50% in 2021 for certain lines of business, and some insurers are shying away from this coverage altogether.
If you haven’t already, now is the time to sit down with your insurer to see what cyber risk coverage they offer and if it makes sense for your business.