Following two years of high but stable loss activity, 2023 saw a worrying resurgence in ransomware and extortion losses, as the cyber threat landscape continues to evolve. Hackers are increasingly targeting IT and physical supply chains, launching mass cyber-attacks, and finding new ways to extort money from businesses, large and small. It's little wonder that our customers and clients rank cyber risk as their top concern in the annual Allianz Risk Barometer survey.
Ransomware claims activity was up by more than 50% year-on-year in 2023. Meanwhile, so-called Ransomware-as-a-Service (RaaS) kits, where prices start from as little as US$40, have been a key driver in the rising frequency of attacks overall. Gangs are also carrying out more attacks faster, with the average number of days taken to execute one falling from around 60 days in 2019 to four. Most ransomware attacks now involve the theft of personal or sensitive commercial data for, increasing the cost and complexity of incidents, as well as bringing greater potential for reputational damage. As a global insurer, Allianz Commercial's analysis of large cyber losses (€1mn+) in recent years shows that the number of cases in which data is exfiltrated is increasing – doubling from 40% in 2019 to almost 80% in 2022, with activity in 2023 tracking even higher.
Protecting an organization against intrusion therefore is a cat-and-mouse game, in which cyber criminals have the advantage. Threat actors are now exploring ways to use artificial intelligence (AI) to automate and accelerate attacks, creating more effective malware and phishing. Combined with the explosion in connected mobile devices and 5G-enabled Internet of Things (IoT), the avenues for cyber-attacks look only likely to increase in the future.
At Allianz, our global team of risk engineers regularly monitors the cyber landscape, assisting companies with mitigating emerging risks. Threats currently on our radar include:
Threat actors are already using AI-powered language models like ChatGPT to write code. Generative AI can help less proficient threat actors create new strains and variations of existing ransomware, potentially increasing the number of attacks they can execute. We expect an increased utilization of AI by malicious actors in the future, necessitating even stronger cybersecurity measures.
Voice simulation software has already become a powerful addition to the cyber criminal's arsenal. There was the case of the CEO of a British energy provider transferring around US$250,000 to a scammer after they received a call from what they thought was the head of the unit's parent company, asking them to wire money to a supplier. The voice was generated using AI. Deepfake video technology designed and sold for phishing frauds can also now be found online, for prices as low as US $20 per minute.
It is not all bad news though. We might see more AI-enabled incidents in the future, but investment in detection backed by AI should also help to catch more incidents earlier.
Lax security and the mixing of personal and corporate data on mobile devices, including smartphones, tablets, and laptops, is an attractive combination for cybercriminals. Allianz Commercial has seen a growing number of incidents caused by poor cyber security around mobile devices. During the pandemic, many organizations enabled new ways of accessing their corporate network via private devices, without the need for multi-factor authentication (MFA). This also resulted in several successful cyber-attacks and large insurance claims.
Criminals are now targeting mobile devices with specific malware to gain remote access, steal login credentials, or deploy ransomware. Personal devices tend to have less stringent security measures. Utilizing public wi-fi on such devices can increase their vulnerability, including exposure to phishing attacks via social media.
The rollout of 5G technology is also an area of potential concern if not managed appropriately, given it will power even more connected devices, including sophisticated applications – from driverless cars to smart cities. However, many IoT devices do not have a good record when it comes to cyber security, are easily discoverable, and will not have MFA mechanisms, which, together with the addition of AI, presents a serious cyber threat. Even today we see devices with default passwords that are available on the internet.
A growing shortage of professionals will increasingly complicate cybersecurity efforts. The current global cyber security workforce Gap stands at more than four million people with demand growing twice as fast as supply. Gartner predicts that a lack of talent or human failure will be responsible for over half of significant cyber incidents by 2025.
In short, because technology is moving so fast, there are not enough experienced people to keep pace with the threats. It's very hard to get good cyber security engineers, which means companies are more exposed to cyber events. Without skilled personnel, it is more difficult to predict and prevent incidents, which could mean more losses in the future. The shortage of cyber security experts also impacts the cost of an incident. Organizations with a high level of security skills shortage had a US$5.36mn average data breach cost, around 20% higher than the actual average cost, according to the IBM Cost of a Data Breach Report 2023.
Early detection is key to combating emerging cyber threats
Preventing a cyber-attack is becoming harder, and the stakes are higher. As a result, early detection and response capabilities and tools are becoming ever more important. If you have an undetected loophole in your network, it is a potential Achilles heel. And if you do not have effective early detection tools it can lead to longer unplanned downtime, increased costs, and have a greater impact on customers, revenue, profitability, as well as your reputation.
The lion's share of IT security budgets is currently spent on prevention with around 35% directed to detection and response. However, if undetected an intrusion can quickly escalate, and once data is encrypted and/or stolen, the costs snowball – as much as 1,000 times higher than if an incident is not detected and contained early. The difference between a €20,000 loss turning into a €20mn one.
Looking forward, detection tools will be the next logical step for most companies to invest in. Ultimately, early detection and effective response capabilities will be key to mitigating the impact of cyber-attacks, as well as ensuring a sustainable cyber insurance market going forward.
Author: Scott Sayce is the Global Head of Cyber Insurance at Allianz Commercial