Day zero – it’s time to prioritize cybersecurity

Companies that haven’t already done so need to invest in cybersecurity and make it an organizational priority.

With cybercrime on the rise and the cyber insurance market hardening, it’s more important than ever for businesses to be aware of current trends and ensure they have good cybersecurity hygiene.

Current trends

In the 2020/21 financial year, the Australian Cyber Security Centre confirmed that self-reported losses from cybercrime amounted to over $33 billion. The same period saw an increase of almost 15% in ransomware cybercrime reports compared to the previous year.

Things seem to be getting worse.

Insurance broker Aon forecasts that the global cost of cybercrime will total between $2 trillion and $6 trillion per year in 2022. These costs include business interruption, theft, data destruction, increased vendor costs (such as legal fees, cyberattack response services, public relations services and ransom negotiators) and the cost of restoring compromised data and systems.

Allianz's Risk Barometer report lists cyber incidents, such as cybercrime and data breaches, as the top concern for businesses globally in 2022, edging out business interruption, natural disasters and pandemic outbreaks.

The concern over cybercrime is not only shared by businesses and risk management experts. In 2021, the United States, United Kingdom and Australia published a joint cybersecurity advisory, which pointed out that there had been an increase in sophisticated, high-impact ransomware incidents. A worrying trend in the United States is that cybercriminals seem to be moving away from “big game” hunting (e.g. Colonial Pipeline Company and Kaseya Limited) and towards targets in the broader corporate market.

Regulators are watching

Regulators are increasingly interested in cyber, which has created an environment of heightened risk for organizations and their directors and officers.

In its August 2021 Corporate Plan, the Australian Securities and Investments Commission (ASIC) listed cyber resilience and the security of regulated entities among its top priorities. This follows ASIC's initiation of legal proceedings in August 2020 against the Australian Financial Services Licence (AFSL) holder RI Advice Group Ltd, in what has been dubbed Australia's first cybersecurity case. ASIC alleges that RI Advice breached its AFSL obligations by failing to implement policies, systems and resources that were reasonably appropriate to manage cybersecurity and cyber resilience risks. The case is scheduled for trial in April 2022, and the outcome should provide useful insight into the court's approach and the cybersecurity expectations placed on AFSL holders.

In November 2021, the Australian Prudential Regulation Authority (APRA) published a press release warning directors that the need for ongoing board due diligence on cyber is greater than ever. APRA expects boards to have the same level of confidence when dealing with cybersecurity issues as when dealing with other business issues.

Regulators’ interest in cyber has coincided with an increase in the frequency, impact and sophistication of cyberattacks.

How did it happen?

Historically, cybercriminals have infiltrated systems using compromised credentials, often obtained through “phishing”, in which emails sent by a malicious actor are used to trick an individual into sharing sensitive information such as usernames and passwords.[1] Once inside a network, cybercriminals have perpetrated various types of attacks, including ransomware deployment, data theft and social engineering fraud.

As organizations have developed defenses against traditional methods of network compromise, the cybercrime economy has evolved in sophistication. Cybercriminals are increasingly using “0-day exploits” to attack organizations. A 0-day exploit takes advantage of a vulnerability in software or an application used by a business or consumer before a fix for it is available, allowing an attack to be launched immediately. A recent, widely publicized example is the log4j incident, which affected millions of computers worldwide that use online services.

Defending against 0-day exploits presents challenges. Applications and programs often require updates to fix vulnerabilities, and there is typically a lag between when a vulnerability is identified, when a patch is developed and when organizations install the patch. This lag provides a window of opportunity that cybercriminals take advantage of. Once inside a network, infiltrators may be able to install additional malware to facilitate long-term access to a victim's environment.

Zero-day exploits are just one example of the evolving cybercrime space and why companies need to invest and make cybersecurity an organizational priority.

Impact on the insurance market

Current cybercrime trends have had a significant impact on the cyber insurance market.

Marsh reports that cyber insurance pricing in the United States has increased by an average of 96% year over year. It considers that the increase in rates is mainly due to:

  • a significant increase in loss ratios due to the increasing frequency and severity of ransomware demands;
  • an increase in supply chain attacks and software exploits, meaning that a single event can affect multiple policyholders;
  • the demand for reinsurance capital remaining higher than the available supply; and
  • limited available capital, which has led some insurers to reduce the amount of capital deployed on a given risk in order to limit the exposure of their own portfolio.

The hardening of the cyber insurance market increases the importance of risk selection and underwriting criteria for insurers.[2] In fact, insurers may refuse to issue a policy on the grounds that your business is not doing enough to protect against cyber incidents. For example, several insurers now require that multi-factor authentication be enabled for all users logging in remotely.

Current trends clearly show that it is more important than ever for companies to invest and have a cybersecurity plan.

What should I do?

Investing in cybersecurity systems and training employees is the best defense against cybercriminals.

The Microsoft Digital Defense Report 2021 states that the best way to minimize the impact of attacks is to practice good cyber hygiene, implement architectures that support “zero trust” principles, and ensure cyber risk management is built into all aspects of your business. Zero trust principles assume that hackers are already in your system and therefore no user should be inherently trusted without proving their identity.

Microsoft suggests that basic security hygiene protects against 98% of cybercriminal attacks. It considers basic security hygiene to include:

  • enable multi-factor authentication, making it harder for threat actors to use stolen or phished credentials;
  • enforce least-privilege access, which limits user access with just-in-time and just-enough access, adaptive policies based on risk and data protection;
  • keep your applications up to date to mitigate the risk of software vulnerabilities or exploits;
  • use anti-malware services; and
  • implement information protection best practices such as applying privacy labels and data loss prevention policies.

While investing in cybersecurity systems is essential, the quality of the systems depends on the people using them.

Training employees on cyber risks and your company’s security protocols is paramount. It’s not enough to treat cybersecurity as something standalone within your IT or security team.

About Donald J. Beadle
