AI, IoT & skills shortage to fuel future cyber-attacks

Oleg Parashchak
Published in Forinsurer
Jan 19, 2024

Manufacturing was the most targeted sector for ransomware cyber-attacks and the most extorted industry in 2022, according to IBM Security’s 2023 X-Force Threat Intelligence Index.

Top industries ransomware targeted

Threat actors target weak links in supply chains

Supply chain-enabled ransomware attacks are not new, but they have now become an established part of the ransomware playbook. Increasingly, threat actors are targeting companies in the IT supply chain, as well as companies that hold sensitive data in physical supply chains, in order to demand extortion payments from multiple companies.

Supply chain attacks first hit the headlines in 2019, following an intrusion at the system management company SolarWinds, which marked the start of one of the largest software supply chain attacks in history.

In 2021, a similar attack involving IT management company Kaseya exploited a zero-day vulnerability in the company’s remote management software to carry out ransomware attacks that are thought to have impacted some 1,500 businesses and resulted in a $70mn ransom demand.

In June 2023, a North Korean hacking group penetrated software-as-a-service provider JumpCloud in order to target cryptocurrency companies, according to media reports. Blockchain analytics firm Chainalysis said last year that North Korean-linked groups stole an estimated $1.7bn worth of digital cash across multiple hacks.

Supply chain cyber-attacks were typically associated with sophisticated nation state hacker groups, but increasingly they are being used by RaaS groups to launch mass ransomware attacks.

Much like the recent MOVEit extortion, ransomware gangs are now alive to the opportunities to exploit the interconnectivity of digital and physical supply chains and will target organizations with weak cyber security in order to infiltrate other companies elsewhere in the supply chain, circumventing more robust cyber security.

Mass cyber attacks raise accumulation concerns

2023 has seen several mass ransomware extortion attacks, where RaaS groups exploit vulnerabilities in software and the interconnectivity of digital supply chains to exfiltrate data and demand ransoms from hundreds, if not thousands of companies.

In addition to the recent MOVEit attack, in which the Clop ransomware group used a zero-day vulnerability in widely used file transfer software, RaaS groups have launched other such attacks in 2023.

Earlier this year Clop also used a zero-day flaw in the GoAnywhere file transfer software to steal data from over 130 companies.

In a separate attack, threat actors exploited a known vulnerability in unpatched VMware ESXi servers, compromising 3,800 servers worldwide.

AI, IoT & skills shortage to fuel future cyber-attacks

Artificial intelligence (AI) is widely expected to power future ransomware attacks, with automated attack processes, more convincing phishing, and faster malware development. However, it could also enhance cyber security, with more effective and faster detection and threat intelligence.

Threat actors are already using AI-powered language models like ChatGPT to write code.

Generative AI can help less technically proficient threat actors write their own code or create new strains and variations of existing ransomware, potentially increasing the number of attacks they can execute.

AI can be used to carry out more automated attacks, as well as develop new techniques to steal or poison data. When you think about the potential to combine AI with the proliferation of the IoT and the speed of 5G, for example, we may have a serious issue on the horizon (see Internet of Things in Insurance and How IoT Technology Reshapes Business?).

Voice simulation software has been a recent addition to the cyber criminal’s arsenal. In 2019 the CEO of a British energy provider transferred €220,000 to a scammer after they received a call from what sounded like the head of the unit’s parent company, asking them to wire money to a supplier. The voice was generated using AI.

In August 2023, researchers at the Google-owned cybersecurity company Mandiant documented the first known instances of deepfake video technology designed and sold for phishing scams.

The going rate was as little as $20 per minute, $250 for a full video or $200 for a training session, although the researchers were unable to confirm that the services they identified on hacker forums were legitimate or whether a deepfake had been used in any scam.

Mobile devices expose personal and corporate data

Lax security and the mixing of personal and corporate data on mobile devices are making for an attractive target for cyber criminals.

Allianz Commercial has seen a growing number of incidents caused by poor cyber security around mobile devices. During the pandemic many organizations enabled new ways of accessing their corporate network via private devices, without the need for multi-factor authentication (MFA). This also resulted in a number of successful cyber-attacks and large claims.

Cyber criminals are now targeting mobile devices with specific malware in order to gain remote access, steal login credentials, or to deploy ransomware.

The roll out of 5G technology is also an area of potential concern. 5G will power more connected devices, including more sophisticated applications, such as driverless or assisted vehicles and smart cities. IoT devices do not have a good track record when it comes to cyber security.

Many IoT devices are not inherently secure, while the sheer number of these devices globally and the addition of AI could result in a very serious cyber threat. Many of these devices are easily discoverable and will not have MFA mechanisms.

Cyber security skills shortage affects cost and frequency

A growing shortage of cyber security professionals will increasingly complicate cyber security efforts, potentially increasing the chances of successful attacks in the future.

The current global cyber security workforce gap stands at 3.4 million people, according to ISC2, the non-profit member organization for cyber security professionals, with demand for cyber professionals growing twice as fast as supply.

Some 70% of organizations say they do not have enough cyber security staff to be effective. Gartner predicts that a lack of talent or human failure will be responsible for over half of significant cyber incidents by 2025.

Global cyber security workforce gap

The shortage of cyber security experts also impacts the cost of responding to a cyber incident. According to the IBM Cost of a Data Breach Report 2023, organizations with a high level of security skills shortage had a $5.36mn average data breach cost, around 20% higher than the average cost.

Cyber claims frequency: stabilization trend

Cyber claims frequency picked up again during the first half of 2023, although improved cyber security over the past two years has helped control first party losses and improve the overall quality of risk.

The attackers are now back, and focused again on Western economies, with more powerful tools, enhanced processes and attack mechanisms.

Following a significant spike in ransomware losses in 2020 and 2021, the frequency of cyber insurance claims stabilized last year, reflecting improved cyber security and risk management actions among insured companies — such as the use of multifactor authentication or more effective backup strategies which made encryption-based ransomware less effective and reduced the business interruption impact.

At the same time, law enforcement agencies targeting ransomware gangs and the Ukraine-Russia conflict are thought to have curtailed the activities of threat actors.

Ransomware groups have changed tactics, with an increase in data exfiltration, and mass cyber-attacks that have exploited weaknesses in IT supply chains.

The MOVEit mass cyber-attack, which affected over a thousand companies earlier this year, for example, contributed to the increase in the frequency of claims in 2023, affecting multiple policyholders simultaneously.

Number of cyber-related claims per year

Ransomware and extortion-based attacks remain the largest source of cyber insurance claims by volume and frequency, accounting for more than 80% of claims from standalone cyber policies alone.

Cause of loss by value of cyber claims

Based on the analysis of 3,366 claims worth €612mn (including the share of other insurers)

Privacy and liability risks on watch

In addition to extortion claims, there has also been an uptick in the number of data privacy claims in the US, related to biometric information, such as voice or fingerprint data, as organizations increasingly capture this to improve online security.

Many track personal information such as location, health or behavior, as part of their product and service offering, or to aid sales and marketing.

The US does not have a federal law covering data privacy, but a number of states have implemented strict laws, such as the California Privacy Rights Act and the Illinois Biometric Information Privacy Act (BIPA). Meanwhile, the number of data privacy and data breach class action lawsuits continues to rise as plaintiffs see this as a potentially lucrative and expanding area of litigation.

Data exfiltration drives up cyber insurance claims costs

More sophisticated attacks and inflation are increasing the cost of large cyber losses. The size and complexity of an organization and its IT infrastructure is a key factor contributing to the cost of large cyber claims.

Once a cyber-attack progresses past a certain point, the combination of first party restoration costs, business interruption and third-party liability easily results in a large loss.

Business interruption remains the key loss driver for ransomware attacks, as it does for many forms of cyber-attack — Allianz analysis shows that it accounts for 50% of all cyber-related losses by value.

Allianz analysis of a number of larger insurance industry cyber losses (>€1mn) between 2019 and the end of the first half of 2023 shows that the proportion of cases in which data is exfiltrated increased from 40% in 2019 to 77% in 2022, with 2023 on course to surpass this.

Along with this increase in data exfiltration, first party recovery and response expenses are increasing, while the cost of notification and third-party liability can also be significant.

The average cost of a data breach in 2023 was $4.45mn, a 15% increase over three years, according to the IBM Cost of a Data Breach 2023 report.

Allianz analysis of claims notifications shows that breaches that were not detected and contained early, and therefore ultimately involve data exfiltration, can be as much as, or even more than, 1,000 times more expensive than those that were.

Exfiltration incidents carry a higher reputational risk and are a bigger drain on the resources of the company and leadership, making effective data breach response critical.

Allianz analysis of a number of larger insurance industry cyber losses (>€1mn) between 2019 and the end of the first half of 2023 shows that the proportion of cases becoming public increases from year to year. In 2019 this totaled 60%, rising to 85% in 2022, with 2023’s total on course to surpass this.

Early detection is key to combating emerging cyber threats

The vast majority of cyber-attacks are contained quickly and, if insured, often fall within policy deductible levels, or are not even notified.

According to Allianz analysis, just 2% of claims drive the overall loss amount, and in almost all cases these would have benefited from early detection.

Good data management is essential to mitigating the impact of data exfiltration attacks, as are a growing number of specialist services.

Prevention drives frequency, while detection determines severity. Some 90% of incidents are contained early, and most cases stay within policy retention levels. However, if the attack is not stopped in the early stages, we rarely see them being caught during the next stages. Once the attacker has exfiltrated and encrypted it is too late and becomes very expensive.

The key to avoiding damaging cyber-attacks and mitigating losses is to detect an attack in its early stages, according to Daum. “With growing reliance on outsourcing and data flows between companies, and with the potential use of artificial intelligence by threat actors, protecting the perimeter of an organization will no longer suffice.

……………

FULL report — https://beinsure.com/global-cyber-security-trends/
