Scott Sayce, Global Head of Cyber at Allianz Commercial
The newly released Allianz Risk Barometer revealed that Cyber incidents such as ransomware attacks, data breaches, and IT disruptions are the biggest worry for companies globally, as well as in the United States, in 2024. The 13th annual business risk ranking incorporates the views of 3,069 risk management experts in 92 countries and territories including CEOs, risk managers, brokers and insurance experts.
Following two years of high but stable loss activity, 2023 saw a worrying resurgence in ransomware and extortion losses, as the cyber threat landscape continues to evolve. Hackers are increasingly targeting IT and physical supply chains, launching mass cyber-attacks, and finding new ways to extort money from businesses, large and small. It’s little wonder that companies rank cyber risk as their top concern (36% of responses – 5% points ahead of the second top risk) and, for the first time, across all company sizes, large (>US$500mn annual revenue), mid-size ($100mn+ to $500mn), and smaller <$100mn), as well.
It is the cause of business interruption that companies fear most, while cyber security resilience ranks as firms’ most concerning environmental, social, and governance (ESG) challenge. It is also the top company concern across a wide range of industries, including consumer goods, financial services, healthcare, and telecommunications, to name just a few.
Ransomware on the rise
By the start of the next decade, ransomware activity alone is projected to cost its victims $265bn annually. Activity surged by 50% year-on-year during the first half of 2023 with so-called Ransomware-as-a-Service (RaaS) kits, where prices start from as little as $40, a key driver. Gangs are also carrying out more attacks faster, with the average number of days taken to execute one falling from around 60 days in 2019 to four.
Most ransomware attacks now involve the theft of personal or sensitive commercial data for the purpose of extortion, increasing the cost and complexity of incidents, as well as bringing greater potential for reputational damage. Allianz Commercial’s analysis of large cyber losses (€1mn+) in recent years shows that the number of cases in which data is exfiltrated is increasing – doubling from 40% in 2019 to almost 80% in 2022, with 2023 activity tracking even higher.
The power of AI (to accelerate cyber-attacks)
AI adoption brings numerous opportunities and benefits, but also risk. Threat actors are already using AI-powered language models like ChatGPT to write code. Generative AI can help less proficient threat actors create new strains and variations of existing ransomware, potentially increasing the number of attacks they can execute. An increased utilization of AI by malicious actors in the future is to be expected, necessitating even stronger cyber security measures.
Voice simulation software has already become a powerful addition to the cyber criminal’s arsenal. Meanwhile, deepfake video technology designed and sold for phishing frauds can also now be found online, for prices as low as $20 per minute.
Mobile devices expose data
Lax security and the mixing of personal and corporate data on mobile devices, including smartphones, tablets, and laptops, is an attractive combination for cyber criminals. Allianz Commercial has seen a growing number of incidents caused by poor cyber security around mobile devices. During the pandemic many organizations enabled new ways of accessing their corporate network via private devices, without the need for multi-factor authentication (MFA). This also resulted in a number of successful cyberattacks and large insurance claims.
The roll-out of 5G technology is also an area of potential concern if not managed appropriately, given it will power even more connected devices. However, many IoT devices do not have a good record when it comes to cyber security, are easily discoverable, and will not have MFA mechanisms, which, together with the addition of AI, presents a serious cyber threat.
Security skills shortage a factor in incidents
The current global cyber security workforce gap stands at more than four million people, with demand growing twice as fast as supply. Gartner predicts that a lack of talent or human failure will be responsible for over half of significant cyber incidents by 2025. Shortage of skilled workforce ranks joint #5 in the top concerns of the media sector and is a top 10 risk in technology in the Allianz Risk Barometer.
It is difficult to hire good cyber security engineers, and without skilled personnel, it is more difficult to predict and prevent incidents, which could mean more losses in the future. It also impacts the cost of an incident. Organizations with a high level of security skills shortage had a $5.36mn average data breach cost, around 20% higher than the actual average cost, according to the IBM Cost of a Data Breach Report 2023.
Early detection is key
Preventing a cyber-attack is therefore becoming harder, and the stakes are higher. As a result, early detection and response capabilities and tools are becoming ever more important. Investment in detection backed by AI should also help to catch more incidents earlier. If companies do not have effective early detection tools this can lead to longer unplanned downtime, increased costs and have a greater impact on customers, revenue and reputation. The lion’s share of IT security budgets is currently spent on prevention with around 35% directed to detection and response.
SMEs the increasing sweet spot
For smaller and mid-size companies (SMEs), the cyber risk threat has intensified because of their growing reliance on outsourcing for services, including managed IT and cyber security providers, given these firms lack the financial resources and in-house expertise of larger organizations.
As larger companies have ramped up their cyber protection, criminals have targeted smaller firms. SMEs are less able to withstand the business interruption consequences of a cyber-attack. If a small company with poor controls or inadequate risk management suffers a significant incident, there is a chance it might not survive.
Businesses can take a proactive approach to tackling cyber threats by ensuring their cyber security strategy identifies their most crucial information system assets. Then, they should deploy appropriate detection and monitoring software, both at the network perimeter and on endpoints, often involving collaboration with cyber-security service partners, to uncover and nullify threats attempting to gain network access.
To view the 2024 Allianz Risk Barometer, please visit: Allianz Risk Barometer
