In the Allianz Risk Barometer 2022, an annual risk survey conducted by the insurer and asset manager Allianz, cyber risk was rated the biggest business risk in the world, ahead of natural disasters, business interruption and pandemic outbreaks.
Ransomware, which grew 93% from 2020 to 2021, is the leading cybercrime concern, but respondents also cited phishing attacks, network and software vulnerabilities, third-party and vendor security, supply-chain attacks, and general apathy and burnout in the workforce, which can open gaps in internal security practices.
Among the reported incidents, a Norwegian media company halted operations at the end of December 2021 after a breach in which the attacker obtained the names, addresses and telephone numbers of subscribers. Exploitation of Microsoft Exchange Server vulnerabilities in March 2021 affected more than 30,000 organizations in the United States, including local governments, federal agencies and businesses. Cyberattacks show no sign of slowing in 2022: in February 2022 alone, 83 data breaches and cyberattacks were reported worldwide, accounting for 5,127,241 breached records.
Who do the bad actors target?
Historically, cyber attacks have targeted the following industries: healthcare / medicine; banking / credit / financial; government / military; education; and energy / utilities. These industries are preferred targets because of the vital role they play politically and economically.
Healthcare and financial institutions store confidential personal and financial data that can be monetized. Government and military agencies hold sensitive information that hostile governments want to obtain. Educational institutions have research and intellectual property that others want to steal. And infrastructure industries such as energy and utilities are ripe targets for service disruptions that could affect large segments of the population.
Depending on the attacker's goal, the techniques used vary widely.
With ransomware, attackers lock up systems and networks and hold businesses and governments hostage until they pay large sums to get their IT back. Phishing is widespread in financial services, because attackers can craft emails to consumers that appear to come from their bank and trick them into handing over sensitive information. Recent attacks on government and military networks have come through the software supply chain, with compromised third-party software vendors unknowingly delivering malware into their customers' networks. In the infrastructure sector, intruders have broken into utilities through IoT security cameras installed on their premises.
Steps that IT can take
The good news is that security software and technology practices continue to emerge to keep pace with new attack approaches. Equally important, there is some basic “blocking and tackling” that IT and the business can do to keep networks and systems resilient and secure. Here are five steps:
1. Endpoint management
As more IT moves to the edge of the business and IoT devices join the network, the risk of cyberattack rises. Many IoT devices lack adequate security, and it is harder for IT to monitor and control all of these decentralized entry points into the network. If you suspect you have an exposure at the edge, edge security software can harden those entry points.
2. Pay attention to social engineering
Phishing, impersonating employees, and offering free services and perks that entice employees to open fake emails or visit infected websites are all ways fraudsters get into networks and plant malware.
There are also cases of disgruntled employees who steal confidential company information or sabotage networks, and of employees who carelessly share their passwords with others.
IT can hire an external audit firm to conduct regular social engineering audits, including reviews of employee behavior, network usage policies and the effectiveness of network security, to gauge how sound employee security practices are. But the best step IT can take is to work closely with HR to ensure that new employees are trained, and existing employees refreshed annually, on corporate security policies and practices, so that employees know what is expected of them.
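The tricks described above, a message dressed up to look like it comes from the bank or from a colleague, can be caught at the mail gateway before an employee ever sees them. The following Python script is an added example written for this article, not code from the author or the page. The trusted domains, the three raw messages and their Authentication-Results headers are constructed for illustration, and the brand-substring check and the two-edit Levenshtein threshold are assumed heuristics that each organization would tune.

```python
"""Triage an inbound email for the sender-spoofing tricks used in phishing:
a display name carrying a trusted brand, a lookalike sender domain (homoglyphs,
typosquats, brand reused as a label), a Reply-To that points elsewhere, and an
exact trusted domain whose DMARC check did not pass."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains this organization trusts (its bank and itself).
TRUSTED_DOMAINS = {"examplebank.com", "widgets-example.com"}
# Characters phishers substitute so a domain reads like the real one.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def normalize(domain):
    d = domain.lower().strip().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain, trusted=TRUSTED_DOMAINS):
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, else None."""
    domain = domain.lower()
    if not domain or is_trusted(domain, trusted):
        return None
    nd = normalize(domain)
    for t in trusted:
        brand = t.split(".")[0]
        # Brand reused inside an attacker-controlled name, e.g.
        # examplebank.com.login-secure.net (coarse match; tune for common words).
        if brand in nd:
            return t
        # One or two edits away after homoglyph folding (assumed threshold).
        if levenshtein(nd, t) <= 2:
            return t
    return None


def parse_auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(hdr):
            results[mech.lower()] = verdict.lower()
    return results


def triage(raw, trusted=TRUSTED_DOMAINS):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg)
    findings = []
    imitated = lookalike_of(from_domain, trusted)
    if imitated:
        findings.append(f"lookalike sender domain {from_domain} imitates {imitated}")
    compact_name = re.sub(r"[^a-z0-9]", "", display.lower())
    for t in trusted:  # trusted brand in the display name, address elsewhere
        brand = re.sub(r"[^a-z0-9]", "", t.split(".")[0])
        if brand in compact_name and not is_trusted(from_domain, trusted):
            findings.append(f"display name {display!r} names {t} but address is at {from_domain}")
            break
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")
    if is_trusted(from_domain, trusted) and auth.get("dmarc") != "pass":
        findings.append(f"From claims {from_domain} but DMARC result is {auth.get('dmarc', 'missing')}")
    return {"from_domain": from_domain, "auth": auth, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


# Constructed sample messages, not real captures.
PHISH = """From: "Example Bank Security" <alerts@examp1ebank.com>
Reply-To: secure-desk@mail-relay.example.net
Subject: Action required: verify your account
Authentication-Results: mx.widgets-example.com; spf=pass smtp.mailfrom=examp1ebank.com; dkim=none; dmarc=none

Your account has been limited. Sign in at the link below to restore access.
"""
SPOOF = """From: "Example Bank" <alerts@examplebank.com>
Subject: Wire confirmation
Authentication-Results: mx.widgets-example.com; spf=fail smtp.mailfrom=examplebank.com; dkim=fail; dmarc=fail header.from=examplebank.com

Please confirm the attached wire instructions.
"""
LEGIT = """From: "Example Bank" <alerts@notify.examplebank.com>
Subject: Your statement is ready
Authentication-Results: mx.widgets-example.com; spf=pass smtp.mailfrom=notify.examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=notify.examplebank.com

Your monthly statement is available in online banking.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("spoof", SPOOF), ("legit", LEGIT)):
        result = triage(raw)
        print(label, result["verdict"], *("  - " + f for f in result["findings"]), sep="\n")
```

The script trusts the Authentication-Results header only because a gateway under your control wrote it; run it on the gateway or strip inbound copies of that header first, otherwise a sender can supply a forged `dmarc=pass` of their own.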
3. Perform regular IT security audits
As standard practice, the IT budget should include funds for an annual company-wide IT security audit and for quarterly network vulnerability and penetration testing by an external firm. Social engineering audits should be carried out at least once a year.
External audits by a security specialist confirm that security policies and methods are up to date. An external audit firm is also a valuable source of information on new security practices that IT may not yet be aware of.
4. Check your suppliers
Every RFP you send to a provider should require security that meets your own internal security and governance standards. Third-party suppliers can be weak links that expose your data to others. Always ask the vendor for a copy of its latest IT security audit report. If a provider can't produce a recent one, it's a good idea to look for another provider.
5. Consider adding cyber risk insurance to your company’s overall liability coverage
As the insurance industry has come to understand cyber risk better, more cyber risk insurance has become available to businesses. It may be worth considering adding cyber risk coverage to your company's overall liability coverage.
At the same time, cyber insurance rates have risen, with reports of premiums on certain lines of business increasing 30% to more than 50% in 2021, and some insurers withdrawing from this coverage entirely.
If you haven’t already done so, now is the time to sit down with your insurer to see what it has to offer in terms of cyber risk coverage and whether it makes sense for your organization.