Ransomware is the top cyber risk for business, with new variations such as “double extortion” and compromised business email increasing in frequency, according to a report by Allianz Global Corporate & Specialty (AGCS) insurance. AGCS specializes in risk consulting and property & casualty insurance solutions.
“The cyber risk landscape doesn’t allow for any resting on laurels,” said Scott Sayce, global head of cyber at AGCS, in a statement. “Most companies will not be able to evade a cyber threat. However, it is clear that organizations with good cyber maturity are better equipped to deal with incidents. Even when they are attacked, losses are typically less severe due to established identification and response mechanisms.”
AGCS’s report notes that in 2021, ransomware attacks numbered 623 million, double the figure in 2020. In the first half of 2022, frequency of these attacks dropped 23% globally, but the year-to-date total was still more than the full year totals for 2017, 2018 and 2019. Ransomware damage is expensive, forecast to cost $30 billion globally by 2023. Also, ransomware accounted for more than half of all cyber claims costs in 2020 and 2021.
Double extortion attacks, which increased nearly 500% in 2021, according to CipherTrace, a cryptocurrency intelligence company, add a layer to ransomware attacks. These attacks steal sensitive data from a company, then use it as leverage to demand ransom. Triple extortion attacks extend ransom demands to partners, customers or suppliers of the company they target.
“Ransom demands are now tailor-made, with groups investing resources in establishing the ‘right’ amount and using expert negotiators to maximize their returns,” said Marek Stanislawski, global cyber underwriting lead at AGCS. “As the number of easy targets decreases with improvements in cyber security, they are looking to squeeze more and more profit from successful attacks.”
While the number of easy targets may be decreasing as large companies with more resources build better cyber defenses, small and mid-size companies have fewer resources and less capability to do so. “Small to medium sized companies see their risks increasing with digitalization, but typically would not carry out impact analysis linked to cyber security and the value of the business,” said Sayce.
Business email compromise (BEC) attacks use phishing emails and social engineering to steal user credentials and break into systems, or to trick employees into transferring funds to the attackers. BEC attacks totaled $43 billion in damages globally from 2016 to 2021, according to FBI statistics. These attacks are also making use of more sophisticated means such as virtual meeting platforms and audio or even video deep fakes of company executives to get systems credentials or funds.
“As more and more data is made available online, the focus on social engineering and phishing has increased,” said Tresa Stevens, head of cyber, tech and media, North America, at AGCS, in a statement.
The AGCS report, “Cyber: The changing threat landscape,” also raises concerns about geopolitical unrest, as in Russia and the Ukraine, and cyber warfare contributing to increased cyber attacks, business interruptions and supply chain disruptions due to cyber attacks, and a lack of cybersecurity professionals.