As recently as five years ago, cyber risk was widely perceived as a technological challenge. Protected by firewalls and virus protection software – not to mention the company IT department’s benign oversight – workers rarely worried about their cyber safety.
Today’s cyber crime landscape is vastly more sophisticated and challenging than it was just a few short years ago. Blunt-edged mass efforts to steal information have been eclipsed by hacktivists seeking to disrupt business and commerce on a global scale.
The Global Risks Report 2019 published by the World Economic Forum in partnership with Zurich Insurance Group cites technology as one of the greatest global risks in terms of both impact and likelihood for 2019 – second only to environmental risks.
“As the internet evolves, the nature of cyber risks is fundamentally changing.” says Lori Bailey, Global Head of Cyber Insurance for Zurich. “Cyber risks are no longer just an IT concern, nor are they limited to certain sectors of an organization.”
The figures make for stark reading. The Ponemon Institute reported that last year the average total cost of a data breach was $3.86 million, which was a 6.4% increase over 2017. Recent studies suggest a major cyber-attack could cause financial losses on the same level as Hurricanes Katrina and Sandy.
Meanwhile organized crime has invested in the development of new techniques, such as the weaponization of artificial intelligence, to open up a new frontier of criminality.
“A lot of bad actors are increasingly using AI to expedite their search for vulnerabilities in their search for targets,” adds Bailey. “All the more reason, then, for businesses to be using AI to protect themselves.
“Because criminals are getting more sophisticated, we have to utilize that same platform to make ourselves more resilient. “Nothing is ever going to exceed the human mind’s ability to see things that machines can’t, but AI can certainly make a huge contribution to the process.”
Getting ahead of this challenge has forced a paradigm shift for insurance companies, replacing the traditional model of risk transfer to one which that emphasizes end-to-end cyber resilience, including risk identification and threat protection, as core functions.
This is necessitated by the sheer scale of the challenge, which is accelerated by the increased adoption of advanced technology and digitalization.
The benefits of digital adoption are undisputed and it is essential for a business to digitalize should they want to remain competitive and efficient. Yet the impact of cyber risk pervades nearly every aspect of our lives.
“We've got a better understanding of holistic cyber risk – I think people understand that it's not just a technical issue anymore,” says Paige Adams, Zurich’s Group Chief Information Officer.
“You can have the best security tools in place but the human element is really the last mile – and it's the one that can make or break us.
“Sometimes we refer to employees as our human sensors for cyber threats and that's really true. Because a strategy which doesn't employ that security awareness and have it go hand in hand with the technical components is a short sighted, incomplete strategy.”
Even as advanced malware and AI continue to push “crimeware” technological boundaries, another sinister threat that’s recently seen a sharp increase is business email compromise, or BEC. Rather than relying on malware or links to malicious websites, which can be easily detected by many of today’s advanced cyber threat tools, BEC uses sophisticated social engineering, involving reconnaissance techniques such as mining social media profiles, to create painstakingly targeted, realistic phishing e-mails.
“With the technology on the rise to allow malicious elements to mine that information more efficiently, I think the problem is only going to get worse,” adds Adams.
Spear phishing continues to be the most widely-used infection vector, accounting for over 70 percent of malicious attacks in 2017. While technology to detect and block these attacks continues to get more effective, it often requires a wary recipient to recognize the most sophisticated of these targeted phishes that are specially crafted to evade traditional cyber defensive technology.
With the challenge on such an epic scale, insurers and policymakers may be left with no choice but to consider the feasibility of government-backed reinsurance schemes, similar to those addressing natural catastrophes and terrorism. This would require increasing cooperation on global governance.
“To protect the integrity and reliability of cyber space, governments, the private sector and society must work closely together in a multi-stakeholder approach” concludes Zurich’s Lori Bailey. “Global cyber governance could also be improved via the use of informal networks to allow national cyber governance entities to interact, create trust, increase coordination, and facilitate joint responses.”
“This approach would mirror the coordination among central bank governors, which proved successful during the financial crisis.”
This is high on the agenda for the World Economic Forum’s Global Centre for Cybersecurity, which is working with multiple stakeholders - including Zurich Insurance Group - to establish a common taxonomy through which information about cyber-attacks – and what can be done to protect against them – is freely shared.
Only once that happens can we truly say the cyber threat is under control.