Abstract
The general consensus about the Covid-19 pandemic, as it relates to information security, is that it has been a huge headache, opening up opportunities for cyber criminals. But the fifth edition of insurance firm Hiscox's annual report suggests that there may be a silver lining.

It's undeniable that the shift to working from home has presented organisations' IT departments with serious challenges. VPNs have never been in such heavy demand before. Just implementing the infrastructure to allow large numbers of employees to connect securely has meant long days for tech support.
But it's not all about technical issues. The mixing of home life and work life creates a dangerous blend. While one would like to think that employees would apply the lessons and habits learned during corporate security training to their personal use of technology, the reverse is more likely to be true. People typically demonstrate less caution and scepticism when it comes to, say, personal emails. Or they may just lower their guard when working in the informal setting of their homes.
Cyber criminals have not been slow to exploit this. There has been a barrage of Covid-themed phishing and ransomware emails. And the more persistent and dangerous attackers have been using targeted emails – for example, purporting to come from the victim's organisation or phoney LinkedIn messages – to spread malware, often with the ultimate intention of attacking the networks of the person's employer.
So where's the silver lining? According to Hiscox it lies in the attention that firms are now paying to security. In the introduction, Gareth Wharton, Cyber CEO at Hiscox, writes: “Despite the difficulties presented by the Covid-19 pandemic, firms have intensified their fightback by devoting more resources and focus than ever to cyber resilience.”

Figure: Outcomes of cyber attacks (respondents chose all that applied). Source: Hiscox.
It's a shame that it took a plague costing so many lives to get security high enough on organisations' to-do lists, but at least it's a crumb of comfort.
Another lesson to be learned from the pandemic – one we all already knew but which apparently needs to be constantly underscored – is that attackers hit you at your weakest spot. Yes, it's obvious. Phrases along the lines of ‘defenders need to protect everything while attackers need only one flaw’ are practically a mantra chanted at security conferences. Yet the weak spots introduced by the working-from-home trend seem to have caught many organisations by surprise. As Wharton says: “Our experience as an insurer has shown that consistent standards across all areas of security are essential if the hackers are not going to find a way in.”
Inevitably, ransomware features heavily in this report. It was already on the rise before the pandemic and has only thrived since lockdowns and widespread feelings of insecurity have encouraged people to drop their guard. According to Hiscox, just over half the firms (58%) hit with ransomware paid the ransom – a figure that rises to 71% in the US. The more than 6,000 firms surveyed by Hiscox that paid handed over a total of $7.3m, with the median amount being $11,900 and the largest single payment $94,900. It's no wonder that ransomware is popular among cyber criminals.
However, while ransomware hogs the headlines, it would be dangerous to take our eye off the ball when it comes to other threats. Overall, Hiscox has seen the proportion of firms attacked rise from 38% to 43%, year-on-year, with many suffering multiple attacks. In terms of outcomes from those attacks, malware infections still top the charts. Business email compromise comes second – another threat category that is seeing significant growth. And old favourites like distributed denial of service (DDoS) continue to represent a major menace to enterprises.
Consistent with previous editions of the report, Hiscox confirms that the larger the organisation, the more likely it is to be attacked. Whether that rule holds for successful attacks is debatable, given that bigger firms generally have more resources to throw at defending themselves. In fact, the report says that smaller organisations suffered the greatest financial losses, proportional to the size of the business. Favourite target sectors remain technology, media and telecoms (TMT), financial services and energy.
Attackers keep coming back, too. The report states: “More than a quarter (28%) of firms that suffered cyber attacks were targeted more than five times in the past year. Nearly half (47%) of enterprise-scale firms that were attacked found themselves fending off the hackers six times or more. A third (33%) had to do so more than 25 times.”
It would be interesting to see more in-depth analysis of this phenomenon than the Hiscox report supplies. For example, were the organisations that were attacked multiple times successfully breached? And if they were, did they adequately fix the issues that resulted in the breaches?
Given that the report is about cyber readiness, just how ready are organisations to deal with attacks? Hiscox concludes that most organisations are at a fairly mature stage when it comes to technology, but lack sufficiently skilled people to back that up. In spite of the many breaches, nearly two-thirds (64%) of firms describe themselves as ‘very confident’ of their cyber readiness. Maybe we still need to learn a few more lessons.
The report is available here: www.hiscox.co.uk/cyberreadiness.
