Businesses risk being ‘distracted’ from the ceaseless nature of cyber risk, according to a new report published today by specialist insurer Beazley.
The number of business leaders citing cyber risk as their main concern fell from 34% last year to just 27% this year, the research says. In contrast, 26% of leaders surveyed think tech obsolescence and the threat of new technology is their biggest concern, with another 24% believing it to be IP theft.
Paul Bantick, Group Head of Cyber Risks at Beazley, says: “These threats are fast-evolving and unfamiliar, with many companies being caught on the back-foot when dealing with the risk. For the insurance industry, working with clients to help them tackle these challenges is vital to ensuring businesses operate in as safe an environment as possible.”
Despite the complex risk landscape, many business leaders still feel confident about their chances in the event of a cyber incident. Almost three-quarters (74%) said they were ‘very prepared’ or ‘moderately prepared’ for such an attack – although this is down from 80% last year.
The way industry insiders perceive threats does not always correlate with the actual threat landscape, and indeed there are still some strong threats facing businesses. One of the most prominent is the risk of ransomware attacks, which are on the rise. On average, Beazley says that 13% of company losses are caused by ‘fraudulent instruction’ – up six percentage points from 2020.
Is Russia-Ukraine war still a cyber threat?
Geopolitical events and social factors have a massive impact on the cyber threat landscape. Criminals adapted their approach during the pandemic, when the world of work was turned on its head, and supply chain vulnerabilities have also caused them to increase pressure on the manufacturing sector – which replaced financial services as the prime target for the last two years running, according to IBM X-Force.
So, when Russia invaded Ukraine in February 2022, experts warned that it would lead to a spike in malicious activity. “A number of prominent cyber gangs split over their allegiances when the conflict started,” Beazley says in the latest report. “This may have led to a reduction in the number of ransomware attacks, but it hasn’t led to a reduction in cyber incidents.”
In fact, Russian-sponsored cyber attackers increased their targeting of NATO countries by over 300% last year, Beazley says. As the war continues, more organisations and businesses could find themselves in the line of fire.
Meghan Hannes, Head of US Cyber & Tech Underwriting Management at Beazley, explains: “The frequency and severity of cyber risks has fallen as the Ukraine-Russia conflict split cyber gangs. However, this isn’t a new normal and the situation is becoming uglier by the day as new threat actors emerge and look to make up lost profits. Cyber protection cannot be a blind spot for businesses in 2023.”
Too small for cyber insurance?
There is no doubting the scale of cyber risk; according to Cybersecurity Ventures, cyber crime is predicted to cost businesses US$10.5tn globally by 2025, representing a 300% increase on 2015 levels. Yet business leaders often perceive the threat level to be diminishing.
Amid a cost-of-living crisis and high inflation, where corporate budgets are being put under immense pressure, small-and-medium-sized businesses (SMEs) report feeling increasingly helpless against the risk of cyber attack.
Firms with revenues between US$250,000 and US$1m feel six percentage points less prepared to deal with cyber risks than they did in 2022; while some criminal groups are using SMEs’ security systems as a training ground for new hackers.
Paul Bantick continues: “Business leaders are finding it a struggle to keep up with the constantly evolving cyber threat. Worryingly, they appear less concerned by cyber risk than a couple of years ago. This could be because they have been lulled into a false sense of security as the war in Ukraine led to a temporary reduction in the ransomware threat level when a number of cyber gangs splintered, but this situation is only temporary.
“As the MOVEit hack has proved, the bad actors are always looking for new ways to attack with tactics ranging from third-party supplier attacks to more sophisticated social engineering and phishing attack techniques. Businesses of all sizes and across all industries cannot afford to take their eye off the ball, just at a moment when cyber criminals are starting to look to make up for profits lost over the past 18 months.”