Preparedness helps prevent pandemic-fueled cybercrime

Businesses that had their hands full keeping cybercriminals out of their systems before the COVID-19 pandemic took hold are now seeing attacks on new fronts. Remote workers are tempting targets for the thieves looking to steal information from companies or lock up their systems and demand big sums to release it.

The pandemic unleashed a blizzard of online scams and phishing expeditions, ransomware and phony websites trying to lure users into clicking on malicious links or entering sensitive information. No one is expecting the criminals to stop anytime soon and, in fact, their efforts will likely intensify, experts note.

“A further increase in cybercrime is highly likely in the near future,” according to Interpol. “Vulnerabilities related to working from home and the potential for increased financial benefit will see cybercriminals continue to ramp up their activities and develop more advanced and sophisticated modi operandi.”

Individuals have increasingly been the targets of cyberattacks as the pandemic caused lockdowns and workers began connecting from remote connections, according to statistics compiled by cybersecurity company CYE. In April of 2020, individuals were targeted in 35% of the attacks, up from 19% a year earlier. Healthcare organizations also saw a sizeable jump as targets, reaching 16% of the total in April, up from 12% in 2019.

The challenge for organizations that are likely targets for cyber crime is, of course, how to prevent it. As history has shown, that’s a difficult proposition. And in the new age of working that COVID-19 has created, the stakes are very high.

Failure is expensive

Failing to protect systems can be expensive, as a report by the Ponemon Institute shows. While the average cost of a breach has declined slightly since 2019, it’s still a big number at $3.86 million. The report, which is based on interviews with 3,211 individuals and studies of 507 companies, revealed that having a remote workforce increases the average cost by nearly $137,000.

Lost business is the biggest cost factor in a breach, averaging $1.52 million or 40% of the cost, according to the report. Larger enterprises are the worst hurt, with those with more than 25,000 employees reporting an average breach cost of $5.52 million. Companies with fewer than 500 workers averaged $2.64 million.

Preparedness pays off

The biggest cost-saver for organizations hit by cyber attacks comes from work done before the incident. Those with an incident response team and extensive testing of their response plans could save more than $1.2 million, according to the Ponemom Institute. Testing through tabletop exercises or simulations in an environment such as a cyber range can help teams respond faster and potentially contain a breach sooner.

Automated security solutions with artificial intelligence, machine learning, analytics and automated incident response capabilities are good investments in the battle against cyber thieves. Systems without such automated features experienced breach costs that were 95% higher than at organizations that had them in place, the Ponemon Institute reported.

Many data breaches occur because cloud security settings are misconfigured or credentials are compromised. Other vulnerabilities less common but just as serious are weaknesses in third-party software that allow a hacker access, phishing attempts and the acts of a malicious insider.

The spike in attacks during the pandemic has highlighted the need for preparedness. The rise of remote work makes responding to a potential data breach much more difficult, according to 76% of organizations surveyed in the “Cost of a Data Breach” report released earlier this year by IBM Security. The cost of a data breach attributed to remote working would be higher than otherwise, 70% of the respondents said.

The ransomware challenge

Among the most chilling breach scenarios occurs when a user powers up only to discover that the system is being held hostage to criminals demanding a ransom to release it. There are, however, steps companies can take to prepare for and recover from ransomware attacks.

Ransomware attacks are a high-reward, low risk activity that don’t require a lot of expertise and effort to execute. Ransomware toolkits are easy to apply and are available on the dark web. In many countries, companies underestimate this threat and it is important that Boards and senior management understand how to manage potential ransomware attacks.

Zurich recommends carrying out a business impact analysis to identify which business processes, systems and data are the most valuable and need to be secure from the threat of ransomware attacks. This step is the first of a five-dimension approach to managing cyber risk, mirroring a strategic framework developed by the National Institute of Standards and Technology in the U.S. The remaining dimensions call for companies to:

• Protect. Use technology-based solutions to detect and block corrupted or malicious traffic. Training of employees is particularly effective in reducing such attacks as phishing campaigns.
• Detect. Adopt continuous monitoring solutions that spot anomalous activity.
• Respond. No matter how well employees are trained or how vigilantly systems are monitored, a malicious link will at some point be activated. An incident response plan will trigger actions to be taken. These plans should be regularly tested.
• Recover. Continuously back up critical systems and data and have a recovery plan in place.

Cyber risk is here to stay and no amount of risk management will completely eliminate it. By 2021, cybercrime damages could reach $6 trillion, according the World Economic Forum’s Global Risks Report 2020, produced in collaboration with Zurich. With figures that staggering, there’s no time to waste in taking a vigorous approach to managing the risk and transferring some of it to insurers or other risk-funding mechanisms, in order to fully benefit from the growth opportunities that the digital world has to offer.

By Paige Adams, Chief Information Security Officer, Zurich Insurance Group