March 8, 2021 by Jason Contant
Businesses falling victim to cyberattacks often don’t realize that the value of data they store is not what’s important to hackers, it’s the value of the data to the company, Crawford & Company (Canada) said in a recent whitepaper.
“It doesn’t matter that you don’t store personal information,” said Neal Jardine, cyber practice leader at Crawford Canada. “It’s not about the data that you store: you are a business that makes money using data and that makes you a target.
“What people don’t realize is that it’s not the value of the data to the hackers that matters — it’s the value of the data to you. What you would pay to get that data back.”
In the past, ransom attacks were the most common type of cyberattack, noted the report, Lessons from a Front Line Cyber Adjuster. But now hackers are using phishing (i.e. sending a fraudulent email, masked as a trustworthy one, that attempts to obtain sensitive information like usernames, passwords, and credit card details) and psychological tactics to breach computer systems.
“Hackers used to be more disengaged and used a ‘spray and prey’ approach with ransomware to extort their victim and commit crimes,” Jardine states in the paper. “But now criminals are targeting employees in influential roles within a company to commit more complex attacks, leading to higher payouts. Through phishing, threat actors can harvest login credentials. Once they have those credentials, they can use them to socially engineer wire transfer fraud events on clients, employees and customers of the insured.”
Examples like these are becoming more common, cyberattacks are growing in number, and the average cost of an attack is increasing, the paper notes. In 2018, the average cost of an event ranged from $44,000 to $162,000 for medium-sized companies (50 to 249 employees) and large companies (250 to 999 employees), respectively, Crawford Canada reported. In 2019, that figure rose drastically to the range of $184,000 to $715,000 for medium-sized and large companies, respectively.
Cyberattacks are becoming more frequent; so much so that criminals are running it like a business, Jardine said. Attackers are developing software so that they can they sell their crimes as a service.
Assessing cyber risk goes beyond looking at the price tag of a security breach, Jardine says. “If a breach happens, the aftershock will permeate the whole business. The risk has to be treated seriously at the boardroom level and throughout the organization because, when a breach happens, it will have a ripple effect throughout the company.”
Companies’ risk managers have to understand the intricacies of their cyber insurance policy, Jardine says. The cyber insurance landscape is in flux, and coverage continues to evolve.
“Historically, cyber coverage was built out of the need for business interruption during the ‘dot-com’ era. Now we are seeing coverage expand to include supply chain interruption and the new attack vectors of threat actors. Eventually, we are likely to see coverage turn to an all-risk product subject to exclusion — but the industry is not quite there yet.”
Feature image by iStock.com/Chainarong Prasertthai