Why Digital Risks Persist

Cyber incidents have become an inevitable cost of doing business in the digital economy, but they don’t have to be business-ending events. The cyber landscape is constantly evolving, and 2022 proved no different. The following key changes in cyber incidents impacted organizations of all sizes this last year.

Small businesses are still a top target. Small businesses remain especially vulnerable to cyberattacks. Even though Coalition data revealed that claims severity decreased by 8% for H1 2022 compared to H2 2021 and claims frequency decreased by 7% over the same period, businesses are not out of the woods yet.

Claims severity remains in the six-figure range at $175,258, a large amount of money for any business to pay, especially for small businesses with lower annual revenue. For small businesses specifically, the average cost of a claim was significantly high, at $139,000.

While many small business owners do not see themselves as targets, threat actors will always go after organizations that appear easier to attack. For example, if a business does not have the resources to patch a known vulnerability quickly, a threat actor can take advantage and exploit it, often through relatively simple means.

The reason is simple: Attacks on small businesses continue to rise due to limited human, financial, and technological resources that can often prevent or ward off attacks before they happen. The irony is that these same businesses often lack the digital infrastructure and financial support needed to recover from an attack quickly, making this a one-two punch situation.

Ultimately, it is crucial for small businesses to take steps to prioritize understanding their cyber risks and decrease their overall risk profiles.

Threat actors continue to exploit the human element. Employees are more aware than ever of cyberattacks. However, many people still are not practicing proper cyber “hygiene” to mitigate these digital threats. As a result, phishing attacks are easy to execute (and easier to overlook), leading to costly incidents.

Threat actors have historically found email easy to exploit. Called a business email compromise (BEC), it’s a simple “click-here” campaign that has always had surprising success. Employees find themselves in a predicament about what to believe and often fall prey to the attack.

When a BEC attack occurs in-office, people can walk down the hall and ask their coworkers about suspicious activity. But with remote work, organizations may not be able to rely on their social safety nets to mitigate these attacks, which is all the more reason businesses must remain vigilant.

According to Coalition’s research, phishing accounted for over half of reported claims and can often lead to funds transfer fraud (FTF) claims. With FTF, threat actors trick employees into making seemingly legitimate business payments, then redirect those payments to their own accounts.

Unlike a ransomware event in which a company may have the opportunity to negotiate with a threat actor, FTF has no such luxury. Instead, FTF claims are particularly tricky to remedy because once the money is routed to a threat actor, the threat actor will start transferring money out of the account in question immediately. With that, the company will watch the ability to recover funds get transferred away, too.

Given this, and due to the ease of the underlying crime, FTF has become one of the easiest ways for attackers to monetize a cybercrime. It is worth noting that transferring the funds out of a receiving account takes time, so companies can recover funds if they move fast, usually within 48-72 hours of the transfer.

To assist in the recovery of funds, a company may seek the help of law enforcement, the organization’s banking partner, or both to freeze the funds. Sadly, while recovering funds is a wonderful feeling, and it may seem like the end of the incident, it’s critical to address the underlying cause.

Education and training are ways to combat these types of cyberattacks, but organizations must use them in addition to other preventative measures—people are only human, after all, and will make mistakes.

Implementing simple, proactive security controls such as multi-factor authentication (MFA) can easily prevent these attacks from occurring in the first place. This extra verification level alerts employees and their organizations to any trespass attempt and will buy organizations time to stop the attack before it escalates. Organizations that understand these risks should implement security controls, like MFA, that are designed to help secure email tools, minimize exposure, and protect employees.

Microsoft Exchange vulnerability still looms large. Microsoft Exchange continued to be an exploitable attack surface in 2022, which remained unchanged from the year prior. In 2021, Microsoft disclosed an exploitable condition, ProxyLogon, found in publicly accessible Microsoft Exchange servers. Then, in August 2021, another vulnerability related to on-premises Exchange, ProxyShell, was discovered. According to Coalition’s report, having an unpatched, on-premises version of Microsoft Exchange increases the chance of a claim for small businesses by a staggering 119%.

Now, in September 2022, researchers published new information about two Microsoft Exchange zero-day vulnerabilities dubbed ProxyNotShell. These newly discovered vulnerabilities are a reason for concern for organizations since, at the time of writing this article, there is currently no patch for the issue.

Keeping the business’ Microsoft Exchange up to date is crucial for mitigating these risks. Companies should also work with their IT teams to apply the required patches as soon as they are made available.

Businesses in the supply chain can fall like dominos. Manufacturing and industrial businesses related to the supply chain continue to top the charts as the most targeted industries. These industries are also some of the last to execute digital transformations, often sitting comfortably with technologies that they have utilized for decades.

Moreover, the pandemic forced many manufacturing and industrial businesses to integrate much of their operational technology (OT) with their informational technology (IT) to keep their operations running. This integration can disrupt existing systems.

These businesses are critical not just to technology supply chains, like semiconductor production, but also across all global supply chains. Any sort of disruption that forces these businesses offline can result in a ripple effect worldwide.

Nonprofits remain vulnerable. In the first half of 2022 alone, there was a staggering 57% increase in claims frequency for nonprofits. This statistic is alarming mainly because the lack of resources these organizations have is likely the cause, rather than threat actors explicitly targeting them in the first place. Threat actors do not care if a business they are attacking is a nonprofit, a small business, or a larger corporation—they are opportunistic and will go for the easiest targets.

Nonprofits often lack the technology and financial resources to remain vigilant to cyberattacks or patch issues. They may push off updates or patches, but by then, the threat actors will already be in the systems and have free rein to wreak havoc. These patches and updates are often relatively easy to apply and should be prioritized. Otherwise, organizations may face downtime, which may negatively impact the people receiving help.

Ransomware is down. Data reveals a slight decrease in both ransomware frequency and severity in H1 2022 compared to H2 2021. But the biggest shift is the decrease in both ransom demands and payments. Demands decreased from $1.3 million in H2 2021 to $896,000 in H1 2022. This data follows other industry research from Coverware and Verizon, showing a decrease in ransomware payment frequency and amounts.

The likely reason for the ransomware decline is that companies have implemented various security controls, such as offline data backups, to restore operations without paying a ransom. Changing attitudes and more resources for insureds to bolster their resilience also contribute to the decrease.

Businesses do not want to pay criminals for access to their own systems, and increased awareness and knowledge of ransomware attacks have put many on the offensive. As a result, they have implemented ways to circumvent the threat actors and restore and rebuild from backups. While claims have decreased, we know that, based on experience, cybercriminals will continually adapt and find new ways to exploit victims.

Findings highlight the fluid nature of digital risks. While 2022 has brought a decrease in cyber claims, it remains to be seen whether this is an actual downward trend or if claims are returning to baseline levels after a dramatic spike due to the pandemic. If the past tells us anything, we know that change is the only consistency in cybersecurity.

Regardless, it’s paramount that organizations take an active approach to managing risk to find stability and protection in this ever-changing cyberthreat landscape. The fluid nature of digital risks highlights the need for an active approach to managing risk.

Claims management needs to adapt to match sophisticated, evolving attack methods and threat actors. We can no longer just pay a claim if an attack occurs. Instead, we must transition to an active process in which claims professionals manage and decrease risks before a claim occurs. This active approach to insurance is necessary to mitigate any sized organization’s risk exposure and remain protected.