How risk managers can tackle cyber threats as boardrooms get distracted by other risks

The economic impact of cybercrime on businesses across the globe continues to reach new levels.

In fact, the cost is predicted to reach US$12.43 trillion by 2027, according to data from Statista, compared to just $0.7trillion in 2017.

Despite this, boardroom focus on cyber risk appears to be diminishing, according to a report from Beazley.

The specialist insurer’s latest Risk & Resilience report: Spotlight on: Cyber & Technology Risks 2023, shows how perceptions around cyber risks are changing the global business risk landscape.

The perceived threat of cyber risk to global business leaders peaked in 2021 at 34%.

Over the past two years, it has dropped to just 27%. In 2024, it is predicted to remain at 27% whilst business preparedness for this risk continues to decline.

As cyber fears decrease, the technological risk landscape has fragmented, with executives nearly as concerned about the perceived threat posed by disruptive new technologies, such as AI.

”The economic impact of cybercrime on businesses across the globe continues to reach new levels, with the cost predicted to reach US$10.5 trillion by 2025.”

Failing to keep pace with technology and adapting to new innovations is an issue that 26% of global business leaders identified as their key technological concern, yet resilience to this threat is on the decline and more than a fifth (21%) of all businesses feel they cannot maintain the pace of change.

Leaders are also turning their attention to other concerns such as the risk of theft of their intellectual property (IP) with 24% of business leaders ranking it as their top risk in 2023, more than double what it was in 2021 (11%).

IP theft has also become the cyber and technology risk for which businesses across the world feel least prepared, with more than one in four businesses (26%) reporting they feel ill-equipped to mitigate this risk.

What does this mean for risk managers?

The worrying decline in interest from boards when it comes to cyber risk, should sound alarm bells for risk managers.

After a relatively quiet end to 2022, the frequency of global cyber-attacks rose in Q1 2023, with notable month-to-month increases in incidents.

Resurgent cybercriminal organisations are also taking advantage of new technologies.

An example of this is the use of Artificial Intelligence, as it makes it easier for ‘deep fake’ emails, photographs and videos to be created that can be used to make spear phishing attacks more credible.

”Cyber risk fatigue could be creating a risk blind spot for some businesses, or they are being distracted by other risks on their radar.”

As cyber criminals are becoming more sophisticated, risk managers are likely to experience a possible uptick in the severity and frequency of attacks on their organisations.

Jad Nehme, client experience manager, cyber risk at Beazley said: ”We are seeing cyber-criminal gangs in Russia and Ukraine re-grouping as the criminals look to recoup lost profits, following a pause in activity at the start of the conflict.

”However, our data shows that C-suite concerns around the cyber threat are dropping. Conversely, their perceived resilience to this threat has not strengthened, instead, it has fallen to 74%, down from 80% just last year.

”Revealing that cyber risk fatigue could be creating a risk blind spot for some businesses, or they are being distracted by other risks on their radar.”

What steps can risk managers take to minimise, mitigate or transfer the threats?

Good basic security hygiene is essential.

Risk managers must take basic steps such as securing what is exposed to the internet and visible to threat actors, and enabling multi-factor authentication.

This is a good start to help prevent most opportunistic attacks.

It’s also important that any web applications are built with security in mind, and it’s good practice to run penetration testing to identify weaknesses before threat actors do.

Cloud environments require special attention as configuration mistakes are easy to make, and consequences are often catastrophic.

”The benefits of a Defence in Depth strategy are borne out in our underwriting and claims statistics.” 

Quick patching remains key in protecting against newly discovered vulnerabilities that are often exploited in an automated fashion, sometimes 15 minutes after they are publicly disclosed.

Nehme says that ultimately, adopting a ‘Defence in Depth’ strategy, which takes a holistic view of cyber security, and sets up multiple layers of defence against potential attacks is the best form of defence.

This approach forces organisations to assume a breach and implement the needed controls to limit its impact.

A Defence in Depth strategy includes a number of measures including - ensuring security patches are installed as they become available, for both exposed and non-exposed servers and limiting users’ permissions and access to role-based needs.

Having a hardened security configuration of systems, applications and cloud resources should be included, as well as limiting network connections to the bare minimum and having automatic detection and response capabilities (such as Endpoint detection and response).

””It is important that risk managers are not lulled into a false sense of security following the brief decline in activity due to the war in Ukraine.” 

Alongside these measures incident response and disaster recovery plans should be developed and regularly tested.

In addition, don’t overlook backup systems – as they need to be able to resist a ransomware attack.

Don’t forget, if your IT admins can modify or delete backups, so can a threat actor. A secure backup solution is one that does not allow any user to alter backups once written.

Nehme said: ”The benefits of a Defence in Depth strategy are borne out in our underwriting and claims statistics. It is a proven and highly effective strategy approach to mitigate the rising tide of cyber-attacks and incidents.

”In our research, we found that more than a third of the businesses we surveyed (36%) plan to invest in cyber security this year, and the growing awareness that more needs to be done is welcome.

”It is important that risk managers are not lulled into a false sense of security following the brief decline in activity due to the war in Ukraine. They must stay vigilant, constantly reviewing their infrastructure in order to identify and plug vulnerabilities.”