The COVID-19 pandemic ushered a 360-degree shift in business operations, with many companies switching to remote operating models almost overnight. This urgent transformation has intensified commercial cyber risk and placed extra onus on business leaders to shore up their cyber security.
Unfortunately, Aon’s latest cyber report - 2021 Cyber Risk Report: Balancing Risk and Opportunity Through Better Decisions – found that many companies are ill-equipped to navigate the new exposures arising from the rapid digital evolution. Only 17% of organizations reported having adequate application security measures, such as secure development training for developers, software management and regular penetration testing to close cyber security gaps. On a more positive note, 60% of organizations reported having sufficient network security measures to manage new digital connectivity.
According to Aon, many companies hover dangerously close to being at an initial – or nascent – stage of cyber security maturity. This is as true in Canada as it is elsewhere around the world. Katharine Hall, Aon’s cyber solutions leader in Canada, said there’s lots of room for “meaningful and impactful improvement for almost every single Canadian company,” and the need has only become more urgent amid the rapid digital evolution triggered by the COVID-19 pandemic.
“The evolution of how we work and how we connect to people really caught most organizations flat-footed, and so they’re trying to catch up from a technical perspective, but they haven’t necessarily kept up from a cyber security, monitoring, or even from an understanding perspective,” she told Insurance Business. “In Aon’s 2021 Cyber Risk Report, only 17% of organizations reported having adequate security measures – and that’s people self-reporting. What we often find when dealing with insureds is that what they think is adequate is not actually adequate from an insurance perspective.
“The other piece of it is we have really haven’t seen companies embrace the fact that cyber is not just an IT risk; it needs to be treated as an enterprise-wide risk, and most businesses aren’t necessarily good at thinking about it in that way yet. It’s the new way of looking at cyber risk.”
As companies adapted to the ‘new normal’ of remote working, they left inevitable gaps open in their cyber security, which threat actors were quick to exploit. The vast extent of that exploitation really came to light by the end of 2020, when Aon reported ransomware activity up 486% from the first quarter (Q1) of 2018 to Q4 of 2020.
“A lot of ransomware attacks were linked to COVID-19,” said Hall. “You’ve got people working from home for the first time, they’re home-schooling, they’re stressed and distracted – and so they click on things they shouldn’t click on. At the beginning of the pandemic, as society was getting used to these new patterns, there was a whole host of opportunities for threat actors, which is why we saw ransomware and other social engineering and business email compromise attacks shoot through the roof.”
When considering ransomware, or cyber risk of any kind, it’s important for organizations to take a holistic and continuous approach to mitigation, Hall stressed. The way cyber threats are continuously evolving, any action taken to remediate cyber vulnerabilities today could be out-of-date by tomorrow, which is why companies need to stay appraised of the risk landscape. With ransomware, for example, there’s a new trend of double extortion, whereby criminals are encrypting data, accepting a ransom for de-encryption, and then publishing the stolen data anyway.
“It used to be that hackers would send out mass phishing emails and their victims were on the hook for $5,000 to get their information back,” Hall commented. “But the threat landscape has evolved. These days, it’s not uncommon for a threat actor to infiltrate a system, stay there for a while and have a good look around to see what they can extort you for, and then they typically ask for around 10-20% of last year’s revenue. If they figure out that you’re a big company, they’ll ask for more. So, they’re no longer taking a broad-brush approach; they’ve become much smarter, much more discerning, and their attacks are targeted. And no industry sector is immune; everybody is at risk.”
