Cyberattacks have turned into more targeted and sophisticated affairs. The days of hackers using the old-school spray and prey approach, where they infiltrate a network and then splatter malicious software hoping to entice and extort random victims, are slowly dying away.
In their place, a much more concerning trend has emerged. Today, cyber threat actors are frequently using social engineering to target employees in influential positions within a company – such as those in the C-suite or in key operational roles like HR and accounting – and commit more complex cyberattacks leading to higher payouts.
“Hackers used to get into a network, encrypt the data, and move on,” said Neal Jardine, senior general adjuster, Crawford & Company (Canada). “Now, they’re gathering information from one breach in order to start the next. They’re targeting specific individuals within a company, and they’re stealing their contact lists in order to expand their attacks and increase their chances of success.”
Cyber security experts have long preached that cyber risk is industry agnostic. In the spray and prey days, hackers used to prefer targeting data-heavy industries, like healthcare and financial services, because they’re often the most eager to get their data back.
Jardine wrote in a recent Crawford & Company whitepaper entitled ‘Lessons from a Front Line Cyber Adjuster’: “It’s not about the data that you store: you are a business that makes money using data, and that makes you a target. What people don’t realise is that it’s not the value of the data to the hackers that matters – it’s the value of the data to you: what you would pay to get that data back.”
But this relatively new method of targeting individuals is much more expansive, and it puts more companies at risk. Today, really any company or individual with exposure to the internet is a potential target.
“The risk is expanding into certain aspects of companies, like finance and accounting,” Jardine told Insurance Business. “If a hacker manages to steal an email list, they can cross reference that list with LinkedIn and they’ll know very quickly what department someone works in. For example, they might go after someone who works in accounts receivable. If they get into that person’s computer, they can then start sending out fake emails and invoices to that company’s suppliers and vendors, which broadens the scope of their attack.”
As the scope of cyberattacks has expanded, so have the costs, especially when it comes to ransomware and extortion – when threat actors use malicious software that threatens to publish victims’ data or block access to it until a ransom is paid.
In the past year, ransomware demands have skyrocketed to the extent that it’s not unusual to see seven- or eight-figure demands against large companies. Unfortunately, the financial pain does not end with the ransom. According to Jardine, hackers have started engaging more in data exfiltration – the unauthorised transfer of sensitive information from a target’s network to a location controlled by the threat actor. In some cases, hackers are demanding one chunk of payment for data de-encryption and another to stop them from publishing that data on the internet. But who can hold a hacker to their word?
“One concerning trend is the amount of data that’s being posted on the internet even after ransoms have been paid,” Jardine told Insurance Business. “I think we’re going to see more of that moving forward, and we’re going to end up seeing more publicly-known data breaches [stemming from ransomware attacks] because hackers are going to release the data anyway.”
There is some speculation in the industry around whether cyber insurance is both helping and hindering the growing ransomware and extortion problem. If hackers know they’re likely to get some form of payment – even if it’s negotiated down by a breach coach – they could be more brazen in terms of what they do with the data following an attack.
“Part of me wonders if it’s the hackers saying: ‘You’ve been able to pay a ransom and keep this quiet, which means you haven’t really upgraded your security properly, so we’re just going to tell everyone about this breach, and that’s going to force you to secure people’s data better.’ Who knows what their reasoning is, but that’s what I think the next big cyber trend could be: hackers releasing data and then naming and shaming regardless of the ransom payment,” said Jardine. “That’s a worldwide issue. Hackers don’t care about borders; we’re all in this together.”