Human error, inaction top cyber vulnerabilities – report

Policyholders with even one unresolved critical vulnerability are 33% more likely to experience a claim


By Ryan Smith

Cyber policyholders with even one unresolved critical vulnerability are 33% more likely to experience a claim, according to a new report from cyber insurance provider Coalition.

Coalition’s 2023 Cyber Claims Report also found that policyholders who continued to use end-of-life software – products that are no longer supported by their original developer – were three times more likely to suffer a cyber incident. This held true regardless of the organization’s size.

“Threat actors are forever looking for targets with weak security controls or unprotected infrastructures – these are the paths of least resistance into a company’s network,” said Catherine Lyle, head of claims at Coalition. “Unfortunately, that’s why human inaction, such as not patching a publicized critical vulnerability or updating out-of-date software, is a high risk factor for a cyber incident or cyber claim.”

The Cyber Claims Report also found that human error is as much a risk driver as inaction. Phishing accounted for 76% of reported cyber incidents – more than six times greater than the next most common technique. Overall phishing-related claims have spiked by 29% since the beginning of last year, Coalition found.

Phishing often leads to funds transfer fraud (FTF) or business email compromise, but is also the number-one path used to breach a company’s system for any purpose, the report said.

“It’s a straightforward but critical recommendation: setting up multi-factor authentication is one of the best ways to prevent attackers from getting into an organization’s network because it provides the person protection even when security is not top of mind,” Lyle said. “For the majority of Coalition’s phishing-related cases, multi-factor authentication would have stopped access and prevented a claim.”

Other key findings include:

  • Overall claims frequency fell by 22% from 2021 to 2022
  • FTF frequency fell slightly last year after spiking by 23% in 2021. FTF severity flattened in 2022 after surging by 68%
  • When policyholders alerted Coalition to an FTF event, Coalition successfully recovered 66% of lost funds
  • Ransomware claims frequency tumbled 54% year over year. Ransomware demands also dropped, from $1.2 million in 2021 to $1 million in 2022
  • Last year, Coalition successfully negotiated ransom payments down for policyholders to an average of 27% of the initial demand

Last month, Coalition announced the launch of a new AI initiative to defend against cyber threats. The company also recently released a new model for understanding cyber risk aggregation.
