While technology matures with each passing day, the most ominous cyber threats for most individuals and businesses are also the most common.
“The majority of cybercrimes are far less complex than you may think,” said Adam Tyra, At-Bay’s general manager of security services.
“There are surely advanced threat actors who are devising new forms of malware, but they are generally not causing a lot of cyber breaches that are plaguing businesses across the board.”
During an interview with Insurance Business at RIMS Atlanta in May, Tyra spoke about why cyber attackers are still clinging to tried and true vulnerabilities, how generative AI can be of use to the industry and the way insurance companies can help technology producers to build safer products.
As a security professional, Tyra has heard many conversations about the rate of technological development in relation to the growing concern of cyber attacks.
“During these talks, there is a need to continuously push the conversation forward in order to get ahead of threat actors,” he said.
However, when working on the ground, these insider talking points remain relatively moot.
Instead, the bulk of actual incidents of cyber-attacks are relatively modest.
“These pervasive threats are more casual,” Tyra said. “Sophisticated hackers definitely exist, but they are targeting much larger and more resourceful corporations with robust securities teams.”
Attackers are much more successful at carrying out phishing campaigns, botnets and mundane tactics that are still successful at preying on vulnerabilities related basic cyber hygiene failure.
“A list compiled by the US government of the top 10 vulnerabilities to be aware of included something that was discovered in 2017,” Tyra said.
“Six years later, outdated and simplistic cyber-attacks are still relevant.”
This is proving to be quite lucrative for hackers, since technical sophistication is not needed to carry out ransomware, phishing or other malicious attacks.
“Until individuals and businesses, especially at the small to mid-range, adopt more vigilant behaviour, these casual threats will be profitable and pervasive,” Tyra said.
Similar to the insurance industry, the security profession is also experiencing a crippling talent shortage.
“Colleges aren't putting out more people for doing security. The military's not putting out more people,” Tyra said.
This creates an issue for companies, especially insurers, who are looking to incorporate more security professionals to help buttress their operations and provide necessary insight to prevent hacking.
When the topic of ChatGPT and other generative AI was brought up, especially on how the insurance industry might react to this hot topic technology, Tyra was relatively optimistic.
“Generative AI can be very useful for insurers,” he said.
Most of the conversations Tyra is having with companies providing cyber coverage are uncomplicated.
“We get a lot of people asking what multi-factor authentication (MFA) is and how to deploy it, which is a relatively straightforward question to answer,” Tyra said.
Using ChatGPT or other generative AI can provide good insight into the benefits of MFA and nudge businesses in the right direction of acquiring it.
“One of the top reasons losses occurs is not having adequate access controls, which includes multi-factor authentication,” Tyra said.
While this may seem common sense to his peers, Tyra noted how the benefits of this essential security measure is not as widespread. As a result, generative AI can help impart some necessary education on the subject.
When looking at the current state of technology production and deployment, one thing Tyra has witnessed is that fear is not working as a control mechanism for more secure products.
“People are scared of cyber losses, but that is not effective at getting these companies to make technology with a risk prevention mindset in place,” he said.
Additionally, governmental intervention has not successful in creating legislation to help standardize technological output.
However, when analyzing the insurance industry, Tyra noted how it has historically had a role in regulating other types of risk.
“Insurers were able to make using a seatbelt standard practice, both socially and legislatively,” he said.
“This is largely due to pressure from the insurance industry, who had to pick up the pieces in the wake of accidents and other auto-related incidents.”
Thus, Tyra does not find it far fetched that with the persuasive regulatory rhetoric of the industry, that insurers would have influence over technological producers to make more secure products and services.
“I’ve worked as a security professional for quite some time,” Tyra said.
“And I rallying together like this and using our resources to help enact greater change has the potential to help in the long term.”