In its latest Risk Barometer, Allianz reveals that cyber incidents have claimed the top spot as the foremost global business risk for 2024.
It was the third consecutive year that cyber incidents and business interruption ranked in first or second place. Cyber incidents also ranked as the top corporate risk in the U.S., Allianz said.
- Data breaches, attacks on critical infrastructure or physical assets, and increased ransomware attacks drive cyber concerns (36% of responses)
- Business interruption remains #2 with 31% of responses.
- Natural catastrophes are the biggest riser compared to 2023, ranking #3 with 26% of responses.
- Risk perception differs regionally for climate change, political risks and violence, and shortage of skilled workforce
Large corporates, mid-size, and smaller businesses are united by the same risk concerns – they are all mostly worried about cyber, business interruption and natural catastrophes. However, the resilience gap between large and smaller companies is widening, as risk awareness among larger organizations has grown since the pandemic with a notable drive to upgrade resilience, the report notes. Conversely, smaller businesses often lack the time and resources to identify and effectively prepare for a wider range of risk scenarios and, as a result, take longer to get the business back up and running after an unexpected incident.
Cyber threats are constantly evolving as hackers gain access to new technologies or find new ways to exploit old vulnerabilities, Allianz said in the report.
“Hackers are beginning to use artificial intelligence (AI) powered language models to increase the speed and scope of ransomware attacks, as well as create new malware and produce highly convincing phishing emails and deep fakes. Such attacks are likely to proliferate during 2024,” the report said.
TRENDS DRIVING CYBER ACTIVITY IN 2024
Following two years of high but stable loss activity, 2023 saw a worrying resurgence in ransomware and extortion losses, as the cyber threat landscape continues to evolve.
It’s little wonder that companies rank cyber risk as their top concern (36% of responses – 5 percentage points ahead of the second top risk) and, for the first time, across all company sizes: large (>$500mn annual revenue), mid-size ($100mn+ to $500mn), and smaller (<$100mn).
It is the top peril in 17 countries, including Australia, France, Germany, India, Japan, the UK, and the USA. A data breach is seen as the most concerning cyber threat for Allianz Risk Barometer respondents (59%) followed by attacks on critical infrastructure and physical assets (53%). The recent increase in ransomware attacks – 2023 saw a worrying resurgence in activity, with insurance claims activity up by more than 50% compared with 2022 – ranks third (53%).
Ransomware on the rise
By the start of the next decade, ransomware activity alone is projected to cost its victims $265bn annually. Activity surged by 50% year-on-year during the first half of 2023 with so-called Ransomware-as-a-Service (RaaS) kits, where prices start from as little as $40, a key driver. Gangs are also carrying out more attacks faster, with the average number of days taken to execute one falling from around 60 days in 2019 to four. Ransomware claims activity was up by more than 50% year-on-year in 2023.
Most ransomware attacks now involve the theft of personal or sensitive commercial data for the purpose of extortion, increasing the cost and complexity of incidents, as well as bringing greater potential for reputational damage. Allianz Commercial’s analysis of large cyber losses (€1mn+) in recent years shows that the number of cases in which data is exfiltrated is increasing – doubling from 40% in 2019 to almost 80% in 2022, with 2023 activity tracking even higher.
“Protecting an organization against intrusion is a cat and mouse game, in which the cyber criminals have the advantage,” says Rishi Baviskar, Global Head of Cyber Risk Consulting, Allianz Commercial. “Threat actors are now exploring ways to use artificial intelligence (AI) to automate and accelerate attacks, creating more effective malware and phishing. Combined with the explosion in connected mobile devices and 5G-enabled Internet of Things (IoT), the avenues for cyber-attacks look only likely to increase in future.”
Data breach is the cyber exposure of most concern, followed by cyber-attacks on critical infrastructure and physical assets and the increase in ransomware attacks. In the context of turbulent geopolitics and the ever-deepening reliance on digital devices, the potential shutdown of critical infrastructure is likely to become a much more concerning risk for businesses in future, respondents believe.
The power of AI (to accelerate cyber-attacks)
AI adoption brings numerous opportunities and benefits, but also risk. Threat actors are already using AI-powered language models like ChatGPT to write code. Generative AI can help less proficient threat actors create new strains and variations of existing ransomware, potentially increasing the number of attacks they can execute. An increased utilization of AI by malicious actors in the future is to be expected, necessitating even stronger cyber security measures.
Voice simulation software has already become a powerful addition to the cyber criminal’s arsenal. Meanwhile, deepfake video technology designed and sold for phishing frauds can also now be found online, for prices as low as $20 per minute.
Mobile devices expose data
Lax security and the mixing of personal and corporate data on mobile devices, including smartphones, tablets, and laptops, is an attractive combination for cyber criminals. Allianz Commercial has seen a growing number of incidents caused by poor cyber security around mobile devices. During the pandemic many organizations enabled new ways of accessing their corporate network via private devices, without the need for multi-factor authentication (MFA). This also resulted in a number of successful cyber-attacks and large insurance claims.
“Criminals are now targeting mobile devices with specific malware to gain remote access, steal login credentials, or to deploy ransomware,” says Baviskar. “Personal devices tend to have less stringent security measures. Utilizing public wi-fi on such devices can increase their vulnerability, including exposure to phishing attacks via social media.”
The roll-out of 5G technology is also an area of potential concern if not managed appropriately, given it will power even more connected devices. However, many IoT devices do not have a good record when it comes to cyber security, are easily discoverable, and will not have MFA mechanisms, which, together with the addition of AI, presents a serious cyber threat.
Security skills shortage a factor in incidents
The current global cyber security workforce gap stands at more than four million people, with demand growing twice as fast as supply. Gartner predicts that a lack of talent or human failure will be responsible for over half of significant cyber incidents by 2025. Shortage of skilled workforce ranks joint #5 in the top concerns of the media sector and is a top 10 risk in technology in the Allianz Risk Barometer.
It is difficult to hire good cyber security engineers, and without skilled personnel, it is more difficult to predict and prevent incidents, which could mean more losses in the future. It also impacts the cost of an incident. Organizations with a high level of security skills shortage had a $5.36mn average data breach cost, around 20% higher than the actual average cost, according to the IBM Cost of a Data Breach Report 2023.
Early detection is key
Preventing a cyber-attack is therefore becoming harder, and the stakes are higher. As a result, early detection and response capabilities and tools are becoming ever more important. Investment in detection backed by AI should also help to catch more incidents earlier. If companies do not have effective early detection tools, this can lead to longer unplanned downtime and increased costs, and have a greater impact on customers, revenue and reputation.
The lion’s share of IT security budgets is currently spent on prevention with around 35% directed to detection and response.
“However, if undetected, an intrusion can quickly escalate, and once data is encrypted and / or stolen, the costs snowball – as much as 1,000 times higher than if an incident is detected and contained early. The difference between a €20,000 loss turning into a €20mn one,” explains Michael Daum, Global Head of Cyber Claims at Allianz Commercial.
SMEs the increasing sweet spot
For smaller and mid-size companies (SMEs), the cyber risk threat has intensified because of their growing reliance on outsourcing for services, including managed IT and cyber security providers, given these firms lack the financial resources and in-house expertise of larger organizations.
As larger companies have ramped up their cyber protection, criminals have targeted smaller firms. SMEs are less able to withstand the business interruption consequences of a cyber-attack. If a small company with poor controls or inadequate risk management suffers a significant incident, there is a chance it might not survive.
“SMEs should remain vigilant and have a clear understanding of the risks involved and allocate ample resources in terms of personnel, IT infrastructure, and budget to implement the required security measures,” says Rishi Baviskar, Global Head of Cyber Risk Consulting, Allianz Commercial.
“Initiating a conversation with an MSSP [Managed Security Service Provider] can serve as an excellent initial move, allowing for the creation of an IT budget and strategy tailored to the business’s specific priorities.”
Businesses can take a proactive approach to tackling cyber threats by ensuring their cyber security strategy identifies their most crucial information system assets. Then, they should deploy appropriate detection and monitoring software, both at the network perimeter and on end-points, often involving collaboration with cyber-security service partners, to uncover and nullify threats attempting to gain network access.
Source: Allianz Risk Barometer