Ransomware has been a hot topic in the cyber industry for several years, but cyber criminals are finding ways to keep it relevant.
“Ransomware, I would say, is decreasing in [frequency] and going further into sophistication,” said Dr. Magda Chelly, managing director and chief information security officer of cybersecurity organization Responsible Cyber, on this episode of The Insuring Cyber Podcast.
She added that as many countries are beginning to regulate ransomware more closely and discourage ransom payments, criminals have found other ways to extort businesses.
“We call it double extortion or even triple extortion, where instead of just encrypting the data and blocking it, they will steal data or find other ways to make sure that companies have no other way but to pay the ransom in order to actually get access to the data,” she said.
With the increased use of generative AI, phishing attacks are becoming more advanced as well. Chelly described phishing as an attack that is typically carried out via email, in which cyber criminals manipulate users into clicking a link or opening a file to enter their credentials.
“Now, with generative AI and general artificial intelligence, we are seeing tools that allow criminals to take a better approach to phishing,” she said. “So, if I am a cyber criminal, I can find ways to communicate with someone over email in a much more realistic way. I can even analyze the responses of that person and create responses to encourage them to click on that malicious link.”
She said that as cyber attacks increase in sophistication, companies will need to move away from simply checking the boxes of a cybersecurity plan and invest more heavily in incident detection and response.
“Even for cybersecurity professionals, with the level of sophistication, it is very hard to recognize the real from the fake,” she said. “We need to always assume that there will be someone clicking on a link and there will be someone who will fall victim of such an attack. So, first and foremost, what is really important for companies is to understand that no matter what they do with the increased use of technology, the cyber attack is inevitable.”
Chelly stressed that simple protective measures are not enough in 2024.
“If a company doesn’t have this detection and incident response in place, they are actually on the losing side already now,” she said. “I would say if we want to solve the problem, we need to come back and ensure we have the right fundamentals.”
This means companies need to develop strategies for discovering and responding to cyber incidents quickly, which will in turn be a benefit to their cyber insurers.
“What makes a difference between one company versus the other is how long a company will take to recover or even detect that something happened. It makes a difference as well for cyber insurance,” she said. “If the recovery time is three months or the recovery time is one week, the business interruption calls and the business interruption losses are not the same.”
With this in mind, Chelly is hoping for more collaboration among cyber insurance companies and their insureds this year.
“Often, the insureds do not realize how much support they can get from their cyber insurer,” she said.
On the other hand, insurers will need to work to better understand the business operations of their insureds and provide relevant protection. This is where context matters, she said.
“A client who might be an insured isn’t operating in the same way if they are manufacturing as a company in the financial industry as a company operating in e-commerce, but as well, the regulatory requirements might not be the same,” she said. “When I was actually assessing those companies, I would really pay attention to the context because that’s where I can understand what are the assets that are the most important for the company and where they might lose the most money if they are attacked.”
Chelly said she believes focusing on what matters to an individual company is much more effective than going through lengthy, generalized questionnaires – an approach to cyber insurance that she hopes insurers will streamline and individualize in the coming year.
“Actually having a conversation with the insured about their cybersecurity strategy and understanding the maturity of it in context requires more time that might be costly,” she said. “But in the long term, it is more cost effective because at the end of the day, cyber is an aggregated risk for insurance companies.”
Check out the rest of the episode to hear what else Magda had to say, and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.