In this opinion piece, Maura Wiese and Danielle Roth share deep insights on 2019’s top cyber risks and finding solutions in vulnerability .
Fourteen seconds. That was the prediction in 2017 on how often a business would endure a cyberattack by 2019. By October 2019, however, the actual figure was much worse. Every ten seconds, cyber thieves are trying to gain access into a business’s systems.
If 2019 proved anything, it was that hackers are becoming much more cunning in both their methods and their targets. The amount of money lost to cybercrime in 2019 – $2 trillion. By 2024, losses are expected to top $5 trillion.
That number could increase, particularly since cybercriminals frequently change how they attack. For companies trying to stay ahead of hackers, it becomes a struggle to eliminate one vulnerability as another is evolving.
Yet often, the method by which hackers breach systems is a common one. In fact, phishing via email or social media continues to top the list of how hackers are getting in. Phishing attacks make up 90 percent of data breaches, and phishing attempts have increased 65 percent in just the last year (2018-2019).
The problems are only increasing. In 2018, reports of credential compromise increased 70 percent over 2017, a 280-percent increase from 2016.
Still, knowing how hackers are getting in – and who they’re targeting – can go a long way to putting preventative measures in place. Let’s consider the three key trends in cybercrime that have dominated the conversation in 2019.
In 2019, ransomware grew in scope and frequency, signaling that this is the preferred method of attack for many cybercriminals. Ransomware attacks are growing at a rate of 350 percent each year. The reason – these attacks are easier for hackers to deploy and net higher payouts. They simply access the system, lock out users, and demand ransom to restore systems and files.
Yet even this method continues to evolve. Hackers, looking for the ultimate payout for their efforts, are now targeting companies that house their data or online access of multiple organizations. Vendors that are being used by many companies are a prime target as hacking into one system could net them access to hundreds or even thousands of customer systems such as a payment processor.
By all accounts, ransomware is expected to continue its exponential growth as a preferred method for cybercriminals. The top causes of ransomware to date are careless employees (51 percent), ineffective antivirus protection (45 percent), and outdated or unpatched software or security (26 percent).
Fortunately, these causes can be addressed effectively by most companies. Training employees on how to spot and handle fraudulent emails or phone calls requesting proprietary information can reduce significantly the risk of employee error. A clear process for reporting suspected activity should be part of a company’s overall risk reduction strategy.
Likewise, IT departments should be conducting regular updates of all software and security applications, as well as ensuring that current antivirus programs are able to respond to new threats as they emerge.
2. Public Entities Targeted
In 2016, there were 46 publicly reported ransomware attacks on state and local governments. By 2018, that number had risen to 53 incidents. By early 2019, there were already 21 attacks on the books. While that number is disturbing, reports say the true total is much higher as many state and local governments are unwilling to publicly acknowledge cyberattacks.
Many high-profile ransomware attacks are helping to shed light on the risks that municipalities and government entities face. In May 2019, the city of Baltimore was hit with its second ransomware attack in just 14 months. The 2019 attack cost the city over $18 million. The original ransom demand, which the city refused to pay, was $76,000. The first cyberattack hit the city’s 911 emergency system and caused a limited disruption.
Small entities are not immune to attack. The town of Wilmer, Texas was hit with a ransomware attack in August 2019, an attack that shut down the entire network – from the police department to the library – in a town of just under 5,000 residents.
And location is equally irrelevant to cyber thieves – from Johannesburg, South Africa with over 5.6 million residents to the northernmost, sparsely populated Nunavut province in Canada, hackers are looking for easy prey.
To thwart cybercriminals, public entities, who typically have little to no cybersecurity budgets could still be utilizing some of the same type of preventative strategies as mentioned previously – educate employees on proper response and reporting, update systems and applications regularly, and make sure antivirus protection is up-to-date and scalable to handle new threats.
Facial recognition. Fingerprint scanning. Retina scans. Today’s identification tool is also a hotbed of exposure, both from hackers and litigants.
Some states are setting up protections. Illinois is one of them, having enacted the Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (“BIPA”) to regulate companies that collect and store Illinois citizens’ biometrics, such as fingerprints. The BIPA establishes standards for how employers must handle Illinois employees’ biometric identifiers and biometric information, and ultimately mandates that reasonable safeguards are put in place.
In a 2018 case, a teenager visiting an Illinois Six Flags amusement park became central in a case involving what companies can and cannot do with biometric data they collect. The teenager was fingerprinted as part of the process of purchasing a season pass. The attempt to verify the identity of the purchaser resulted in a successful lawsuit in which the company was cited for having violated the state’s biometric privacy laws that require notice and consent, even without the need to show harm.
More recently, a logistics company that provides operations and management services to senior living communities throughout the US, including facilities in Illinois, found itself in the middle of a “BIPA” violation. The company uses a biometric time tracking system that requires employees to use their fingerprints as a means of authentication, rather that key fobs or identification cards.
Employees are required to have their fingerprint scanned to enroll in the database. The plaintiff, on behalf of the class, alleged that the company did not comply with BIPA in connection with its collection and use of the fingerprints. An early settlement in this case was reached however, total defense costs plus the settlement on a class basis totaled approximately $600,000.
In any case in which biometric data is collected and/or stored, companies should operate with transparency. Clearly disclosing of the practice and obtaining written consent protects both the company and the owner of the biometric data. Also, companies should include how the data will be used and stored in any disclosure and consent process.
Halting hackers at the door
Cyber risks are evolving in both scope and form. From ransomware attacks to biometric exposures, cyber liabilities are being reshaped. For your company to stay ahead, you should be partnering with an experienced insurer that has a team of experts who can help with both prevention strategies and incident response.
Whether it is ransomware threats or the exposures stemming from using biometrics, your company should be reviewing systems and policies to ensure that both system preparedness and compliance with privacy laws are adequate.
Also, know how your carrier will respond, and what your responsibilities are in the event of a breach or a violation of privacy regulations. Your carrier can help you build a sound plan and deliver an insurance package that fits your risk exposure.
(Maura Wiese is Head of Cyber – Northeast Region, AXA XL and Danielle Roth is Cyber Claims Manager – AXA XL. Views expressed in this article are of the authors.)