Ransomware and phishing trends impacting cyber insurance

The Greater Sioux Falls Chamber of Commerce set the tone for National Cybersecurity Awareness Month with its annual Cybersecurity Conference.

A wealth of speakers addressed an abundance of cybersecurity challenges that businesses face in today’s cyber threat landscape.

Dan Hanson with Marsh & McLennan Agency and Michael Nougier of Eide Bailly, LLP, took a relaxed, conversation-style approach to break down the trends and opportunities small and medium-sized businesses face. We have some takeaways from their on-stage discussion.

Phishing is more sophisticated than ever.

While phishing remains an ongoing threat, Nougier warned they’re noticing a trend toward more sophisticated tactics such as spear phishing.

Hackers used to send an email blast to reach hundreds of inboxes at a company. Now they’re sending malicious emails or electronic communication scams that are more targeted toward a specific, valuable individual at an organization or business. And social media and websites are making their job easier.

Nougier says that’s because reconnaissance is easy. He says the platforms have become a source of open-source intelligence that can be used to target and exploit vulnerabilities among people and organizations. For example, it becomes easy to steal the structure of an organization’s email to reach those valuable employees. Then, celebrated anniversary dates make the links in malicious emails seem relevant enough to click.

When hackers know where a business is vulnerable externally, he says they exploit that to hopefully get access internally as well. And if that doesn’t work, they’ll phish an employee and exploit the human element.

Ransom demands are more expensive and more disruptive.

Hanson shared that in 2018, the average ransom payment was $3,000; today the average is $220,000 — a huge escalation. Perhaps the bigger challenge is the increase in downtime, with the average business disruption at 23 days, he said.

The cost of not being able to conduct business is also a challenge. And other costs include investigating vulnerabilities, fixing systems after figuring out what happened and potential reputational damage.

Whose responsibility is cyber safety?

Both Hanson and Nougier agree on this point: cyber safety is everyone’s responsibility.

“This is not an IT issue,” Hanson said. “This is an enterprise issue. It starts at the top and goes all the way down. Everyone needs to be on board and buy in.”

At the top, he recognizes that allocating dollars to IT security isn’t exciting and can take funds away from hiring a new salesperson or from infrastructure. And cyber insurance is much more intangible than insuring a vehicle. But when IT teams communicate the risk and the potential consequences, the value of cybersecurity becomes more impactful and resources become available.

Then working throughout the rest of an organization, Nougier says the biggest challenge is vision with cybersecurity. He says culture plays a huge role and that an organization’s culture needs to possess the belief that cybersecurity is everyone’s responsibility.

How important is cyber insurance? No, really, how important is it?

Ask two guys who work in cyber insurance how important it is for businesses to have it and of course they’ll say it’s important. But getting insurance is not as easy as it used to be. Hanson fondly recalled the “good old days,” just about a year ago, when cyber insurance was cheap and easy to procure.

Pricing has gone up, as have deductibles. And there are many things a business must do to even get a policy written, such as having multifactor authentication (MFA) across the organization. Hanson says not all policies are equal, which is why it’s important to understand what you’re buying and what it covers.

Where to start?

Nougier says the first step you can take is to figure out where you’re at today and where you need to go. Companies should do reconnaissance on themselves to determine their strengths and their weaknesses. He suggests utilizing resources available through entities such as the Cybersecurity and Infrastructure Security Agency (CISA).

One of the biggest obstacles is shame, he said. No one wants to admit “I clicked the link.”

“Shame stems from punitive action. You don’t want to create fear that there’s punitive action. If there’s fear, there’s no communication,” he said.

Instead, work on building your cybersecurity culture so that everyone understands what to do and who to talk to about it. The ultimate goal is to get buy-in from everyone and an understanding that cybersecurity is everyone’s responsibility.