We’re risk takers, and that’s making cyberattacks more costly
Businesses are addicted to gambling on their cybersecurity, writes Nicholas Dynon. But our big appetite for cyber risk is now being called out by insurers, government… and criminals.
Nicholas Dynon is chief editor of NZSM, and a widely published commentator on New Zealand’s defence, national security and private security sectors.

2022 has been a good year for those engaged in cybercrime. With media reporting recently that businesses are willing to pay almost double what they were prepared to pay last year in ransom to stop a ransomware attack, there are spoils to be had.
Research by McGrathNicol Advisory has found that in the event of an attack four in five businesses chose to pay the ransom to the tune of an average $1.01 million+. The average amount that businesses would be willing to pay almost doubled from $682,123 in 2021 to $1,288,608 this year.
And it seems that businesses can’t give their money away to those holding them to ransom fast enough. The research reveals the timeframe for ransom payments has shortened, with 44% of businesses paying within 24 hours (up from 23% in 2021).
Unsurprisingly, businesses are also willing to pay more for cyber insurance. Premiums for cyber insurance collected by US insurance carriers last year, for example, grew by 92% from the previous year. In Australia, a Marsh study has found that cyber insurance premiums have surged up to 80% in the first half of last year, with claims numbers also increasing by 50%.
So, the pay-outs for these cyberattacks are increasing. Whether it’s ransom payments – where the attack is already in progress, or cyber insurance – which is based on the inevitability of an attack, businesses are digging deeper into their pockets to pay for cybercrime either (i) as it occurs or (ii) with the assumption it will occur.
This begs the question, are businesses adequately investing in their cybersecurity to prevent and prepare for attacks ahead of time?
Reactive: We address fallout not threats

NIST’s Incident Response Process provides an established framework for understanding the four major phases involved in managing cyber incidents: (i) preparation, (ii) detection and analysis, (iii) containment, eradication, and recovery, and (iv) post-incident activity.
The Preparation phase is all about setting the organisation up to be able to better deal with an incident if it were to happen. It is during preparation, states NIST’s venerable Computer Security Incident Handling Guide, that “the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments.”
Actions like paying ransoms and taking out cyber insurance policies are not aimed at minimising the risk of a cyberattack occurring. They are about containment and recovery, which places them in the third phase of NIST’s process, i.e. after the incident is already under way.
According to a range of experts, businesses in New Zealand and Australia are just not doing enough to get on the front foot in relation to cyberattacks. Poor security hygiene, a lack of basic controls, and the absence of risk assessments are creating wide gaps for cybercriminals to exploit.
In a recent 7news report, Professor Sanjay Jha, Chief Scientist at the University of New South Wales Institute for Cybersecurity, said that companies should be doing more to protect data, saying they have to lift their game and “spend a bit more on cybersecurity.”
“I’m just wondering why some simple things like [multifactor authentication] are not being done in companies that should be easy to fix,” he said.
It’s a good question. Why aren’t businesses doing the simple things? Why aren’t they investing in prevention and preparation? Factors like complacency and culture may provide part of the explanation, but, according to behavioural economics, an underlying reason may well be that when it comes to security, human nature dictates that we are risk-takers.

Speculative: We bet on losing big

Prospect Theory is a behavioural economics model for describing how people make decisions between alternatives that involve uncertainty, or risk. Daniel Kahneman, one of the two psychologists behind the theory (the other being Amos Tversky), won the Nobel Memorial Prize in Economic Sciences for the work, so as far as theories go it’s pretty sound.
According to the theory, for most people a small yet certain gain is more attractive than the prospect of a less certain larger gain, but when it comes to losses, the reverse holds true: most people will risk the prospect of a greater loss rather than incur a guaranteed smaller one.
In one study, participants were presented with two choices: the choice between a certain gain of $500 and a 50% chance of gaining $1,000, and the choice between a certain loss of $500 and a 50% chance of losing $1,000. 84% chose the certain $500 gain over the riskier one, while 70% chose to risk a $1,000 loss over settling for the smaller certain one.
In other words, human nature dictates that we’ll take a sure gain over a less certain bigger one, yet we’ll risk a bigger loss just to avoid a certain smaller one. We are hard-wired to be risk-takers when it comes to security; it’s part of the human condition.
Businesses prepared to gamble on their security are more likely to expose themselves (and their customers’ data) to greater risk, and less likely to put in place adequate controls to minimise that risk. When combined with cyber insurance, this predilection for risk leads to moral hazard: the insured party bears less of the loss, and so has less reason to prevent it.
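The choice reversal described above can be reproduced numerically. The following is an added example, not part of the original article: it implements the Prospect Theory value function with the parameter estimates published by Tversky and Kahneman in 1992 (exponent 0.88 for both gains and losses, loss-aversion coefficient 2.25), evaluates the two choices from the study quoted above, and then applies the same model to a constructed security budgeting decision (a certain control spend versus a probable larger breach loss; the dollar figures are made up for illustration). Probability weighting, which the full theory also includes, is deliberately left out, so the reversal shown here comes from loss aversion and diminishing sensitivity alone.

```python
"""Prospect Theory valuation of sure-thing versus gamble choices.

Added illustration, not code from the original article. Value function and
parameters (alpha = beta = 0.88, lambda = 2.25) follow Tversky & Kahneman
(1992). Probability weighting is omitted (simplifying assumption).
"""

ALPHA = 0.88    # diminishing sensitivity for gains
BETA = 0.88     # diminishing sensitivity for losses
LAMBDA = 2.25   # loss aversion: losses loom ~2.25x larger than gains


def value(x: float) -> float:
    """Subjective value of an outcome x measured against the status quo (0).

    Concave for gains, convex and steeper for losses, which is what makes
    people risk-averse about gains and risk-seeking about losses.
    """
    if x >= 0:
        return x ** ALPHA
    return -LAMBDA * ((-x) ** BETA)


def prospect_value(outcomes) -> float:
    """Value of a gamble given as [(probability, outcome), ...].

    Probabilities are used unweighted here (assumption, see module docstring).
    """
    return sum(p * value(x) for p, x in outcomes)


def prefers_gamble(certain: float, p: float, gamble_outcome: float) -> bool:
    """True if the modelled decision maker takes a p-chance of gamble_outcome
    (otherwise 0) instead of receiving `certain` for sure."""
    sure = prospect_value([(1.0, certain)])
    risky = prospect_value([(p, gamble_outcome), (1.0 - p, 0.0)])
    return risky > sure


def risk_neutral_prefers_gamble(certain: float, p: float,
                                gamble_outcome: float) -> bool:
    """Same question for a purely expected-value decision maker."""
    return p * gamble_outcome > certain


def security_budget_gamble(control_cost: float, breach_prob: float,
                           breach_loss: float) -> bool:
    """Constructed scenario: pay `control_cost` now for certain, or skip it
    and accept a breach_prob chance of losing breach_loss. Returns True when
    the Prospect Theory decision maker skips the spend and gambles."""
    return prefers_gamble(-control_cost, breach_prob, -breach_loss)


if __name__ == "__main__":
    # The two choices from the study quoted in the article.
    print("gain:  50% at $1,000 over a sure $500?",
          prefers_gamble(500, 0.5, 1000))        # False: sure gain wins
    print("loss:  50% at -$1,000 over a sure -$500?",
          prefers_gamble(-500, 0.5, -1000))      # True: gamble to dodge sure loss
    # An expected-value decision maker is indifferent in both cases.
    print("risk-neutral gain gamble?", risk_neutral_prefers_gamble(500, 0.5, 1000))
    # Constructed security decision with equal expected cost ($200k either way).
    print("skip $200k of controls to gamble on a 20% chance of a $1M breach?",
          security_budget_gamble(200_000, 0.20, 1_000_000))   # True
```

Note that the constructed budgeting scenario has identical expected cost either way ($200,000); the model still prefers the gamble, which is the article's point: a sure, smaller spend on controls feels worse than an uncertain, larger breach loss. Insurance, by shrinking the realised loss, makes that gamble cheaper still.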
It’s no wonder the price of ransoms and cyber insurance premiums are skyrocketing. But in addition to rising costs, businesses can also expect that insurers will require them to comply with increasing security requirements as barriers to obtaining and retaining coverage.
According to a recent report by Duncan Cotterill, over the past two years “the local [New Zealand] cyber insurance market has undertaken a significant adjustment,” with a new baseline being set in relation to “premium, deductible levels, coverage availability, capacity, and underwriting rigor.”
Baseline criteria to obtain cyber cover include the use of anti-malware software, regular data backups, the use of Multi-Factor Authentication, ensuring software updates are actioned regularly, and changing default credentials.
“Some businesses may need to make some changes to how they operate in order to obtain cyber insurance cover,” states the report, “and businesses may see an increase in the premium they pay for cover.”
You can also bet on cybersecurity becoming an increasingly regulated space, and we’re already seeing this in relation to privacy, and across the Tasman with the recent toughening of the Australian Security of Critical Infrastructure Act. As cyberattacks increase in severity, governments are identifying the need to legislate in order to compel better security behaviours.
Ultimately, while the risk of cyberattack itself may have never provided businesses a strong incentive for better cybersecurity, rising insurance costs and regulation will drag us kicking and screaming towards it – and that’s a sure bet!