Cyber security considerations for executives and board members: How current trends and developments in cyberattacks influence strategies for reducing cyber risks
Focus on the health sector
As more companies migrate to remote working in the face of the COVID-19 pandemic, cybersecurity has become an important issue for companies in all industries. A new remote world has increased business reliance on digital records, controls, and technology, making them a rich target for ransomware attacks.
Healthcare companies, as in other high-risk sectors, are increasingly recognizing the need for greater investments in data governance, risk management and compliance programs.
In this alert, we review current trends and costs related to cyberattacks and analyze how companies can implement strategies to reduce cyber risks.
The global cost of data breaches is increasing
A study published this summer by the Ponemon Institute, sponsored and analyzed by IBM Security, that summarized results from 17 industries, covering 537 companies in 17 countries and regions, found the global average total cost of a data breach to be $4.24 million. The report concluded that the healthcare, financial services, pharmaceuticals, technology and energy industries have the highest average data breach costs. For the past 11 consecutive years, healthcare organizations have had the highest average cost of a data breach. Between 2020 and 2021 alone, these costs rose by 29.5 percent.
Given these statistics and other potential strategies to reduce the risk of cyberattacks, companies should consider strengthening their information security programs, maintaining cyber insurance, and implementing best practices to reduce the risk of ransomware attacks.
With cyberattacks on the rise, insurers are focusing on risky sectors
For some time now, insurers have been seeing the risk of malicious cyber activity against the federal government, U.S. corporations, and critical infrastructures growing. A recent report by the Government Accountability Office (GAO) for 2021, released under the provisions of the National Defense Authorization Act for fiscal year 2021, confirms the need for a stable insurance market in light of the surge in cyberattacks in recent years.
Given the ongoing challenges, insurers and policyholders are encouraged to evaluate their cyber controls, especially in high-risk sectors. The health sector in particular is looking for ways to protect itself from increasing attacks.
Growing demand for cyber insurance
Among other things, the GAO report found growing demand for cyber insurance, along with insurance price increases and more frequent and more serious cyber attacks. Cyber insurance utilization rates increased between 2016 and 2020, with the highest utilization rates observed in high-risk industries, including healthcare and education. Insurance premiums, which can vary depending on the industry, company size and cyber controls, also increased.
The report also indicated that insurers have lowered cyber insurance coverage limits for higher-risk industries and are tending to add specific sublimits on ransomware coverage. According to the report, challenges that insurers and policyholders face include limited availability of historical loss and cyber event data, the risk of aggregate losses from cyberattacks, and limited awareness of cyber risk and of the coverage that can help mitigate it.
The cyber risk to healthcare remains high
The GAO analysis and the accompanying trend in cyber insurance limits come as the number of ransomware incidents has increased over the past year. Moody's Investors Service released a report in late May that found that cyber risk for the healthcare industry remained high.
Ransomware incidents in healthcare and education institutions have been increasing steadily since 2019 and show no signs of decline. This summer the FBI issued a flash bulletin warning about attacks using the Conti ransomware. Conti is a human-operated "double extortion" ransomware: it steals information and threatens to publish it, and it also encrypts the data so that its owner cannot access it. The bureau said it had identified at least 16 such Conti attacks targeting U.S. healthcare and first responder networks. The FBI bulletin was circulated by the American Hospital Association, which republished the warning along with a statement calling for a coordinated government campaign to disrupt ransomware organizations.
No shortage of hackers
Some ransomware organizations, such as REvil and Avaddon, have publicly committed to rules prohibiting the affiliates who use their ransomware from attacking healthcare and educational institutions. Given the reported criminal activity of these groups and the fact that the perpetrators may since have disbanded, such commitments are of course questionable. Although ransomware operators often reappear under new group names, there is no reason to believe that they would keep their previous organizations' promises to limit the scope of their activities. In addition, there does not seem to be a shortage of competitors eager to target these sectors.
The GAO results and the recent surge in cyberattacks and ransomware incidents highlight the need for cyber insurance policyholders to increase their awareness of the risks and of the resulting costs and operational impacts of cyberattacks, particularly in high-risk areas such as healthcare and education. Cyber insurance trends also underscore the need for industry participants to implement and strengthen cyber controls and defenses.
Federal government offers best practices for combating ransomware attacks
In July 2021, the Departments of Justice and Homeland Security, together with other federal partners, established StopRansomware.gov, a one-stop shop for ransomware resources, as part of their ongoing response to the growing national security threat from ransomware attacks and to help private and public organizations reduce their ransomware risk. The website provides tips and guidance on preparing for and combating ransomware attacks, as well as resources on how to report incidents.
Among other incident prevention best practices, the website recommends that organizations:
(1) restrict users' privileges to install and run software applications,
(2) use strong spam filters to prevent phishing emails from reaching end users,
(3) authenticate incoming emails to prevent email spoofing, and
(4) configure firewalls to block access to known malicious IP addresses.
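Recommendation (3), authenticating incoming email, is usually implemented with SPF, DKIM and DMARC. The script below is an added illustration, not code from StopRansomware.gov or the agencies named above, of how a receiving mail system decides whether a message passes DMARC and what the sending domain's published policy says to do with a failure. The domains, DMARC records and authentication results are constructed for the example; the organizational-domain rule is simplified to the last two labels (real deployments consult the Public Suffix List and do live DNS lookups).

```python
"""Toy DMARC evaluation for inbound mail (added example; all data constructed).

A message passes DMARC when SPF or DKIM passes AND the authenticated domain
aligns with the domain in the visible From: header. If neither aligns, the
policy ("p" tag) published by the From: domain decides the action.
"""
from dataclasses import dataclass

# Constructed DMARC records, as they would be published at _dmarc.<domain>.
# (Assumption: looked up from this dict instead of DNS so the example runs offline.)
DMARC_RECORDS = {
    "example-hospital.org": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example-hospital.org",
    "example-vendor.net": "v=DMARC1; p=none",
}


def parse_dmarc(record: str) -> dict:
    """Parse a 'tag=value; tag=value' DMARC record; defaults follow RFC 7489."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str  # domain of the RFC 5322 From: header (what the user sees)
    spf_result: str   # "pass", "fail" or "none", as evaluated on the SMTP MAIL FROM
    spf_domain: str   # domain SPF was evaluated for
    dkim_result: str  # "pass", "fail" or "none"
    dkim_domain: str  # d= tag of the DKIM signature, if any


def evaluate_dmarc(r: AuthResults, records=DMARC_RECORDS) -> tuple:
    """Return (dmarc_result, action) where action is deliver/quarantine/reject."""
    record = records.get(r.from_domain) or records.get(org_domain(r.from_domain))
    if record is None:
        return ("none", "deliver")  # sender publishes no policy: nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    action = {"reject": "reject", "quarantine": "quarantine"}.get(tags["p"], "deliver")
    return ("fail", action)


def demo() -> list:
    """Run constructed inbound messages through the evaluator."""
    samples = [
        # Legitimate mail: SPF passes for the hospital's own mail host (relaxed alignment).
        ("legit", AuthResults("example-hospital.org", "pass", "mail.example-hospital.org", "none", "")),
        # Spoofed From: the attacker's own domain passes SPF, but it does not align.
        ("spoof", AuthResults("example-hospital.org", "pass", "attacker-mailer.example", "none", "")),
        # Vendor with p=none: failure is reported but the message is still delivered.
        ("vendor", AuthResults("example-vendor.net", "fail", "x.example", "fail", "x.example")),
    ]
    return [(name, *evaluate_dmarc(res)) for name, res in samples]


if __name__ == "__main__":
    for name, result, action in demo():
        print(f"{name:7s} dmarc={result:5s} action={action}")
```

The point for the reader is that a passing SPF or DKIM check alone does not stop spoofing; the alignment step ties the check to the domain the recipient actually sees, and only a published policy of `p=quarantine` or `p=reject` turns a failure into an enforced action.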
The website also includes a ransomware response checklist that provides best practices for incident detection, analysis, containment, and remediation.
Other cyber risk management strategies
As the cost and complexity of cyberattacks continues to rise, and companies continue to seek ways to streamline operations in response to the evolving COVID-19 pandemic, companies should continue to monitor cyberattack trends and develop data governance programs. Other cyber risk management strategies include reviewing organizational controls, developing and improving incident response plans, performing internal and external security assessments, and training staff to prevent and respond to incidents.
Reviews of recent trends and statistics, from both public and private sources, underscore the need for companies in high-risk industries, including healthcare and education, to recognize spending on information security program development, and high cyber insurance premiums with reduced coverage limits, as part of the ongoing costs of doing business.
The advanced persistent threats posed by ransomware groups and other cybercriminals can be existential for a business. Investing in cybersecurity and cyber insurance is critical and can help companies avoid the much higher costs they would incur as the victim of a major cyberattack.