In 2021, there were 623 million cyberattacks worldwide. If there is an opportunity to enter a company’s premises undetected, cybercriminals will find it. In the digital age, no organization is immune to cyber threats. Size doesn’t matter.
A recent report from cyberinsurance provider At-Bay highlights that ransomware is the biggest digital threat to American businesses, responsible for approximately 60% of all national cyberinsurance claims in 2020. Over the past year, the average ransom payment has almost doubled, and the average total loss is $1.8 million for a single incident.
Rotem Iram, co-founder and CEO of At-Bay, explained that a major challenge facing business owners is that security governance and government regulations have failed to keep pace with the adoption and innovation of technology, and with the new risks that come with it.
“Software has become the single most important driver of productivity and growth for any business in a very short time,” he said. “It’s no surprise that cyber risk has grown alongside technology adoption, but unfortunately the software and security industries have failed to adapt to the growing risk.”
“The average organization uses hundreds of different types of software. Just keeping track of them all, let alone making sure they’re all up to date, is very complicated, especially if you’re a small business with few resources,” Iram said. “And on the other side, you have well-organized criminal organizations that can launch large-scale attacks. It’s unrealistic to expect corporations to be able to do this on their own.”
Protocol spoke with Iram about the state of cybersecurity, the benefits of cyberinsurance, and his hopes for the future of security.
What’s the biggest cybersecurity misconception among business leaders?
I’m going to give you a misconception and I’m going to give you a blind spot. I think the biggest misconception is that most cyberattacks are very sophisticated. In reality, the most active cybercriminals are not sophisticated state actors. They are middle-of-the-road criminals exploiting the same core technology and configuration issues over and over again. It’s actually pretty mundane, but that’s how most damage happens.
The blind spot is the technologies we depend on to run our businesses. You might be using a perfectly safe server or VPN, then one morning, through no fault of yours, it’s no longer safe – it’s actually extremely at risk. We come to find that the software we depend on is full of holes, like Swiss cheese. It is incredibly porous and easy to break through. And the company you bought it from has no obligation or responsibility to ensure that the vulnerabilities it created are fixed.
Can you paint a picture of the impact of a security breach?
I’ll give you an example from our own industry: last July, a large insurance company suffered a ransomware attack. In a basic ransomware attack, hackers encrypt the victim’s data and demand a ransom from the organization to regain access. In this case, the attackers first siphoned off a few terabytes of data, then, to increase the urgency of their ransom demand, began disclosing this stolen data, which included sensitive information such as health records, HR and employee salary information, and more. The employees were victims of identity theft based on the leaked information. And even after the ransom is resolved, the organization still has to deal with the long-term impacts on its reputation, investor relations, regulatory review, employee issues, and more. They could face the fallout for years.
How does At-Bay help protect organizations?
Simply put, we help prevent ransomware attacks from happening. This is what really sets us apart from other insurance companies. We don’t just provide you with insurance in the event of an attack; we have a security team that actively monitors your risks throughout the policy year. This team uses tactics very similar to those used by attackers to identify potential targets. We regularly scan each of our insured companies to see if they have any issues that would be easy for an attacker to discover and exploit. When we identify issues, we go one step further and work with our insured companies to help resolve them before they fall victim to an attack.
Theoretically, for every five ransomware attacks experienced by our competitors, we help prevent four from happening and help the fifth recover quickly. In the unfortunate event of an attack, our claims team gets to work immediately, pairing the victim with a panel of experts including privacy lawyers, a breach management team and an incident response team to get the organization back up and running.
What can companies do to demand change and turn the tide of cybercrime?
Imagine if foreign organized crime groups physically stormed a New Jersey town, extorting local businesses, schools, and hospitals en masse. We would be up in arms. Yet when it happens in cyberspace, we abandon it. So far, we’ve seen that the government – and the media – only really react to cyber incidents related to critical infrastructure and big business. If you’re a small business, college, or small town, you don’t get help from your government. They have to fend for themselves against these attackers.
In all other industries, the government plays a vital role in consumer protection. For example, you cannot choose whether you want to install a seat belt in a car or not. If you want to sell cars in America, they have to have seat belts. Technology is not regulated in the same way. You are allowed to sell enterprise software that does not require multi-factor authentication or robust spam filtering. With the share of our economy now dependent on technology, the lack of government regulation poses a major risk to businesses and ultimately to our own citizens. In the absence of government action, insurance intervenes. The insurance companies were the first to push the federal government to mandate them. Likewise, we can push for security measures in cybersecurity that will have the same kind of impact on technology.
What is your hope for the future?
Hopefully, with the emergence of insurance companies like At-Bay, we now have a real chance to understand what drives cyber risk. One thing that’s frustrating about security is that you have no idea what matters and how much you should be paying for it. Do you need a next-generation firewall? How much should this cost you? $100? $1,000? By looking through the lens of insurance claims, we can identify what matters when it comes to security, and then use the insurance policy as a tool to drive adoption of those security controls. At the same time, we can help regulators by providing them with the data and information needed to adopt effective policy.
Additionally, we need to start demanding more accountability from our software vendors, so that they give security the attention it needs.
Ultimately, I want us to reach a point where we are once again optimistic and excited about technology and where businesses can thrive in a digital world.