2022 proved to be a challenging year for organisations trying to protect themselves against cyber attacks that originate from across the world, and within only the first two weeks of 2023 more high profile attacks have been disclosed.

One indicator of the scale of the problem is to look at how cyber insurance providers have been objectively assessing the risk of a cyber attack on their clients, and how to price that risk. This gives us strong signals about the challenges that cyber security will bring in 2023.

The signs from the Cyber Insurance market

There have been some foreboding seismic changes in the cyber insurance market. The volume of attacks globally has resulted in insurance premiums that are now out of range for many organisations, and in December last year Zurich insurance said that cyber attacks will become “uninsurable”. Lloyds of London have mandated that all their policies must include an act of war exclusion, to ensure there is no liability when policy holders are caught in the cyber-crossfire by nation states such as Russia; it would not be a surprise if further exclusions were brought in later.

Cyber attackers come in many forms including nation states such as Russia, China and North Korea, as well as independent criminal gangs that operate in those countries and elsewhere. The line between these parties is very blurred, for example when the Russian military collaborates with local criminal gangs. It remains to be seen whether an insurance provider will make a distinction between the actions of a nation state and the country’s criminal gangs as an act of war, especially because attribution is not an exact science and may be outside the capability of an insurance underwriter. It is possible that the insured party will have to wait for some time before the claim is investigated, and they may need to challenge the assessment in court.

All the signs are that if insurance is indeed made available, then it will only be offered to an organisation that shows it has done everything it reasonably can to make itself an attractively low risk to an insurance provider. Consider the dispute between Travellers Insurance and their policyholder in the US in July last year, where the policy holder experienced a ransomware attack but Travellers successfully had the insurance policy annulled because the policyholder did not have the cyber protections in place that they claimed.

Organisations need to be constantly aware of the current and evolving risks of a cyber incident, and review whether their controls are robust enough to keep that risk down. Insurance providers have already started to do their own assessment of their policy holders’ controls, akin to a risk assessment before granting a person a life assurance policy, and they plan to go a lot deeper than you might think. Cloud providers including Google, Microsoft and Amazon are working with insurance companies to review the security configuration settings of their customers as part of the insurance company’s due diligence, to determine whether to offer insurance and at what price. The implications are clear: insurance companies expect you to have robust cyber security before they will consider you as a client. Where previously the application for an insurance policy was based on self-attestation by an organisation, insurance providers are now starting to ask for reports and metrics, however this could result in the applicant sharing highly sensitive information on their cyber security weaknesses which could be exploited if in an attacker’s hands. 

Ransomware will remain popular …

A recent report from the insurance industry’s representative body, the Geneva Association, highlighted that 75% of all cyber-insurance claims in 2020 (the latest available analysis) were for ransomware. In 2022 we saw a change in the tactics of ransom attackers, and we expect more to come as attackers copy the success of their peers in trying out new approaches.

Last year, a ransomware gang hacked into the website of their victim to post the ransom note for the world to see, in order to increase the pressure to have the ransom paid. Other attackers have used a new way of encrypting their victim’s files by only encrypting every 16th bit (called Intermitted Encryption) to avoid making too much ‘noise’ and setting off the victim’s detection systems.

We expect attackers to increase their ‘innovation’ in ransomware, especially as the ransomware software has become so much easier to purchase online through the ransomware-as-a service (RaaS) market that the attacker community has established, alongside their call centres and venture capital services to enable the RaaS market to flourish. As a result, organisations need to keep their ear to the ground by reading cyber threat intelligence, such as our weekly blog, to understand the new tactics and check how secure they are against them.

… but new types of attacks are increasing

However, ransomware is not the only type of attack and it looks set to decrease (slightly) in popularity with the recent crash in crypto currencies, which is a currency of choice for cyber attackers as it is like a suitcase of unmarked banknotes that cannot be traced. Coming up in popularity is business email compromise (BEC), and the lesser known email account compromise (EAC), where the attacker gains access to a user’s email account and, without the knowledge of the owner, uses it to conduct further attacks such as sending out emails requesting payments to fraudulent accounts. BEC/EAC are not new, but they seem to be considered easier and more profitable for attackers in late 2022 and into 2023.

It is worth noting that attackers will often lurk for months or years after an email account has been compromised. The attacker will watch and wait for the right moment to strike, for example when the victim is about to transfer funds to a third party and the attacker intercepts and alters emails to divert the funds to the attacker’s bank account.

When there is money to be made, there will be innovation

Every day across the world, hundreds of thousands of clever but dishonest people wake up in the morning, and their definition of a good day’s work is that they have broken through your defences to get access to your information or money.

Recent ‘innovations’ from the attackers perspective include call-back phishing, which has soared in popularity as attackers are refining their techniques. This starts with a classic phishing email that tells the recipient that their information or money is in danger. However, this email encourages the recipient to call a number for help; the person they call is the attacker who will talk them through downloading software (which is, sadly, malicious software or ‘malware’) and transferring money (unknowingly into the attacker’s account) in order to sort out the problem.

The ’robust’ controls of this morning might not be so strong by this afternoon

Last autumn, a contractor at Uber was contacted by someone claiming to be from the company’s IT team, who asked the contractor to accept the multi-factor authentication (MFA) prompts they had been receiving on their device in order that the IT team could work on their account. The contractor complied. The person who contacted them was of course an attacker and now had direct access to Uber’s systems, including the ability to post messages on the company’s Slack channels used for internal messaging.

This is a strong reminder that controls, such as MFA, that are considered robust can still be overcome by a determined attacker, especially if they can convince an employee to help them. To be clear, MFA is a very credible control and should certainly be maintained however there are no silver bullets and no single control offers 100% protection to withstand a determined attacker. The only way to protect yourself is to understand the evolving tactics of attackers, and to maintain a strategy of multiple layers of controls in order that if one of them fails, then the other controls can help to withstand or mitigate the damage; this is referred to as defence in depth.

Subscribe to our weekly round up of threat intelligence

2023 has already started as a yet more challenging year for protecting you and your clients’ information against a cyber attack. The UK’s Royal Mail has fallen victim to ransomware attributed to Russian attackers that has immobilised its international operations, and the Guardian newspaper has shared details of a recent attack on their systems.

This is why your cyber security strategy needs to be regularly reassessed based on what your ear to the ground is telling you. Subscribe to our weekly threat intelligence report on blackarrowcyber.com/subscribe to keep on top of the latest developments and see what our threat intelligence tells you to consider in your cyber security strategy. And contact us if you want to discuss what this all means for you; we know and love cyber security, and would be happy to hear from you.