Businesses are addicted to gambling on their cybersecurity, writes Optic Security Group’s Nicholas Dynon. But our big appetite for cyber risk is now being called out by insurers, government… and criminals.
2022 has been a good year for those engaged in cybercrime. With media reporting recently that businesses are willing to pay almost double what they were prepared to pay last year in ransom to stop a ransomware attack, there are spoils to be had.
Research by McGrathNicol Advisory has found that in the event of an attack four in five businesses chose to pay the ransom to the tune of an average $1.01 million+. The average amount that businesses would be willing to pay almost doubled from $682,123 in 2021 to $1,288,608 this year.
And it seems that businesses can’t give their money away to those holding them to ransom fast enough. The research reveals the timeframe for ransom payments has shortened, with 44% of businesses paying within 24 hours (up from 23% in 2021).
Unsurprisingly, businesses are also willing to pay more for cyber insurance. Premiums for cyber insurance collected by US insurance carriers last year, for example, grew by 92% from the previous year. In Australia, a Marsh study has found that cyber insurance premiums have surged up to 80% in the first half of last year, with claims numbers also increasing by 50%.
So, the payouts for these cyberattacks are increasing. Whether it’s ransom payments, where the attack is already in progress, or cyber insurance, which is priced on the assumption that an attack is inevitable, businesses are digging deeper into their pockets to pay for cybercrime either (i) as it occurs or (ii) on the assumption that it will occur.
This begs the question, are businesses adequately investing in their cybersecurity to prevent and prepare for attacks ahead of time?
Reactive: We address fallout not threats
NIST’s Incident Response Process provides an established framework for understanding the four major phases involved in managing cyber incidents: (i) preparation, (ii) detection and analysis, (iii) containment, eradication, and recovery, and (iv) post-incident activity.
The Preparation phase is all about setting the organisation up to be able to better deal with an incident if it were to happen. It is during preparation, states NIST’s venerable Computer Security Incident Handling Guide, that “the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments.”
Actions like paying ransoms and taking out cyber insurance policies are not aimed at minimising the risk of a cyberattack occurring. They are more about containment and recovery, which places them in the third phase of NIST’s process, i.e. after the incident has already happened.
According to a range of experts, businesses in Australia and New Zealand are just not doing enough to get on the front foot in relation to cyberattacks. Poor security hygiene, a lack of basic controls, and the absence of risk assessments are creating wide gaps for cybercriminals to exploit.
Above figure: NIST’s Incident Response Process. From the NIST Computer Security Incident Handling Guide.
In a recent 7news report, Professor Sanjay Jha, Chief Scientist at the UNSW’s Institute for Cybersecurity, said that companies should be doing more to protect data, saying they have to lift their game and “spend a bit more on cybersecurity.”
“I’m just wondering why some simple things like [multifactor authentication] are not being done in companies that should be easy to fix,” he said.
It’s a good question. Why aren’t businesses doing the simple things? Why aren’t they investing in prevention and preparation? Factors like complacency and culture may provide part of the explanation, but, according to behavioural economics, an underlying reason may well be that when it comes to security, human nature dictates that we are risk-takers.
Speculative: We bet on losing big
Prospect Theory is a behavioural economics model for describing how people make decisions between alternatives that involve uncertainty, or risk. Daniel Kahneman, one of the economists behind the theory, won a Nobel Prize in Economics for his work, so as far as theories go it’s pretty sound.
According to the theory (which is also covered in one of our recent Investing in Your Security articles), for most people, a small yet certain gain is more attractive than the prospect of a less certain larger gain, but when it comes to losses, the reverse holds true: most people will risk the prospect of a greater loss rather than incur a guaranteed smaller one.
In one study, participants were presented with two choices: the choice between a certain gain of $500 and a 50% chance of gaining $1,000, and the choice between a certain loss of $500 and a 50% chance of losing $1,000. 84% chose the certain $500 gain over the riskier one, while 70% chose to risk a $1,000 loss over settling for the smaller certain one.
In other words, human nature dictates that we’ll take a sure gain over a less certain bigger one, yet we’ll risk a bigger loss just to avoid a certain smaller one. We are hard-wired to be risk-takers when it comes to security; it’s part of the human condition.
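The study choices above can be reproduced with the prospect-theory value function, which is what makes the "reflection" between the gain and loss decisions fall out of a single model. The Python below is an added illustration, not part of the original article: the power-law value function and its parameters (alpha = beta = 0.88, loss-aversion lambda = 2.25) are the Tversky and Kahneman (1992) estimates, which the article does not state, and the control-spend-versus-breach figures in the last function are hypothetical numbers chosen only to show the same model applied to a security budgeting decision.

```python
"""Prospect-theory valuation of the gain/loss choices described in the article.

Added example. Value-function form and parameters are assumed from
Tversky & Kahneman (1992); the article itself gives only the survey results.
"""
from dataclasses import dataclass
from typing import Tuple

ALPHA = 0.88    # curvature for gains: each extra dollar feels worth a bit less
BETA = 0.88     # curvature for losses, same diminishing sensitivity
LAMBDA = 2.25   # loss aversion: a loss hurts ~2.25x as much as an equal gain pleases


def value(x: float) -> float:
    """Subjective value of outcome x relative to the status quo (x = 0)."""
    if x >= 0:
        return x ** ALPHA
    return -LAMBDA * ((-x) ** BETA)


@dataclass(frozen=True)
class Prospect:
    """A lottery given as (probability, dollar outcome) pairs plus a label."""
    outcomes: Tuple[Tuple[float, float], ...]
    label: str

    def expected_value(self) -> float:
        """Classical expected value: what a risk-neutral actor would compare."""
        return sum(p * x for p, x in self.outcomes)

    def prospect_value(self) -> float:
        """Prospect-theory value: probability-weighted subjective value."""
        return sum(p * value(x) for p, x in self.outcomes)


def preferred(a: Prospect, b: Prospect) -> Prospect:
    """Return whichever prospect the model predicts the decision-maker picks."""
    return a if a.prospect_value() >= b.prospect_value() else b


# The four options from the study quoted in the article.
SURE_GAIN = Prospect(((1.0, 500),), "certain gain of $500")
RISKY_GAIN = Prospect(((0.5, 1000), (0.5, 0)), "50% chance of gaining $1,000")
SURE_LOSS = Prospect(((1.0, -500),), "certain loss of $500")
RISKY_LOSS = Prospect(((0.5, -1000), (0.5, 0)), "50% chance of losing $1,000")


def gain_choice() -> Prospect:
    """Model prediction for the gain framing (article: 84% took the sure gain)."""
    return preferred(SURE_GAIN, RISKY_GAIN)


def loss_choice() -> Prospect:
    """Model prediction for the loss framing (article: 70% took the gamble)."""
    return preferred(SURE_LOSS, RISKY_LOSS)


# Hypothetical security budgeting decision (constructed figures, not from the
# article): spend $50,000 on controls for certain, or accept a 10% chance of a
# $500,000 breach. Both have the same expected value of -$50,000.
CONTROL_SPEND = Prospect(((1.0, -50_000),), "certain $50k control spend")
BREACH_GAMBLE = Prospect(((0.1, -500_000), (0.9, 0)), "10% chance of $500k breach")


def control_vs_breach_choice() -> Prospect:
    """Same model applied to the security framing: does it predict gambling?"""
    return preferred(CONTROL_SPEND, BREACH_GAMBLE)


if __name__ == "__main__":
    for name, p in [("gain framing", gain_choice()), ("loss framing", loss_choice()),
                    ("security budget", control_vs_breach_choice())]:
        print(f"{name}: model prefers the {p.label} "
              f"(prospect value {p.prospect_value():.1f}, EV {p.expected_value():.0f})")
```

Note that every pair compared has identical expected value, so a purely risk-neutral calculation cannot separate them; the curvature of the value function is what tilts the gain framing towards the sure thing and the loss framing towards the gamble. In the constructed budgeting case the certain control spend is a loss, so the same curvature predicts that the breach gamble is preferred, which is the behaviour the article is describing.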
Businesses prepared to gamble on their security are more likely to expose themselves (and their customers’ data) to greater risk, yet they are less likely to put in place adequate controls to minimise their risk. When combined with cyber insurance, this predilection for risk leads to moral hazard.
It’s no wonder the price of ransoms and cyber insurance premiums are skyrocketing. But in addition to rising costs, businesses can also expect that insurers will require them to comply with increasing security requirements as barriers to obtaining and retaining coverage. This already happens to varying degrees, but the requirements are set to become increasingly onerous.
You can also bet on cybersecurity becoming an increasingly regulated space, and we’re already seeing this in Australia with the recent toughening of privacy legislation and the SOCI Act. As cyberattacks increase in severity, governments have identified a need to legislate in order to compel better security behaviours.
Ultimately, while the risk of cyberattack itself may have never provided businesses a strong incentive for better cybersecurity, rising insurance costs and regulation will drag us kicking and screaming towards it – and that’s a sure bet!
More information
If this is a topic that’s relatively new to you, I suggest reading up on the guidance provided in relevant government websites that contain great information for businesses, including:
To find out more about how Optic Security Group can assist you on your organisation’s journey to cybersecurity maturity, feel free to get in touch with us or email me at nicholas.dynon@opticsecuritygroup.com
Nicholas Dynon is Enterprise Security Risk Manager at Optic Security Group.