These stepped-up threats are playing out against the backdrop of a business environment, and a public, already stressed by the pandemic.
The shift to work-from-home arrangements has blurred companies' security perimeters - the borders that define their networks. As a result, companies that lack advanced security and intrusion detection tools become more exposed to threats.
What's more, phishing attacks thrive when there's fear and uncertainty. When employees suddenly find themselves physically distant from their coworkers and leadership, they become more susceptible to phishing.
And all this cybercrime comes with direct and indirect costs.
The Cost of Cybercrime
Because of the disruption, and because victims get their data back over 94% of the time, on average half of all ransom demands are met, according to Sophos’ State of Ransomware 2020 report. In addition to the ransom, the victim organization incurs costs from lost employee productivity and damage to its reputation. It can also face legal costs and other expenses if its customers' personal information is breached, along with potential regulatory inquiry.
The average cost of recovering from a ransomware attack in 2020 was $732,000 if the ransom was paid. When the ransom wasn't paid, the cost doubled to more than $1.4 million.
Selective's customers have reported few cybercrime losses. Since we began offering our new Cyber Liability and Data Breach Response Coverage insurance product in 2020, we've had a limited number of claims as of this writing (March 2021). All were from small or midsize businesses and caused by hacking or malicious software installations.
Making Yourself More Secure from Cybercrime
While no one is immune from cybercrime, there are some steps you can take to improve your organization's security:
- Train your employees to be knowledgeable about phishing. If someone unknown to them requests sensitive information via email, phone or text, they should contact the sender through another channel and confirm that the request is genuine.
- Just as you conduct fire drills in your office building, conduct cybersecurity drills. Consider implementing phishing awareness tests to keep employees alert to this threat.
- Don't use free services for critical business functions. The adage “you get what you pay for” applies to technology.
- Leverage multi-factor authentication (MFA) everywhere you can, and use password wallets where you cannot. MFA is a regulatory requirement for some industries.
- If you're storing your data in the cloud, don't rely solely on the vendor for security. In most cases, you and the vendor share contractual responsibility for keeping your data secure, and you are likely to be legally responsible if it is subject to unauthorized access or disclosure.
- Ensure your devices and software are properly installed, protected, and regularly updated, and change the default credentials.
The pandemic has exacerbated cyber threats. By following rigorous security practices, you can vastly improve your organization's ability to defend against cyber attacks.
About the Author
Robert (Bob) McKenna is Senior Vice President of Enterprise Strategy and Execution and leads Selective’s IT technology strategy, shared application delivery, enterprise architecture, and cybersecurity teams. Bob is an experienced leader of Information Technology teams with over 25 years of overall IT experience. The last 17 years of his career have been in Insurance with prior experience across manufacturing, software development, and financial brokerage.