Optic Security Group

We’re having to pay more for cyberattacks, and it’s our own fault!


Businesses are addicted to gambling on their cybersecurity, writes Optic Security Group’s Nicholas Dynon. But our big appetite for cyber risk is now being called out by insurers, government… and criminals.

 

2022 has been a good year for those engaged in cybercrime. With media reporting recently that businesses are willing to pay almost double what they were prepared to pay last year in ransom to stop a ransomware attack, there are spoils to be had.


Research by McGrathNicol Advisory has found that, in the event of an attack, four in five businesses chose to pay the ransom, to the tune of an average of $1.01 million+. The average amount that businesses would be willing to pay almost doubled from $682,123 in 2021 to $1,288,608 this year.


And it seems that businesses can’t give their money away to those holding them to ransom fast enough. The research reveals the timeframe for ransom payments has shortened, with 44% of businesses paying within 24 hours (up from 23% in 2021).


Unsurprisingly, businesses are also willing to pay more for cyber insurance. Premiums for cyber insurance collected by US insurance carriers last year, for example, grew by 92% from the previous year. In Australia, a Marsh study has found that cyber insurance premiums have surged up to 80% in the first half of last year, with claims numbers also increasing by 50%.


So, the payouts for these cyberattacks are increasing. Whether it’s ransom payments (where the attack is already in progress) or cyber insurance (which is based on the inevitability of an attack), businesses are digging deeper into their pockets to pay for cybercrime either (i) as it occurs or (ii) on the assumption that it will occur.


This raises the question: are businesses adequately investing in their cybersecurity to prevent and prepare for attacks ahead of time?


Reactive: We address fallout not threats


NIST’s Incident Response Process provides an established framework for understanding the four major phases involved in managing cyber incidents: (i) preparation, (ii) detection and analysis, (iii) containment, eradication, and recovery, and (iv) post-incident activity.


The Preparation phase is all about setting the organisation up to be able to better deal with an incident if it were to happen. It is during preparation, states NIST’s venerable Computer Security Incident Handling Guide, that “the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments.”


Actions like paying ransoms and taking out cyber insurance policies are not aimed at minimising the risk of a cyberattack occurring. They are more about containment and recovery, which places them in the third phase of NIST’s process (containment, eradication, and recovery), i.e. after the incident has already happened.


According to a range of experts, businesses in Australia and New Zealand are just not doing enough to get on the front foot in relation to cyberattacks. Poor security hygiene, a lack of basic controls, and the absence of risk assessments are creating wide gaps for cybercriminals to exploit.




Above figure: NIST’s Incident Response Process. From the NIST Computer Security Incident Handling Guide.


In a recent 7news report, Professor Sanjay Jha, Chief Scientist at the UNSW’s Institute for Cybersecurity, said that companies should be doing more to protect data, saying they have to lift their game and “spend a bit more on cybersecurity.”


“I’m just wondering why some simple things like [multifactor authentication] are not being done in companies that should be easy to fix,” he said.


It’s a good question. Why aren’t businesses doing the simple things? Why aren’t they investing in prevention and preparation? Factors like complacency and culture may provide part of the explanation, but, according to behavioural economics, an underlying reason may well be that, when it comes to security, human nature dictates that we are risk-takers.


Speculative: We bet on losing big


Prospect Theory is a behavioural economics model for describing how people make decisions between alternatives that involve uncertainty, or risk. Daniel Kahneman, one of the economists behind the theory, won a Nobel Prize in Economics for his work, so as far as theories go it’s pretty sound.


According to the theory (which is also covered in one of our recent Investing in Your Security articles), for most people, a small yet certain gain is more attractive than the prospect of a less certain larger gain, but when it comes to losses, the reverse holds true: most people will risk the prospect of a greater loss rather than incur a guaranteed smaller one.


In one study, participants were presented with two choices: the choice between a certain gain of $500 and a 50% chance of gaining $1,000, and the choice between a certain loss of $500 and a 50% chance of losing $1,000. 84% chose the certain $500 gain over the riskier one, while 70% chose to risk a $1,000 loss over settling for the smaller certain one.


In other words, human nature dictates that we’ll take a sure gain over a less certain bigger one, yet we’ll risk a bigger loss just to avoid a certain smaller one. We are hard-wired to be risk-takers when it comes to security; it’s part of the human condition.


Businesses prepared to gamble on their security are more likely to expose themselves (and their customers’ data) to greater risk, yet they are less likely to put in place adequate controls to minimise their risk. When combined with cyber insurance, this predilection for risk leads to moral hazard.


It’s no wonder the price of ransoms and cyber insurance premiums are skyrocketing. But in addition to rising costs, businesses can also expect that insurers will require them to comply with increasing security requirements as barriers to obtaining and retaining coverage. This already happens to varying degrees, but the requirements are set to become increasingly onerous.


You can also bet on cybersecurity becoming an increasingly regulated space, and we’re already seeing this in Australia with the recent toughening of privacy legislation and the SOCI Act. As cyberattacks increase in severity, governments have identified a need to legislate in order to compel better security behaviours.


Ultimately, while the risk of cyberattack itself may have never provided businesses a strong incentive for better cybersecurity, rising insurance costs and regulation will drag us kicking and screaming towards it – and that’s a sure bet!


More information


If this is a topic that’s relatively new to you, I suggest reading up on the guidance provided on relevant government websites, which contain great information for businesses, including:



To find out more about how Optic Security Group can assist you on your organisation’s journey to cybersecurity maturity, feel free to get in touch with us or email me at nicholas.dynon@opticsecuritygroup.com


Nicholas Dynon is Enterprise Security Risk Manager at Optic Security Group.


© 2024 by Optic Security Group
