By Mia Wallace, originally published in partnership with Insurance Business UK on 13th July, 2023.
Last month, headlines were dominated by news of a cyberattack impacting several high-profile organizations including the BBC, Boots and British Airways. But though the discourse generated was unsurprising given the prominence of the targets, it is also symptomatic of an ongoing challenge in the cyber market – of preventing the stories that dominate headlines from taking attention away from the threats most relevant to the wider market.
This Cl0p-attributed attack epitomizes the tendency of the mainstream Press to zero in on such events, noted Tom Bennett, cyber threat analysis team leader at CFC. However, if you look at these objectively, they are actually quite small run-of-the-mill incidents – albeit involving high-profile players.
“Cl0p is a group which has carried out thousands of attacks,” he said. “It just happened to be a big headline that day, but it ignores the fact that many of Cl0p’s thousands of victims have been very small businesses.
“For another example, BlackBasta – one of the ex-Conti groups who sided with the Russian state – has hit loads of companies who are £5 million-£10 million in revenue, or even smaller. They aren’t necessarily only going after billion-dollar international megacorps. They’re hitting what they can and unfortunately, it’s proving very effective.”
With recent figures from GOV.UK’s ‘Cyber security breaches survey 2023’ revealing approximately 2.39 million instances of cybercrime across all UK businesses in the last 12 months, the true scale of the cyber challenge becomes clearer. And delving into the cyber threat landscape facing UK businesses today, Bennett highlighted why ransomware remains front of mind.
“From an insurance perspective and in terms of what’s really impacting our customers, ransomware is still number one,” he said. “What’s changing isn’t so much the type of cyber threat, but how they are playing out and how threat actors are using new strategies and techniques to strong-arm victims while making boatloads of money.”
The changing profile of cyber criminals’ behaviour
CFC is seeing a continuing move away from cyber gangs just encrypting data to instead stealing data and threatening its publication – a trend which started back in 2019 with Maze Ransomware. As a result, Bennett said, despite the insurance industry’s advocacy for high-quality backups to allow the restoration of data, victims still pay ransoms to avoid the ramifications of their data being stolen and published.
In turn, criminals have realized that this is why victims are paying, he said, so they’re zeroing in on that data theft piece and spending more time in networks, looking to steal information that will make victims feel obligated to pay the ransom demand. What’s been interesting to see is how the market has come full circle – from the pre-ransomware emphasis on data breaches to being about data breaches again, propelled in part by privacy laws and the obligations around notifying subjects in the event of a breach.
“The extra tier of this is how criminals are becoming increasingly nasty,” he said. “They’re making personal attacks against stakeholders in the business. I know of one incident where the CEO of an organization was hit by extortion, and the organization looked like it wasn’t going to pay. So, the criminals sent pictures of [the CEO’s] grandchild to the company with a very vague threat, in an attempt to intimidate.
“And it had the desired effect of making them want to cave in, to avoid any threats to life in the real world. That’s something we’re seeing more of – people getting harassing phone calls on personal numbers that the criminals have spent time to discover in order to use real-world intimidation rather than just cyber extortion to encourage them to pay. That’s something we hadn’t really seen in previous years.”
The power of in-house expertise and solutions
The vast majority of the tools CFC’s policyholders benefit from are ones that the business has built in-house, leveraging the expertise of its 100-plus software development team. And understanding where to best direct those resources has been made possible by its in-house cyber forensic capabilities – creating a seamless feedback loop of monitoring what’s impacting customers and then building the tools to protect and support them as this changes over time.
“My team is basically the conduit for interfacing this with our customers,” he said. “We take all those lessons about what’s causing claims, and the constantly changing shifts in attacker methodologies and targeting behaviors and then focus our efforts there. And our focus is on making this as simple as possible for the customer, so we can hold their hand through the process of managing threats, irrespective of their technical knowledge or the size of their company.”
Bennett and his team bring together multiple threat intelligence feeds alongside CFC’s proprietary data, so they’re well placed to step in where a customer has a problem and to mitigate threats before they develop into claims. And there’s no “sting in the tail” to this offering, he said: it has no impact on a client’s risk profile because CFC has a mutual interest in its policyholders not claiming on their policies.
“We have pretty unparalleled access to what criminals are doing – literally in real-time in many cases,” he said. “We can see the attacks that happen and alert customers in that small timeframe between their initial compromise and something very serious having happened. Because criminals are now looking for that valuable data, it creates that very small window of opportunity – and that’s where we leverage our ability to intervene.”