Annual ransomware attacks increased by 84% in 2023 according to some sources. High-profile cyber attacks have hit several large organisations, and in March, Leicester City Council had to disable its phone and computer systems due to a cyber incident. This led to a prolonged disruption and an ongoing criminal investigation.
Artificial intelligence (AI) is expected to increase the global ransomware threat over the next two years according to a report published by the National Cyber Security Centre in April 2024.
Cyber trends
At Crawford, the Cyber Team is seeing that perpetrators tend to be more careful in what they're attacking. They are increasingly going for intellectual property rather than data. They tend to be targeting backups, and companies are growing increasingly concerned about the reputational impacts of these attacks.
Supply chain attack rises
Ransomware attacks generate headlines, but Crawford is also seeing a rise in supply chain attacks that seek out weaknesses and vulnerabilities within the complex network of suppliers, vendors, partners and contractors involved in delivering products and services to and for organisations.
Threat actors exploit the trusted connections between parties within the chain, usually finding an easy target and infecting their systems with malware to gain unauthorised access to the rest of the supply chain. If undetected, the malware can spread across layers of organisations within the chain.
The consequences can be catastrophic, with potential for widespread failure of critical systems and large-scale data breaches. A single attack can affect hundreds of thousands of end users.
The cyber security industry is talking about it, cyber insurers and brokers are talking about it, all with increasing concern. But it is vital the risks and potential impacts are understood by end users.
Acting on cyber threats
Cyber criminals look for the path of least resistance. Organisations with fewer resources, reduced budgets and more legacy systems (with greater potential for vulnerabilities) and a less robust cyber security posture, provide easier points of entry.
Managing supply chain risk isn’t easy; organisations need to think not only about their own suppliers and vendors, but the suppliers of suppliers, and even those suppliers who rely on the same suppliers as them.
Organisations need to identify all supply chain links and data paths, including who has access to networks and applications. This web of interconnectivity can create challenges in understanding what and where the exposure lies.
There are risk control mechanisms and processes that can be implemented by companies of all sizes and across any industry to help mitigate supply chain exposure.
Crawford Risk Consulting’s Cyber Team encourage at least these measures:
- Robust evidence-based supplier onboarding procedures, including risk assessment and resiliency reviews.
- Baseline security standards that vendors are assessed against.
- Maintenance of contractual controls and periodic audits.
If the worst does happen, speed of response for cyber claims is of utmost importance, as when a claim is lodged, an attack may be ongoing. This is a crisis event and if you don't respond immediately, what could be a relatively small, well-contained incident can erupt into something much bigger and harder to fix.
You also need the right experts to call on. It is essential to have instant access to the right people to assist in the most effective way to manage cyber-related incidents.
Readying your organisation to respond to a cyber incident is a multi-step process, and one that must be continually adapted.
Cyber incident planning
Having a cyber incident response plan and crisis communication plan is a start, but just as you need to exercise your fire escape plans, you should be exercising your incident response plans as well.
Make sure people are aware of plans and know their responsibilities. It is critical to conduct specific training for all stakeholders. This will help people make informed decisions in the event of a cyber incident.
Importantly, engaging with employees will go a long way towards building understanding of cyber security and the consequences of failing to plan and react adequately to the worst possible eventuality.
