Our world is highly globalised and interconnected. Extreme scenarios have long since stopped affecting just high-risk countries; they are a real global threat to everyone. The same is true for Switzerland. What are companies most afraid of? Allianz assesses this annually using the large-scale Risk Barometer study, and publishes the results as the “Top 10 Business Risks”. Following the uncertainty caused by last year’s pandemic outbreak, in 2021 cyber risks are once again ranked in first place. This clearly shows that cyber security is more than just one of the many items on the to-do list, and that companies around the world are struggling with it. Here we summarise which cyber risks, according to the study, are currently of particular concern to companies.
As part of the Allianz Risk Barometer Report 2022, 2650 risk management experts from 89 countries were asked which topics were of particular concern to companies and what the greatest risks will be. Among them there were 75 CEOs, risk managers and brokers from Switzerland.
Concerns about cyber attacks (44%) came in first place, ahead of disruption to business and deliveries (42%), which, incidentally, is frequently caused by cyber incidents, natural disasters (25%) and the wider impact of the Covid-19 pandemic (22%). The cyber concerns specifically include ransomware, data breaches and IT failures.
Even if these findings are unsurprising, studies like these show once again that the issue of cyber risks is becoming more and more worrying year on year, and rightly so, if you look at the statistics of recent years, media publications and prognoses.
In the Risk Barometer, four cyber risks in particular emerged as a concern: the rapid increase in ransomware, data theft, IT vulnerabilities due to a growth in remote working / home office and disruptions due to failure of digital supply chains, cloud and other technology service platforms.
There are many reasons for this year’s top ranking: progressive digitalisation and networking mean that companies are more susceptible to attacks, and the switch to home office has placed high demands on security technology. Hackers are constantly developing new methods, using technologies such as artificial intelligence and conducting themselves in a more professional manner. Internal company risks are also on the increase. In concrete terms, employees who are not adequately trained in cyber risks and security, for instance, can become a dangerous source of vulnerability. That’s why security awareness should hold a key position in every cyber security strategy.
There used to be bank robberies; nowadays there are ransomware attacks, which are on a larger scale, are more profitable and take less effort. In the past, there was at least a recognisable pattern in terms of sectors or company size, but now hackers attack in an apparently indiscriminate way. Cyber criminals are often highly professionally organised, and have refined their attack methods and their business model to such an extent that attacks can be conducted with minimal effort. What is particularly treacherous is that ransomware tools can be bought cheaply on the Dark Web or used in the form of Ransomware-as-a-Service (RaaS), so that even non-professionals can get in on the action.
The study also revealed the latest trends in ransomware attacks. Firstly, there is an increase in “double blackmail”, i.e. a combination of initial data theft and encryption, followed by a threat to disclose sensitive data. Secondly, hackers attempt to encrypt or delete backups at the same time, thus reducing companies’ ability to react following an attack. And thirdly, attackers are increasingly using targeted Spear Phishing and Whaling to gain access to systems.
The study revealed a worrying trend of cyber attacks on digital supply chains, with attackers targeting related platforms, physical critical infrastructure and a digital single point of failure. An example of this was the attack on the US Colonial Pipeline, which led to the disruption in the US energy infrastructure. The most recent incident, the Log4j vulnerability, also shows the speed with which an attack like this can happen. Worldwide, hackers carried out more than one million attacks in just four days, introducing ransomware into software updates, among other things, which can, and in some cases did, have devastating consequences. This makes it clear that the increasing dependence on digital infrastructures poses a major risk.
Given the increasing risk levels, companies are right to be unsettled and confused about what form effective protection should take. As nice as it would be, there is no such thing as a strategy that can be used by every company. Of course, setting up security architecture that is as secure as possible and individually tailor-made to suit the company is one of the basics, as are modern network and security solutions, well-trained specialists, the right security measures, regular security awareness training sessions for the staff and a multi-level cyber defence. If you are unable to do this alone, you should definitely be calling on the services of an external experienced partner company. At InfoGuard, we are happy to provide you with support.
Moreover, Business Continuity Management, in other words targeted preparation for an incident such as a successful cyber attack, is not an optional extra; it is an often neglected obligation. The question of whether a company is a likely target is no longer a relevant one – the real issue is when it will happen. Business Continuity Management also includes, among other things, prepared incident response or table-top exercises. Here too, our experienced experts will be pleased to assist you.
Ultimately, the aim is to achieve a healthy, comprehensive cyber resilience, or resistance to cyber attacks. The responsibility for this lies with the senior management. The Board of Directors, on the other hand, bears the overall responsibility for risk management in the company. But how do you measure a company’s cyber resilience? In our free “Cyber Resilience Checklist” we present the fundamental expertise relating to cyber resilience, its principles and which points need to be evaluated in order to make an assessment.
* Source infographic: https://www.agcs.allianz.com/news-and-insights/reports/allianz-risk-barometer.html