The constantly evolving world of cyber risk


Transcription:

Transcripts are generated using a combination of speech recognition software and human transcribers, and may contain errors. Please check the corresponding audio for the authoritative record.

Patti Harman (00:06):
Hello and welcome to the Dig In podcast. I'm your host, Patti Harman, Editor-in-Chief of Digital Insurance. Today we are discussing a topic that affects everyone, both personally and professionally - cybersecurity. A new report from Allianz Commercial found that the frequency of large cyber claims was up 14% for the first six months of 2024, while severity had increased by 17%. Data breaches are the top cyber exposure companies fear the most, and several high profile cyberattacks on MGM, T-Mobile, Change Healthcare and Snowflake resulted in the theft of records involving millions of people and highlighted the vulnerabilities associated with protecting customer data. There are many facets to cybersecurity, and joining me today to discuss how risks are evolving, what's going on in the area of ransomware attacks and some common mistakes companies can make when it comes to protecting their data is Christa Johnson, team lead for cyber at Gallagher Bassett. It's so great to catch up with you today, and thank you for joining us, Christa.

Christa Johnson (01:20):
Thank you for having me, Patti. I'm so excited to be here.

Patti Harman (01:24):
Well, this is just such an interesting topic and there's so much to talk about in the cyber space. So let's start with ransomware. How is it evolving and are you seeing more attacks, fewer claims, or a change in the types of claims that are coming out?

Christa Johnson (01:43):
Yes, definitely. So we are definitely seeing an increase in ransomware claims right now, especially up since 2022. A lot of people attributed the slowdown back then to the Russia-Ukraine war, and there was some government intervention that is improving things. So we had Hive, which was taken down by the FBI; we had BlackCat last year, which was interrupted briefly. So these efforts are starting to have an impact on the ransomware landscape. However, the numbers are up, especially in 2023-2024; ransomware is just starting to become even more lucrative. It's becoming more available, and we're going to talk about all of that. But yeah, the numbers are up, extortion payments are up. I read that there was over a billion dollars in ransomware payments just in 2023.

Patti Harman
It's just amazing to me to hear that.

Christa Johnson (02:46):
I know, it's crazy. And so all of these extortion payments are made in cryptocurrency, which means we have more insight into what's being paid, but also crypto is becoming more popular. You can pay such large sums of it. Ransomware is definitely taking back its crown of being the most popular claim, unfortunately, overtaking business email compromise, other types of data breaches, et cetera.

Patti Harman (03:03):
So let's continue that line of conversation then. What trends are you seeing with ransomware? Are there certain industries or businesses that are being targeted and are there even certain ways that they're being affected at this point?

Christa Johnson (03:19):
Oh yeah, definitely. So ransomware is contributing to more claims, more losses, but this is not just extortion payments. So sometimes you see people are not paying extortion payments anymore, which is great because they're doing all the things that we're going to talk about later. But the losses hit so many different insuring agreements on the policy. So you have data recovery costs going up, you have business income loss going up, and so these are all going to continue to grow, unfortunately. So you're seeing so many more attacks on critical infrastructure. This is a huge, unfortunate trend in ransomware. So you're seeing threat actors identifying these companies that multiple companies rely on, resulting in basically these claims that we refer to as vendor incidents. So the vendors relied upon by the insured, and the threat actor identifies that company and takes them down, i.e. Change Healthcare, CDK.

(04:19):
These industries rely upon the software or the program, and if that company gets hit, you have all of these claims coming in: breach response, dependent business income loss, again, hitting multiple insuring agreements on the policy. We're also seeing a general growth of knowledge and sophistication amongst the threat actors. Many years ago, we went from poorly written emails and low demands, like $10,000, $15,000, to now we have chatbots and customer service people, and they say, oh, well, we've reviewed the documents and we know that you have X amount available to you, so please come back to us with a better negotiation. And it's all clear. It's super easy to read. It's honestly wild, and literally some ransomware groups have HR departments. Another business that we're seeing getting attacked a lot is manufacturing. We have these supply chain issues, and delays mean they're going to be able to demand more money to get things going.

(05:21):
Professional services, healthcare, obviously huge ones. There's so much sensitive data and it's worth more. And education, finance. We're also seeing an uptick in what's called ransomware as a service. So you have one affiliate that develops the malware, and then they allow other affiliates to use it, and then the originating group gets part of the ransom. So some of these are easy to send out, and so they're doing more frequent attacks with lower demands. But some of these entities are pretty picky about who can use their malware, and those result in the larger demands, larger ransoms, and they're just more sophisticated software.

Patti Harman (06:08):
So it's become big business in a way that you wouldn't want it to develop actually.

Christa Johnson (06:13):
Exactly. Which I think I'll say this probably multiple times, but if it can happen, it will. So if it could develop into something extremely lucrative and extremely sophisticated, it was going to and it is and it's going to keep going.

Patti Harman (06:28):
Yeah, I've been covering it for probably about 10 years now, and I am just astounded at the way that it has evolved over the last decade or so. Are threat actors getting smarter and adapting more quickly as companies improve their defenses then?

Christa Johnson (06:43):
Oh, definitely. Yeah. There's so many different ways now for threat actors to get in. They're still exploiting vulnerabilities. They're still, and more efficiently, leveraging remote services. The Remote Desktop Protocol is, not easy, but it's becoming an easy way for people to get in. Covid made it so we can work from home. So we all have these remote desktop protocols that we use so that we can get into Citrix, we can get into whatever we use to work. And so the attackers find these RDPs, as we call them, find the usernames and passwords on the dark web or however they get in, and they basically brute force their way in. So they're trying all of these passwords, all of these usernames, and so stop using the same password that you use for everything else, everybody.

(07:33):
And then sometimes they get in just like... wait. I mean, a lot of times now we're seeing RDPs are basically protected through VPN and secured by MFA, which is multifactor authentication, which we'll talk about later. But yeah, the RDP, so some people have open RDP where they don't have MFA and they don't have VPN, and I mean everyone I talk to is like, turn that off, figure out how to secure it. We also have zero-day vulnerabilities. There are security gaps that exist before the company can send out a patch. So do your patches when you're told to, everyone, but threat actors can take advantage of those. We're also seeing, and this is one of the more interesting slash detrimental changes, is that we're seeing a shift from encryption-based tactics to data exfiltration and extortion. So encryption requires more technique. Sending out the decryptor takes time.

(08:30):
Sometimes the decryptors don't work, but making the switch to exfiltration and release is more efficient for criminals. Ultimately, these people are criminals, and so what they're always going to do is what's easiest for them. So when they get in, they can start exfiltrating data very slowly, and a lot of times you don't see it. Sometimes they'll use programs that are native to your network, and so they're exfiltrating this data slowly and eventually they have X amount of gigs of data, and then they're saying, okay, well, we've been here, and so here's the ransomware and we've already taken what we need to take, here's how much we want. And so moving toward a sort of exfiltration and extortion tactic, typically it's not putting you down for so long because they already have the data, but you are still forced to consider if you're going to pay for that or not.

Patti Harman (09:26):
Yes, because they've already taken it and it is just amazing to me how much they have refined their tactics over the years and just really gotten it down to we know what to do, we know how to do it, we know how to press your pain points, all of these different things. And given all of that, are companies getting better at backing up their data and generally protecting their assets now?

Christa Johnson (09:51):
Oh, definitely. I think everyone's getting a lot better. There's so many directives out there now for how to protect yourself. The White House put something out back in 2021 even about how to protect yourself from ransomware. Again, there's just so many things that you can be doing, and I think people are taking it more seriously now. I think cyber insurance is being taken a lot more seriously now as opposed to it used to be a nice to have, now it's a need to have. So I do think companies are getting a lot better at backing up their data and just taking backups more seriously. I remember I used to work at a law firm and we had our little backup on a little tiny drive, and we would do it every day, and now however many years later, it's like, oh, that was actually great practice taking your tiny little drive. She would put it somewhere else. There was no way anyone could ever access that backup drive.

Patti Harman (10:50):
And you only have to lose your records once to realize that some of these redundancies are far more important than you ever gave them credit for.

Christa Johnson (10:59):
Exactly.

Patti Harman (11:00):
So, are there still common mistakes though that they're making or areas where they're leaving data? Are their companies vulnerable to attacks, do you think?

Christa Johnson (11:09):
Oh, definitely. I mean, I could go on forever about things that you need to do to improve your cyber resilience, things that you need to do to improve your cyber hygiene. So I'll just get into it now because I think it's really important. So my number one is more training. You have to train your employees, you have to teach them what these emails look like. You have to teach them what could potentially be popping up on their phones. You have to teach everyone everything, because human error is the number one reason threat actors are getting in. So more training, continuous risk management internally. Take it seriously internally, have a risk management committee. Have a risk management team whose focus is to make sure your network is safe, not just IT. Everyone just relies on IT: IT can do it, IT can fix it. But dedicate some of those IT resources to an actual risk management team. Get cyber insurance, obviously. Endpoint detection and response.

(12:14):
So it's software that manages your endpoints, and most people have it, but sometimes it's not being monitored or it's not up to date. So if it pings that there's something wrong, then no one sees the ping. It's like it didn't ping at all. Patch management, obviously. If you hear back from your software providers that you need to update or do your patches, do it immediately, literally immediately, because the threat actors also heard that there's a patch that needs to be applied and they're going to get in there. MFA at this point should be table stakes. Ultimately, however, Change Healthcare was because there was no MFA on an account. So I will continue to preach MFA, and not just having it on, but enforcing it, until we stop seeing large-scale attacks as a result of no MFA. Sometimes people are like, well, it's annoying to me or I don't want to have it on, and it's like, too bad. I saw a meme the other day that said, I have given up two years of my life to multifactor authentication, and I reposted it on LinkedIn and I said, it's worth it. It's really worth it to protect the company, to protect the data.

(13:31):
People need to take MFA very seriously. It is literally like having the key to your house and locking the door. You can have a key, but if you don't lock the door, what's the point?

Patti Harman (13:41):
Yeah, that's true. I know, and I understand that people are irritated because it does make it take longer, but I use it for, I think, just about every account that I can have it on; I have added that. And I think it just makes it harder. It's like putting a club on your car. It just makes it a little bit harder to steal it, and if they're really intent, yes, they will get it, but don't make it easy for them. For sure. Are there certain types of attacks that companies are more concerned about? We've talked about data breaches and ransomware. Does one concern them more than the other, or is there something we haven't even discussed yet that companies are like, ooh, this is something else that I've been watching at this point?

Christa Johnson (14:29):
I think all attacks, everyone should be concerned about, small to large, because some of them have the potential to be huge. Some of them can be absolutely devastating, and when you're leveraging human error, you have to be aware of everything. Human error is literally nearly a hundred percent of the reason why you would see a cyber attack: someone clicked a link, someone approved a weird MFA request. So I think that it's important to be aware of all potential attacks, and I know we get claims where we'll have people come in and say, oh, well, it wasn't that big of a deal, they got into one inbox, whatever, but if they got into one inbox, they might be able to get into 50 inboxes. So I think they're all important, and the cyber hygiene you have to have speaks to pretty much all potential attacks. I know a lot of people are worried right now about potential cloud attacks hitting the big guys like AWS and Google Cloud. But I think yes, while you should remain vigilant about that, the only way to protect yourself is by taking your own personal cyber tactics seriously. So yes, say that happens, but if you have ironclad protection at your company, you're doing the best you can. You can't control if another company who has your data has an attack, has a data breach. It's going to happen. It's always going to happen. That's why I say get cyber insurance. But yeah, I think you should just continue to maintain your vigilance for all types of attacks.

Patti Harman (16:05):
Right? Yes, very true. So we're going to take a short break now and we'll be back in just a few minutes...Welcome back to the Dig In podcast. We're chatting with Christa Johnson, team lead for cyber at Gallagher Bassett. And Christa, how does the increased use and adoption of AI put companies at greater risk of a cyber event?

Christa Johnson (16:30):
This is a great question. Everyone is very, AI is very top of mind for everyone right now just because, I mean, it's in its infancy, so we're learning all of the widespread applications that AI has, and if it's being used for good, it's also being used for bad. So the sophistication in the internet scams has significantly increased. I know we all used to get those poorly worded emails saying, send me $500, and now these emails that you get, you don't even know they're scams anymore. They look extremely real. AI deepfakes have made initial attempts at accessing networks cleaner and even more convincing. I mean, even the emails that are from a completely different email address, where if you look, you maybe can see that it's not the CEO asking you to go buy the gift cards from Apple, but it looks exactly the same. It sounds like that person, especially when they're using AI to kind of make it fit that person.

(17:33):
And so it's just so convincing. You're like, oh, well, I thought this was XYZ CEO. And so I was at a conference a few weeks ago and we were talking about the threat actors using AI to scrape LinkedIn for people who work there, what systems are used; it's all in the job description. So when they know that XYZ company uses these systems because they're looking for an engineer, an IT person who has experience with these systems, they know what they need to do to get into that company. Now they know this company has X system, so we're going to try to use the vulnerabilities that we know about that system. Maybe they didn't patch their vulnerabilities in that software. It's just so much more information for threat actors to use.

Patti Harman (18:23):
Wow, that's a kind of sobering and scary thought that they're using it that way, but it...

Christa Johnson (18:29):
Can be done.

Patti Harman (18:30):
Yes, yes, you're right. It can. On the flip side, does their use and adoption of AI also give companies a better opportunity to maybe identify and preempt some of these attacks?

Christa Johnson (18:43):
Definitely. Like I said, AI can definitely be used for good. So we can use AI to bolster some of these tactics that we've already talked about, enhancing the software that we're using, enhancing notification for when patches need to be used. Ultimately, I think AI is going to assist in the efficiency of most processes and companies. So it's definitely going to be assisting in the cybersecurity processes, and I think we're already beginning to see it and it's just going to grow even more.

Patti Harman (19:19):
Yeah, there are just so many different facets of it to take into consideration. And it's interesting when I talk to other editors within our company, they're saying, oh, well they're adopting AI in this line of business or in this one, but insurance seems to be slower. And my answer is always because insurers are covering the risks that the rest of your companies are going to be exposed to. So there's a lot more that comes into play before we automatically adopt something where there's a lot more to consider. I think. Are you seeing an improvement in terms of cyber hygiene, like consistent patching, which we've talked about, better training, better controls as companies become more cyber savvy then?

Christa Johnson (20:03):
Oh, definitely. So having more cyber hygiene, which I love that phrase, it's a non-negotiable at this point, not only to become insurable. So a lot of these underwriting applications are getting larger and larger because we have to know what's going on within your company in terms of your cyber hygiene. And so you're not just doing all of these to become more insurable. You're doing all of these steps to avoid a potentially catastrophic loss. Insurance can only keep you so far. If you have something terrible that happens and you exhaust your tower, the rest of that's on you. And so I think year by year companies are taking cyber attacks more seriously because ultimately it's the only option. It's not if you're going to get attacked, it's when.

Patti Harman (20:53):
So true. Is there anything that really concerns you at this point in cyberspace, certain trends, or increased attacks on infrastructure, which you mentioned earlier, or threat actors becoming bolder in their attacks?

Christa Johnson (21:09):
Definitely. The vendor incidents that we talked about earlier are, I think, one of the biggest things that I'm most worried about, especially this year. We've had so many of them, and if we've had this many this year, we're going to have double next year. So the ability of the threat actors to identify these critical companies and then take them down is very concerning to me. And so Change Healthcare honestly was hopefully a wake-up call to everybody, because it was so vast and devastating. And like I've been saying, if a threat actor can compromise a company, they will, especially those companies that are so integral to society. I'm genuinely surprised more hospitals have not been taken down, more nuclear plants have not been taken down, which I hope speaks to the cyber hygiene of those companies.

Patti Harman (22:05):
Yeah, I am located in Baltimore, and I think two years ago, several hospitals all suffered different cyber attacks, and I started listening to the news reports and as soon as they would say something, it's like, oh, that was a cyber attack. And then you would hear the follow-up report later, and it's like, yes. And there isn't a business anywhere that's really going to be spared, I think. And you're right, if it can be done, it definitely will. Are there recommendations you have for companies to help them improve their cyber resilience?

Christa Johnson (22:36):
Yes, definitely. So like we talked about earlier, get cyber insurance.

(22:42):
MFA, which I again am going to beat to death because it's so important. Get your EDR tools situated, and I do want to take some time to talk about backups. So we talked briefly about backups earlier, but you should be backing up regularly. These backups should be immutable, which means you can't change them after they're done, and they need to be segmented off the network. So I have talked to people about the 3-2-1 rule, where you have three copies of the backup, two types, and one offsite. It's also important to test your backups and do test restores, because if you have your backups and you're doing them regularly and they're off the network, but nobody practices how to bring them back up or no one knows how to access them, they're useless. And also give your backups a special password, not just one that, if a threat actor gets into the environment and then goes to a spreadsheet that's marked passwords and your password for the backup is in that, or they find that you use the same password for everything that's internal at the company, they're going to be able to get into your backup and they're going to try to delete it.

(23:59):
They're going to try to compromise it. So backups are so important. Backups are the number one way for a company to get back up after a ransomware attack, so they're so important. Another thing that we talk about is developing a plan for verifying wire payments. We are seeing so much wire fraud and so much social engineering fraud. I guess it depends on what the policy calls it, but you need to have a plan to verify new instructions from vendors. And I see that people only set up a plan to verify instructions after they get hit. So do it before. Maybe you got hit a long time ago and you never changed your tactics. Change your tactics today, set it up today, and make sure everyone taking payments or involved in changing instructions knows what they're supposed to be doing. Additionally, incident response planning. Everyone should have an incident response plan. Everyone should have a hard copy of that plan in case the entire network's down. You need to know who you're supposed to be calling. You need to know what you're supposed to be talking about and know who you need to call. If it's your cyber insurance, if it's whomever you need to call, make sure you know who they are and that you're not reliant on just their emails, because it's potential that all of your emails will be down. And then, like I said, so much training. Please, please train. Do phishing exercises, do tabletops, just train.

Patti Harman (25:28):
Yeah, that is so important. I remember talking to an executive a couple of years ago about the attacks where they were impersonating CEOs and having somebody in their accounting department move money, and I just remember him going, oh, no. And for a company that operates internationally or that has offices all around the country, that becomes a real threat, because you may not see people, and so then everything is done by email or whatever, and they can get an email that says, oh, so Frank wants me to send money to this new vendor and this is where I should send it, and they may not think that I should double-check and make sure that this is really a legitimate request. So it's interesting how quickly these things can spread without people even realizing it. Are there risks that you're watching or things that companies should be monitoring in the next, and I'll just say six to 12 months, because it just is changing so rapidly now?

Christa Johnson (26:34):
Yeah, honestly, all of the attacks just continue to get worse. The threat actors are growing in sophistication, growing in knowledge. They know who they need to hit and they will take the time to hit that company or those companies or those industries because they know they can get the most money out of it, and they know they can get the most bang for their buck. Sometimes threat actors will take the easy way out in terms of social engineering. They can churn through those, but if it's worth a big payout, like some of these huge attacks where they're going to take the time and they're going to take the energy, they're going to take the HR department, they're going to do it. So all companies should be taking their cyber hygiene, their cyber steps so seriously and just continue to be proactive in terms of doing what you can before you get attacked.

(27:33):
Plan for all of these things. Do your patches, have your MFA enforced, do your trainings. Just, I think as long as you plan for everything, you'll be as safe as you can be, right? Again, it's not if, it's when, so take it seriously, doing what you need to do before you get attacked. It's great that after you get attacked, you have cyber insurance, hopefully, but get the cyber insurance. So you have to do something first before it happens. Take it seriously and hopefully the impact won't be as great because of all the steps that you've taken on day one as opposed to what's happening on day 60.

Patti Harman (28:11):
And I think a lot of times companies don't realize the benefits that come along with having cyber insurance. I mean, you have access to a lot of expertise and individuals who can kind of help you navigate the aftermath of a cyber attack. So that's another important reason to consider having that. We've covered so much over the last few minutes. Is there anything that I haven't asked you that you think our audience should know about cyber risks?

Christa Johnson (28:40):
I think I've hit a lot of these points, but I'm going to say them again. It's not if, it's when. Make sure you're taking the cyber health of your network seriously and doing everything that you can to protect yourself. Train your people, get cyber insurance. Do all the things that will protect you or will mitigate the losses that you have when this day does come.

Patti Harman (29:06):
Great. Thank you so much, Christa, for sharing your insights with our audience. Thank you for listening to the Dig In podcast. I produced this episode with audio production by Kellie Malone Yee. Special thanks this week to Christa Johnson of Gallagher Bassett for joining us. Please rate us, review us, and subscribe to our content at www.digin.com/subscribe. From Digital Insurance, I'm Patti Harman, and thank you for listening.