2023 Cyber Resilience Report
This is article 4 of 18 in this Report.
August 01, 2023 / 3 min Read
Cyber Insider Threats are a Growing Business Risk
By 2025, half of all cyber events are expected to be the result of human errors or malicious actions.
Key Takeaways
- Clients transitioned from a “basic” to a “managed” overall insider risk profile in 2022.
- Two in five companies reported a lack of security operations center (SOC) controls.
- Nearly half of all companies have not segregated their end-of-life software from application systems.
Insider risk is a constant concern for businesses. This is because humans, by their very nature, can make mistakes, and threat actors often take advantage of this vulnerability. By 2025, half of all cyber events are expected to be the result of human errors or malicious actions. This is a reality companies need to prepare for.1 New digital business models bring additional challenges. Among these, contingent workers can introduce vulnerabilities, and the increased accessibility of networks to third parties can compromise security.
Phishing remains the most common vector for initial network access, placing the insider – or the employee – at the front line. Advances in social sophistication, user fatigue, and targeted, context-based phishing contribute to the centrality of this risk.2 Cybercriminals continue to shift their methods as they leverage current events. Today, phishing emails that exploit the Ukraine-Russia conflict to solicit an emotional response to the war lead people to click before they think. A new trend is emerging, novel phishing, or led-by-consent phishing, in which attackers trick users into granting permissions to malicious cloud applications. Once clicked, these malicious applications can access legitimate cloud services and users’ data. Training and phishing exercise simulations remain the areas where least investment is made in the field of cyber risk mitigation, despite being the most significant countermeasure to slow down ransomware attacks.3 While certain acts of cybercrime decreased in 2022, data access brokers never ceased gaining unauthorized access to client networks and infrastructure. A trend to watch is data brokers and ransomware actors looking to opportunistically buy data and access from company employees, where vulnerability exploitation is one of the primary methods utilized.4 This trend drives a new insider threat risk where cyber criminals openly look for employees willing to sell a company’s data for personal gain. This evolving risk may include theft of data, proprietary information, intellectual property, and trade secrets.
As system integration and organizational dependence on third parties continue to rise, so will the need for increased insider risk monitoring. Organizations will focus more on the necessity for endpoint detection and response (EDR), security operations center (SOC), and network security. Similarly, the focus on safe work practices and data loss protection will remain if the hybrid workplace remains in place.
Ransomware Supplemental Red Flag Controls Data Findings: Aon Clients Report
Aon’s survey of top insurance providers indicates that data security ranks among the top five domain risks.4 However, a concerning trend emerges when looking at industries across the board: a majority report substantial gaps in their data security controls, highlighting the need for improved cyber security measures. Per CyQu data, scores were slightly higher in governance and data protection as clients transitioned from a “basic” to a “managed” risk profile in 2022. Interestingly, user awareness and training saw the greatest improvement across all data security categories. This trend suggests that continued investment in cyber risk training is not just beneficial, but crucial for businesses seeking to mitigate the escalating threat of insider risk.
CyQu Scores for Data Security
Data Security | 2021 | 2022 | Change |
---|---|---|---|
Data Classification | 2.0 | 2.2 | +.2 |
User Awareness and Training | 2.6 | 3.1 | +.5 |
Data Protection | 2.3 | 2.6 | +.3 |
Governance | 2.3 | 2.6 | +.3 |
Risk Management | 2.0 | 2.4 | +.4 |
CyQu Risk Maturity Scoring
Initial: 1.0 - 1.9
Basic: 2.0 - 2.5
Managed: 2.6 - 3.4
Advanced: 3.5 - 4.0
Nearly half of all companies (47 percent) have not segregated their end-of-life software from application systems, potentially increasing their vulnerability to cyber threats. Further compounding this issue, 40 percent of companies lack necessary SOC controls, intensifying their exposure to insider risk. This data underscores the importance of robust cybersecurity measures in mitigating insider threats. Turning to EDR controls, CyQu data painted a more robust picture, as 70 percent of clients reported that their organization’s EDR covered all of the total workstations.
47%
report end-of-life software is not segregated from applications systems
40%
report lack of security operations center (SOC)
70%
report their organization’s EDR covered 100% of the total workstations
References
1 “Predicts 2023: Cybersecurity Industry Focuses on the Human Deal.” Gartner. Report. 25 January 2023. https://www.gartner.com
2 “ENISA Threat Landscape 2022.” Report. European Union. November 2022. ENISA Threat Landscape 2022 — ENISA (europa.eu)
3 “Global Ransomware Damage Costs Predicted to Reach $20 Billion (USD) by 2021.” Article. Cybersecurity Ventures. Retrieved from https://www.cybersecurityventures.com. Cyber Awareness Training: Success Starts with Meaningful Engagement of People | Aon
4 Trends to Watch: Cyber Q4 2022 Global Markets Insight. Aon. Report. January 2023. Cover – Q4 2022 Global Market Insights (aon.com)
Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.
The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
Managing cyber across six featured risk themes.
This year’s report is a guide for leaders to benchmark their organization’s risk maturity against peer companies and to help make better decisions around managing cyber across six featured risk themes: cyber, operational, supply chain, insider, reputational, and systemic.