The escalation in cyber-attacks on IT and physical supply chains signifies a growing threat landscape. Cybercriminals are diversifying their tactics, notably through ransomware, to extort companies by stealing sensitive data, thereby elevating the risks of reputational damage and third-party liabilities.
A significant surge in ransomware victims, up to 143% globally in early 2023, underscores the urgency of robust data management practices, according to an Allianz report.
An Allianz analysis of a number of large insurance cyber losses shows that the proportion of cases in which data is exfiltrated is increasing every year – from 40% of cases in 2019 to around 77% of cases in 2022, with 2023 on course to surpass last year’s total.
The more mature industries, and largest spenders, will grow faster than average as they continue to invest in cutting edge security solutions to prevent and fend off ransomware attacks on their distributed workforce and to protect critical infrastructure, which is increasingly connected to the IT network.
According to Moody’s, 23 sectors with about $22 trillion of debt, or 28% of the $80 trillion in collective Moody’s-rated debt associated with 71 global sectors, have High or Very High cyber risk exposure.
Annual cost of ransomware
The projected annual cost of ransomware could reach $265 billion by 2031. This evolving cyber threat environment, compounded by the proliferation of connected devices and the advent of 5G, amplifies the challenges in preventing attacks, according to the Beinsure report Cyber Security Global Trends.
Early detection and rapid response, which mitigate the potentially exponential costs of cyber incidents, are more critical than ever.
The year 2023 has seen notable ransomware activity, with payments to attackers nearing annual records, highlighting the continuous and expanding threat to global cybersecurity.
Preventing a cyber-attack is therefore becoming harder, and the stakes higher. As a result, early detection and response capabilities are becoming ever more important.
An intrusion can quickly escalate, and once data is encrypted and/or stolen, the consequences and costs snowball – costs can be as much as, or even more than, 1,000 times higher when an incident is not detected and contained early.
Top industries ransomware targeted
According to research from IBM X-Force, the average number of days taken to execute a ransomware attack has fallen from 60+ days in 2019 to less than four days in 2021.
In June, ransomware group Clop carried out a successful mass cyber-attack that is thought to have impacted thousands of companies, compromising the data of millions of individuals and businesses. Clop exploited a ‘zero-day’ vulnerability in MOVEit file transfer software to steal data from companies and public sector organizations, threatening to publish the data if they failed to pay a ransom demand.
According to Cybersecurity Spending Trends, the attack affected a number of large corporates, including energy giant Shell, British Airways, broadcaster the BBC, logistics firm DHL, insurer Genworth Financial, as well as the US Department of Health and Human Services and the US Department of Energy.
Genworth Financial alone reported that the personal information of nearly 2.5 million to 2.7 million of its customers was breached. Clop is now the second-largest ransomware group by number of victims.
According to PwC Research, 22% of respondents are executives in large companies ($1 billion and above in revenues); 16% are in companies with $10 billion or more in revenues.
Two-thirds of executives consider cybercrime their most significant threat in the coming year. Cybercriminals, increasingly using off-the-shelf tools, can perpetrate and orchestrate a variety of attacks.
- Fewer than 40% of senior executives say they have fully mitigated the risks their bold moves incurred.
- By their own assessments, CISOs see the need to advance further on five cyber capabilities: identify, detect, protect, respond, recover.
- Senior execs see heightened threats to their organisation and worry they’re not fully prepared to address them.
- In 2023, these challenges loom: mandated disclosures, tests of resilience, and pressure to get data security and privacy right.
Cloud data security-related threats top the list of cyber security concerns that senior executives say will have a significant impact on their organisations in 2023, according to the Ransomware Attacks & Cyber Insurance survey.
Cyber attack is biggest organisational risk scenario
The survey shows that the C-Suite is becoming more aware of how these complex cyber threats, and their potentially damaging impact, can pose a major risk to wider organisational resilience.
50% of senior executives also say they react to a disruption by invoking plans after an incident and focusing on recovery of business operations after a failure or incident, instead of taking a preventative and anticipatory approach that assumes incidents will occur, and embedding resilience capabilities to withstand disruption.
47% say they formally coordinate and integrate business continuity, disaster recovery, crisis management, incident preparedness and response, and threat intelligence.
The reality is that the cyber threats facing private businesses are no different from those facing any other type of organisation. Cyber criminals are essentially opportunistic and will look to attack wherever they see vulnerabilities.
Recent research indicates that 45% of respondents from privately-owned businesses rated cyberattacks as the top threat to their organisation’s growth.
Cybercrime has catastrophic consequences in today’s corporate environment, including revenue and profit loss, brand ruin, erosion of consumer loyalty, competitive disadvantages, and, among other things, crippling lawsuits.
Awareness of cyber risk to organisational resilience grows
Just under half (48%) of UK organisations say a “catastrophic cyber attack” is the top risk scenario – ahead of global recession (45%) and resurgence of COVID-19 (43%) – that they are formally incorporating into their organisational resilience plans in 2023.
That echoes the findings of PwC’s annual CEO Survey, where almost two-thirds (64%) of UK CEOs said they are extremely or very concerned about cyber attacks impacting their ability to sell products and services.
5 scenarios formally incorporated into organisation’s resilience plans (Ranked index)

| Rank | Scenario |
|------|----------|
| 1st | A catastrophic cyber attack |
| 2nd | Global recession |
| 3rd | A resurgence of COVID-19 or a new health crisis |
| 4th | Inflationary environment |
| 5th | Credit crunch / significantly reduced access to capital |

And while business leaders are understandably focused on the immediate threats of inflation, macroeconomic volatility, and geopolitical conflict in the next 12 months, cyber security rises to the top of the list when they take a longer-term view.
25% of CEOs say they believe their business is extremely exposed or highly exposed to cyber risks over the next five years – ahead of inflation, macroeconomic volatility, climate change and geopolitical conflict.
Yet there is more work required to go beyond focusing on just high-priority critical systems for cyber resilience.
Software, the fastest-growing segment, will capture 47% of all cybersecurity spending this year, followed by services at 39% and hardware at 13%, according to IDC’s forecast.
Global security spending will reach $220 billion this year and grow to nearly $300 billion in 2026. Investments in cybersecurity software, hardware and services will jump 15% from 2023 and outperform growth in overall IT spending.
The biggest security spenders this year will include organizations in banking, manufacturing, professional services and federal governments.