Insurance giant Allianz SE’s annual survey on business risk finds that organizations are most concerned about cyber events going into 2024, once again placing it as their top risk category above business interruption and natural catastrophes.
The survey includes the views of 3,069 risk management experts in 92 countries, and is now in its 13th year. This is now the third year in a row that cyber events have been the leading concern, but the category has tended to swap in and out of the top risk spot with business interruption since 2018 (the first year in which it ranked #1).
Continuing concern about cyber events driven by ransomware resurgence, attacks on critical infrastructure
There are many obvious reasons for cyber events to be the top risk concern, as many different segments of cyber crime continue to grow and flourish. But the survey finds several specific concerns that are keeping cyber events in the top risk spot: the continued strong presence of ransomware attacks, increasing impacts on physical assets and critical infrastructure from hacking, and the size and scope of data breaches.
Concern about cyber events and business interruption tend to be intertwined to a great degree, with the two categories either placing at the top or in the top three for over half a decade now. This year’s survey saw cyber events gain more ground as the clear top risk category, however. It came in as the top concern in 17 countries, with data breaches the leading concern within the category. It was also the universal top risk across company sizes for the first time in the survey’s history.
Ransomware never really “went away,” but a massive spike that accompanied the Covid-19 pandemic had appeared to be returning to more “normal” pre-pandemic levels. 2023 saw something of a resurgence in this area, however. One of the key drivers is the expansion of ransomware-as-a-service outfits, particularly the more common availability of cheap prefabricated “kits” aimed at would-be affiliates who do not have much technical skill. Most of these attacks also now include a data extortion component, and some major ransomware gangs have shifted to simply extorting stolen data and not even bothering with deployment of the ransomware.
Another driver is the use of AI. As generative tools like ChatGPT began emerging at the end of 2022, cyber criminals immediately started making creative use of them. One of the leading uses is to polish and fine-tune phishing emails and messages in languages that the attackers are not necessarily fluent in. Scam attempts look more credible, and threat actors are also using AI to help write code for their custom tools and malware. The use of deepfake video and audio is also expanding as capabilities in these areas improve.
The intermingling of business and personal devices that began during the pandemic has also seemed to embed itself as a trend. Cyber criminals are targeting the generally poorer state of security on personal devices as a point of entry to business networks, often profiling particular employees via sites like LinkedIn and deploying custom malware aimed at their specific devices.
George McGregor, VP of Approov, expands on this point: “It’s no surprise that companies see cyber incidents as their biggest concern. Allianz highlights poor mobile device security in particular as a key risk factor. Companies should evaluate and address this key attack vector as a priority – the basic security provided by App stores processes and tools is not enough. The mobile ecosystem is complex and evolving quickly, but there are simple and effective solutions which can protect mobile apps and APIs and prevent them being an open door for hackers.”
Cyber events are also a top risk because companies simply cannot field enough staff to provide their desired level of protection. The cybersecurity workforce gap stands at about four million people and is growing rather than diminishing, even as there are net year-over-year gains in new qualified personnel coming available. The workforce is adding substantial amounts of people, but demand is so great that it continues to outpace these additions.
Top risks becoming more acute for small-to-medium enterprises
While cyber events notably clocked in as the top risk category for all sizes of business, the danger seems to be disproportionately increasing for small-medium outfits. A growing “resilience gap” has pushed threat actors to target smaller businesses than they had in prior years, and these businesses tend to have less capacity to recover when hit. Use of AI to automate various functions is also making it more profitable for criminals to spend time on less lucrative targets.
Troy Batterberry, CEO and Founder of EchoMark, notes that pressure to outsource is also a factor: “It’s clear that businesses must prioritize a defense in depth approach against data breaches and infrastructure attacks, particularly as ransomware continues to be a top extortion method. Coupled with the global growing gap in cybersecurity expertise, the rising trend of IT outsourcing particularly impacts smaller companies and requires a strategic approach to risk management – forcing an urgent call for investment in cybersecurity training and education, and development of more intuitive, AI-driven security solutions to bridge the resource gap and bolster defenses.”
Mark Cooper, President & Founder of PKI Solutions, adds that businesses with limited budgets should look to proven defenses: “In today’s complicated cyber security market, there are far too many vendors claiming to have the solution to a corporation’s cyber security issues. The truth is, complexity in security isn’t doing any corporation any favors. Most of the tried-and-true security solutions that have been available for years are still quite valid, but they need to be constantly reviewed and monitored. Adding another new security solution on top of a poorly implemented security solution is actually counterproductive.”
Cyber events and business interruption tend to dominate the chart as of late, but the annual survey generally sees substantial movement by other categories from year to year in light of world events. “Natural catastrophes” surged to the third position on the top risk list this year, due to record-setting temperatures (and accompanying fires) around the world and the largest insurance bill on record for damage from severe thunderstorms. And while climate change did not move much from its position in prior surveys, it did become substantially more of a concern among smaller countries and those with developing or troubled economies.