Cyber ransom is now seen as the top threat to IT systems, according to a recent survey by Advisen among cyber insurance buyers.

“Holding your network hostage for extortion” was voted the top risk. That was followed by business interruption caused by cyberattacks. Distributed denial of service (DDoS) attacks moved up the risk rankings significantly.

“The financial impact, media fallout, and potential legal issues of such events also likely elevate cyber extortion events above cyber incidents that only cause business interruption,” the report said. “Since DDoS attacks and cyber extortion can both disrupt the normal flow of business operations, those possibilities are top of mind for risk managers.”

Remote risks

Covid-19 has also changed this year’s risk landscape. With many employees working from home, businesses are worried that some may inadvertently infect the organisation with malware. That could arise if staff click on links in phishing emails or visit bogus websites. In previous surveys, bringing one’s own device to work was seen as high risk – but that dropped to the second-lowest threat.

The survey also revealed gaps in staff training in many organisations. Fewer than a third assessed the cyber threat landscape monthly – with one in three doing so only annually.

“Despite recognizing the consequences stemming from cyber events, organizations may not realise how rapidly cyber risks can evolve,” the report said. Over the past twelve months, for example, ransomware actors have shifted to exfiltrating data from their targets. This has turned such events into both extortion/business interruption scenarios and potentially notifiable data breaches.

“Assessing risk exposure should be performed annually at a minimum, but organisations should more regularly monitor for new threats in this changing environment,” it said.

Stressed IT staff

Organisations are also struggling to comply with tougher IT security and data privacy regulations, according to a separate study by Telos Corporation – an IT business consultancy.

The survey, which polled 300 IT professionals, found that organisations spend an average of $3.5 million annually on compliance activities, with compliance audits consuming 58 working days each quarter.

Nearly all survey respondents (99 per cent) indicated their organisation would benefit from automating IT security and/or privacy compliance activities, citing expected benefits such as increased accuracy of evidence (54 per cent), reduced time spent being audited (51 per cent) and the ability to respond to audit evidence requests more quickly (50 per cent).