Exfiltration, encryption and extortion: cyber attackers’ three modus operandi
Cyber crooks are evolving more sophisticated, three-pronged attacks to steal organisations’ funds, starting with data exfiltration and encryption, followed by extortion.
Forensic investigator Darren Hopkins, a partner with McGrathNicol, describes a “cyber-threat pandemic” and says threat actors will compromise a system, exfiltrate private and confidential information, then encrypt it and extort a ransom for return of the data and a decryption code.
If no ransom is paid, they auction the data on dark web marketplaces.
“A surge in revenue means threat actors can invest in research and development of new tools to evade detection and bypass security systems,” Mr Hopkins told a webinar hosted by underwriter Emergence Insurance.
Attended by more than 1800 brokers and their clients, the Emergence webinar heard that the attackers are now likely to be organised crime or state sponsored, rather than sole operators. These threat actors engage in professional business correspondence with victims, negotiating deals and spelling out the business risks.
In one case investigated by McGrathNicol, which is a member of cyber specialist Emergence’s incident response team, the threat actor showed a CEO a stolen copy of his company’s own cyber insurance policy.
Threat actors research target companies and tailor their demands according to the business’s ability to pay and the likely impact. They even employ voice actors who speak the victim’s language.
Ransom demands are getting higher because threat actors can also compromise backup systems, leaving victims more exposed. Smaller businesses with low budgets, as well as larger businesses that did not invest enough in the right security and risk management, are vulnerable.
Emergence’s National Head of Sales Gerry Power urges brokers to work with their clients to implement risk management which could potentially reduce their cyber insurance premiums.
Social engineering claims have doubled since 2018, and email vulnerability is the greatest risk to businesses, he said.
“There’s a huge need for employee security awareness training,” Mr Power said. “Employees are the last line of defence and too many still don’t recognise a phishing email or a dodgy invoice.”
Webinar attendees were advised to understand their information assets and data, assess their material risk and vulnerabilities, update backups, classify information assets and third-party arrangements, test breach response plans, ensure logs capture useful information for incident investigations, establish rigorous oversight of outsourced services and conduct continuous awareness training.