The Center for Data Innovation spoke to Darren Thomson, Head of Cyber Security Strategy at CyberCube, a cyber risk analytics platform specializing in insurance solutions. CyberCube combines data analytics, machine learning, and risk and actuarial science into a software tool for insurance companies. Thomson spoke about how insurance is responding to the digital revolution, trends in the digital risk landscape, the role of AI in combating online threats, and how open societies should respond to growing cyber risks.
Ben Mueller: Can you talk a bit about the background of CyberCube—how did the business come into being, and what do you aim to do?
Darren Thomson: CyberCube is a SaaS technology company, with a strong pedigree in cybersecurity and technology and deep expertise in insurance. Born out of the world’s leading cybersecurity company, Symantec, CyberCube has strong financial backing and governance from cybersecurity and insurtech specialist investors and is positioned to build the leading platform for powering profitable cyber insurance growth.
Cyber risk presents the greatest opportunity insurers have had in over a century. In a world with billions of Internet-of-Things devices, the explosion of data and the automation of industries, cyber risk will reshape risk, the economy and society, and therefore the entire insurance industry.
Our products help the cyber insurance market to grow profitably through the use of our cyber risk analytics tools. We aim to give insurers the ability to take insight-driven risk decisions, see trends before they become claims and tackle complex and important challenges.
Mueller: What are some of the key trends in cyber risk, and how can businesses adapt to this fast-evolving threat landscape?
Thomson: Key trends in cyber today include the emergence of new threat actor types, specifically, the emergence of “as-a-service” models to enable criminal gangs to leverage mature malware and ransomware solutions and deploy them rapidly. In addition, emerging attack types such as “double-exploitation ransomware”, where data is both encrypted and exfiltrated from a target, are keeping us and our clients very busy. New attack models, focusing on software supply chains and “single points of failure”, are also of concern today. Insurance businesses and enterprises need to invest in research and modelling capabilities to stay abreast of these trends so that both underwriting practices, for insurers, and security controls, for enterprises, can be modified to stay ahead of the game.
Mueller: What role does AI play in the cyber threat landscape, particularly with regards to “social engineering”?
Thomson: In the broadest context, “social engineering” is a defined domain within social sciences that focuses on efforts to influence particular attitudes and social behaviours. In recent years, there has been recognition that social engineering plays a huge part in the execution of cyber security attacks. Using computer systems to engage in psychological trickery has already proved to be fruitful for today’s cybercriminals and innovation in this area should be expected to continue.
Criminal investment in cyber now focuses on the application of AI and automation, with millions of social profiles being built on demand and with the ability to tailor this activity to the specific needs of the criminal.
The injection of vast scale into socially engineered attacks will have a couple of effects. Firstly, the cybercriminals will be able to take advantage of a law of averages to ensure the return of investment for the attack. The more people are targeted, the more likely the criminal is to see a return. Secondly, we will start to see large accumulations of loss since the attacks now systematically target hundreds or even thousands of businesses, in parallel. This is a dynamic that should be of great interest and concern to the insurance industry.
Mueller: How can open societies strengthen their resilience against systemic cyber threats?
Thomson: Society at large needs to do a better job of working and sharing collaboratively to combat these society-impacting issues. The criminal fraternity actually does a good job of sharing best practices and working collaboratively on innovation. There are lessons to be learned here. In addition, the security industry has still not cracked the issue of user education and enablement, although some good progress has been made in areas such as phishing simulation. Lastly, the power of data and analytics is still not fully understood or appreciated by those who seek to lower their cyber risk posture. This is apparent both in the insurance industry and in enterprises.
Mueller: What role does the insurance industry play in the face of these new threats?
Thomson: The insurance market will need to consider advances in social engineering when developing attack scenarios. For example, deep fake technology could destabilize political systems (perhaps on a global basis) as communications constructed from the technology become indistinguishable from the real thing. This same technology could impact the financial markets and the reputation of large corporations.
Technology can play its part in mitigating cyber risks but to understand the nature of the threat, it is important to understand the actors behind it. Multi-disciplinary experts across data science, cyber security, software engineering, actuarial modelling, the military and commercial insurance will increasingly play their part in helping to understand the psychology and motivations behind social engineering approaches.