- Defense and intelligence officials are bracing for an onslaught of cyberattacks after a U.S. airstrike killed a top Iranian military official
- Attacks from state-sponsored sources on businesses have increased over the past few years
- Global business cybersecurity spending is estimated to have reached $124 billion in the fourth quarter
Cyberattacks, already seen as the top risk of doing business by executives, are likely to receive renewed attention — and spending — as tensions between the U.S. and Iran escalate.
Defense and intelligence officials are bracing for a potential onslaught of attacks from Iranian hackers after a U.S. airstrike killed one of Iran's top military leaders, Qasem Soleimani, at Baghdad's airport on Friday.
"Today's crisis highlights how volatile cyber risk can be, materializing and escalating almost overnight," said Tom Reagan, U.S. cyber practice leader at Marsh, an insurance brokerage and risk management consulting firm.
The possibility of a retaliatory attack should be viewed as an immediate and urgent challenge for businesses, he added.
Last weekend, a group claiming to be Iranian hackers defaced a federal government library website with a violent image depicting President Donald Trump.
The White House and FBI haven't confirmed or commented on the library hack, but if it is Iran's work, it's only a hint of what Iranian's cyber army is capable of.
In a terror alert after the Soleimani strike, the Department of Homeland Security warned of Iran's long history in cybercrime and ability to target critical infrastructure.
"In today's cyber threat landscape, it's not just the military industrial and defense industries that have a legitimate reason to be concerned about cyber terrorism and state-sponsored cyber attacks. Attacks from state-sponsored sources have significantly increased over the past few years for businesses, too," Jordan Mauriello, vice president of managed security at cybersecurity firm Criticalstart, told CNBC in an email.
"From financial services and healthcare to even retail services, targeted attacks against any number of organizations could occur in an attempt to disrupt the U.S. economy," Mauriello said.
U.S. corporations have often been the target of Iran's efforts.
Between 2012 and 2013, Iranian hackers carried out a series of attacks on the largest U.S. financial institutions including Bank of America and Citigroup. Las Vegas Sands Corp. was attacked in 2014 over owner Sheldon Adelson's support for Israel and calls for attacks on Iran.
Recent events between the U.S. and Iran come at a time when businesses have never spent more on cybersecurity, which has ballooned into a massive global industry, expected to have reached $124 billion.
One segment seeing increased focus is cyber insurance. These policies fill in the gaps left by traditional lines, said Tracie Grella, global head of cyber insurance at AIG.
"Cyber insurance policies were designed specifically to cover intangible, non-physical loss caused by a cyber event — loss of data, cyber extortion, loss of business income," Grella said.
According to Reagan, the number of clients looking to add this type of policy has doubled in the last five years, and those already with cyber insurance are looking to up their policy limits dramatically.
"If an organization may have been purchasing $5 to $10 million worth of insurance, today they may purchase $50 to $100 million of insurance," Reagan said, adding this size increase is not unusual in today's climate.
Marsh estimates cybercrime cost the world half a trillion dollars in economic damage in 2018, far more than the $300 billion in economic losses from natural disasters. Yet that same year, U.S. customers spent only $4 billion on cybersecurity insurance premiums, dwarfed by the $180 billion paid for property insurance premiums, suggesting the risk of cyber losses is vastly underestimated.
Experts say the threat to small businesses may be even greater than for large corporations because they often invest less in cybersecurity and are more vulnerable to incursion by malware, Trojan horses or ransomware.
"Traditional anti-virus is simply not enough today." said Mauriello. He advises clients to deploy effective endpoint detection and response tools that can monitor and respond to threats in a timely manner. And he said two-factor authentication is a must.
David Kennedy, a former hacker for the NSA and U.S. Marine Corps, completed two tours in the Middle East, working on signal intel and electronic warfare. Now as CEO of Trusted Sec, he advises clients including the U.S. government, foreign governments and companies.
He warns, "All businesses should be on notice: they could easily become collateral damage as geopolitical crises escalate."