Newsletters
Risk Central
Digital EditionRansomware Surges as Third-Party Risks Expand Cyber Threat Landscape
Technology choices directly impact cyber risk, with poor decisions by companies significantly increasing the likelihood of an attack, while properly implemented security controls demonstrably reduce losses, according to a report by At-Bay based on an analysis of its claims data.
The cybersecurity landscape shifted dramatically in 2024, with three key threat vectors dominating the claims environment. The number of ransomware attacks returned to 2021 levels after lower frequency years in 2022 and 2023, with direct ransomware claims increasing 19% year-over-year. The average severity for these attacks grew 18% to $468,000, making them the costliest incident type for the fourth consecutive year, At-Bay found.
Even more striking is a 43% increase in indirect ransomware — incidents where organizations are impacted by cyber events affecting their vendors or partners. The CDK Global ransomware attack exemplifies this trend, causing substantial business interruption for auto dealerships nationwide. Third-party incidents, once considered an afterthought, now represent a growing share of overall technology risk as businesses increasingly rely on cloud-based solutions, according to the report.
Financial fraud remains persistently problematic, accounting for roughly a third of all claims for the second consecutive year. These attacks primarily exploit email systems to bypass security controls, with the average severity increasing marginally by 3% to $91,000. However, the most severe case involved a company with less than $25 million in revenue suffering a $5.2 million loss, demonstrating the existential threat financial fraud poses to smaller businesses, At-Bay noted.
Technology Choices Create Vulnerability Patterns
The data reveals clear disparities in vulnerability across different business segments. Manufacturing experienced nearly twice the ransomware claim frequency compared to the overall average, a disparity attributable to security technology selection and security culture rather than any single event.
Unlike heavily regulated industries such as health care or financial services, manufacturers typically lack industry-level cybersecurity regulations and often adopt security controls primarily to obtain cyber insurance rather than as part of a holistic risk management approach, according to the report.
Mid-sized companies with revenue between $25-100 million appear particularly attractive to attackers, experiencing a 46% increase in direct ransomware claims and a 20% increase in fraud incidents. These organizations are caught in a security middle ground — large enough to have baseline security controls but lacking the robust administrative and procedural safeguards of larger enterprises, At-Bay noted.
The pandemic accelerated digital transformation at an unprecedented pace, especially technology to support remote work, forcing companies to adopt unfamiliar technologies under pressure. As Microsoft CEO Satya Nadella observed in April 2020, “We’ve seen two years’ worth of digital transformation in two months.”
This rapid adoption often bypassed proper risk assessment, creating dependencies on external companies and technology solutions that have become less resilient over time, according to At-Bay.
“Remote access tools like VPNs and RDP continue to attract a high level of attention from cybercriminals. In 2024, they were correlated with 80% of ransomware attacks, up from 63% the year prior,” said Adam Tyra, chief information security officer for customers at At-Bay. “VPNs alone were a factor in 2 of 3 ransomware incidents. This problem isn’t going away for mid-market businesses. They need to upgrade to safer alternatives or consider getting support with patching and configuration management to lower their risk from operating these tools.”
Effective Security Still Works When Properly Implemented
Despite the evolving threat landscape, fundamental security controls remain effective when properly implemented, the report emphasized. Strong encryption continues to protect data from disclosure, while multi-factor authentication prevents attackers from leveraging compromised credentials. Market-leading Endpoint Detection and Response (EDR) tools managed by competent professionals remain highly effective when other controls fail, At-Bay said.
Email security requires particular attention as attackers shift tactics. While email was cited as the initial entry vector for 43% of all claims, it represented the entry point for 83% of financial fraud incidents but only 6% of direct ransomware claims. This suggests current email security tools effectively block malware attachments but struggle to identify sophisticated fraud attempts — a challenge compounded by generative AI tools enabling attackers to create increasingly credible social engineering emails, according to the report.
As businesses navigate this complex landscape, At-Bay’s message is clear: technology choices matter, security controls work when properly implemented, and both direct and indirect risks require careful management to minimize potential losses in an increasingly interconnected digital ecosystem.
View the full report here. &
