Have you ever felt like the news about cyberattacks is just a constant, overwhelming drumbeat? One day it’s a hospital, the next it’s a major retailer. It’s easy to feel a little numb to it all, or worse, feel like it’s just too big of a problem to even think about.
But here’s the thing: we have to talk about it. Because the game has seriously changed.
This isn’t about lone hackers in hoodies anymore. We’re up against organized, professional operations that look a lot like legitimate businesses—with R&D departments, customer service (for negotiating ransoms!), and clear business goals. And right now, business is booming for them.
I was chatting with Dominic Keller, who heads up Global Cyber Services at QBE Insurance, and he put it bluntly: “This year, we’ve seen more activity by cybercriminals than in previous years, and their sophistication has increased dramatically.” He mentioned that his team is discussing new threats almost daily. It’s not just more of the same; it’s a whole new level of intensity.
So, let's pull back the curtain and talk about what’s really going on, who’s at risk, and most importantly, what you can actually do about it.
The Storm Isn't Just Coming—It's Here
Jack Tolliday, a Threat Intelligence Specialist at QBE, described the current situation as “particularly eventful and busy.” His job is basically to understand what the bad guys are capable of, who they’re targeting, and why. And what he’s seeing is a clear, continuous evolution in their skills.
Think of it this way: if you build a taller fence, they don’t just give up. They start learning how to build taller ladders or dig tunnels.
Here are a few of the biggest shifts we’re seeing:
The Supply Chain is a Giant Welcome Mat
Remember when you only had to worry about securing your own four walls? Those days are long gone. Keller pointed out that one of the biggest changes is the risk from your technology supply chain. Every vendor, every partner, every third-party app you use is now a potential doorway into your network. You might have the most secure front door in the world, but if your window installer left a window unlocked, you’re still vulnerable.
Social Engineering is Frighteningly Good Now
We all love to laugh at those old phishing emails with terrible grammar and unbelievable stories. Well, the criminals have gotten a lot better at English… and psychology.
“They operate with incredible sophistication, demonstrating strong English skills and very capable methods of network infiltration,” Keller noted. These new attacks are designed to manipulate human behavior. They can be so convincing that even your most security-savvy employees can get tripped up.
And now, with AI in the mix, things are getting even wilder. We're talking about deepfakes, voice-cloning for vishing (voice phishing), and hyper-personalized smishing (SMS phishing) attacks that are incredibly hard to spot.
They’re Tampering with Your Defenses
This one really gets me. As companies get better at defending themselves, attackers are adapting. Tolliday mentioned that they’re finding ways to tamper with IT security tools or use a compromised employee’s identity to move around a network. It’s like a burglar who not only picks your lock but also disables your alarm system on the way in.
A Target-Rich World: Who's in the Crosshairs?
While it’s true that everyone is a potential target, cybercriminals are strategic. They focus their efforts where they can cause the most disruption and get the biggest payout.
Here’s a quick look at who they’re really after, according to Tolliday:
- Manufacturing: This is a huge target. Why? Because if you can lock up a factory’s systems with ransomware, you cause massive operational downtime. Every minute the line is stopped, money is being lost, which gives them huge leverage to demand a ransom.
- Retail: Another sector that’s seeing a lot more attention. Think of all the customer data, payment information, and complex logistics systems they manage. It’s a treasure trove.
- Professional Services: Law firms, accounting firms, consultants—you name it. They’re targeted because of the incredibly sensitive client data they hold.
- Technology: This one’s a double-whammy. Tech companies are targeted by both criminal ransomware groups and nation-state actors for different reasons.
And don’t forget about healthcare and education. Despite some criminal groups claiming they won’t hit hospitals, it still happens all the time.
Keller made a couple of points that are crucial to remember. First, these criminals are opportunistic. Just because your industry isn’t on the “most targeted” list doesn’t mean you’re safe. Second, while the U.S. is still the biggest target geographically, the problem is global. We're seeing huge, multi-million dollar attacks happening all over the world.
The motivation behind almost all of this? Simple extortion. “Ransomware is absolutely the top threat in terms of impact and scale on organizations,” Tolliday said. Encrypting systems and bringing a business to a dead stop is their most powerful weapon.
Time to Build Your Defenses (And It's Not as Hard as You Think)
Okay, that all sounds pretty grim. But please, don’t feel overwhelmed. The truth is, you can make yourself a much, much harder target by focusing on some core fundamentals. It’s not about having impenetrable, futuristic defenses. It’s about being prepared, resilient, and smart.
Get Your Business Ready for a Bad Day
Before you even think about technology, you need to think about your business. Keller calls this "business readiness." Do you truly understand the financial, operational, and reputational damage a major cyberattack could cause?
This means having a real plan. It’s like having a fire escape plan for your office. You don’t just hope a fire never happens; you practice the drill so everyone knows what to do. Running tabletop exercises where you simulate an attack is a fantastic way to see where your weak spots are.
Your People Are Your First and Last Line of Defense
This is probably the single most important piece of advice I can give. “The vast majority of cyber attacks still begin with human error—someone clicking a link or inadvertently opening a gateway for cyber criminals,” Keller explained.
You can have the best tech in the world, but it won’t matter if your team isn’t trained to spot a threat. Regular, engaging, and up-to-date training isn’t a “nice-to-have”; it’s an absolute necessity.
Know Your Data, Protect Your Data
Do you know what your most critical data is? Not just customer lists, but the data that’s absolutely essential for your business to function.
Keller says the leading organizations are laser-focused on this. They know what their "crown jewels" are, they know where they live, and they have specific plans to protect and monitor them. It’s about smart data governance, not just trying to protect everything equally.
Nail the Technical Basics
From a tech perspective, you don’t need to reinvent the wheel. Tolliday stressed the importance of getting the basics right. As an insurer, these are the first things we look for:
- Multifactor Authentication (MFA): Just turn it on. Everywhere. It’s one of the most effective single things you can do.
- Patch Your Systems: Keep everything updated. Attackers love to exploit old, known vulnerabilities.
- Endpoint Protection: Have good, modern anti-virus and anti-malware on all your devices.
- Good Backups: Have backups that are tested, reliable, and—this is key—kept separate from your main network so they can’t be encrypted in an attack.
You Don't Have to Face This Alone
Here's where the relationship between businesses and their insurance partners has really evolved. It’s no longer just about cutting a check after something terrible happens. It’s about being a true partner in risk management.
Your insurer can be an incredible resource before an attack ever happens. Many now offer threat intelligence services, access to security experts, and resources to help you build up your defenses. For example, at QBE, the cyber team has partnered with vendors to offer specialized training that simulates those scary vishing and smishing attacks.
The goal is to balance what you can do in-house with expert help from the outside. As Tolliday put it, it's about upskilling your own team as much as possible, but knowing when to bring in specialists for the things you can't handle.
Ultimately, resilience is the name of the game. It’s about how you prepare before an incident and how you react when one occurs. “Resiliency really boils down to how you react when an event occurs, which is where insurance and the specialists we work with can help if the worst should happen,” Keller concluded.
So yes, the threats are real and they’re getting more complex. But by focusing on the fundamentals, training your people, and working with strategic partners, you can build a defense that is strong, smart, and ready for whatever comes next.
