Hackers getting ‘more creative’ as partial controls leave insurers exposed - KPMG, Microsoft

Attackers are evolving faster, exploiting gaps in controls as insurers push for full implementation, visibility and stronger cyber risk discipline


By Branislav Urosevic

Cyber attackers are getting “more creative” and faster, while many organizations still treat basic controls like multi‑factor authentication as optional, senior leaders from KPMG and Microsoft have warned – a gap that leaves insurers increasingly exposed.

“I think it’s pretty transparent in the room that things are going faster, harder, and there is… a feeling of no relief,” said John Ryan (pictured centre), national security officer for Microsoft Canada, during a fireside chat with KPMG’s Guillaume Clément (pictured right) at the NetDiligence conference. “I’m both excited and terrified in this sense, and I think a lot of the folks in this field feel that same way.”

Ryan pointed to the recent “ClickFix” campaign, where attackers didn’t send malicious attachments at all, but instead persuaded users to copy and paste commands into a terminal themselves. Once you see it, he suggested, it seems obvious – but it’s the kind of simple, high‑impact trick that somehow didn’t emerge for years.

Attackers “have a very real return on investment,” Ryan added. “They have a motivation… I think it is in all of our best interest to bring a little bit of our own creativity to the fore… you have to really enjoy imposing costs on your adversaries… you have to be almost malicious in return.”

Yet on the defensive side, Clément said many organizations – including insureds – are still relying on partial deployment of controls that were never designed to be used at 80 or 90 per cent coverage, particularly when it comes to multi‑factor authentication and endpoint detection.

Clément said that the gap is showing up in real‑world incidents across industries.

“It’s not a matter of, is MFA enabled now, or is EDR deployed,” he said. “It’s a matter of, is MFA enabled on every account. We’re facing a lot of attacks right now where there’s one or two, or just a few accounts where MFA was not enabled.”

Those straggler accounts – often service accounts, executives, legacy users or contractors – are where threat actors are getting in, he warned. Yet many cyber insurance questionnaires still frame key controls as simple yes/no questions.

“We’ve been investing and implementing controls for years now,” Clément said. “I think we’ve all done the 80/20 approach, or the 90/10 approach, knowing that the last 20% is very expensive, very demanding. I think, as an industry, we need to aim more at 100% efficiency – 100% implementation of any control at any time.”
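The point Clément makes above, that "is MFA enabled?" is the wrong question and "is it enabled on every account?" is the right one, can be made concrete by measuring control coverage instead of recording a yes/no answer. The following is an added example, not code from the article, KPMG or Microsoft: it runs over a constructed identity and endpoint inventory (the column names and sample rows are assumptions; a real export would come from an identity provider and EDR console) and reports, per control, the coverage percentage and the straggler accounts grouped by the kinds the article names (service, executive, legacy, contractor).

```python
"""Measure control coverage rather than answering "is MFA enabled?" yes/no.

Constructed inventory for illustration (not real data): one row per principal,
with the state of each control that applies to it. Column names are assumptions
made for this example; map them to whatever your IdP / EDR exports actually use.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export. "n/a" under edr_sensor means no endpoint is
# associated with the principal (e.g. a pure service account).
INVENTORY_CSV = """\
principal,kind,enabled,mfa_enforced,edr_sensor
alice,user,true,true,healthy
bob,user,true,true,healthy
carol,executive,true,false,healthy
svc-backup,service,true,false,n/a
contractor-7,contractor,true,false,missing
legacy-vpn,legacy,true,false,n/a
dave,user,false,false,stale
erin,user,true,true,stale
"""

# control name -> (applies-to predicate, is-covered predicate)
CONTROLS = {
    "mfa": (lambda r: True,
            lambda r: r["mfa_enforced"] == "true"),
    "edr": (lambda r: r["edr_sensor"] != "n/a",
            lambda r: r["edr_sensor"] == "healthy"),
}


def parse_inventory(text: str) -> list[dict]:
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def in_scope(rows: list[dict]) -> list[dict]:
    """Only enabled principals count toward the denominator; a disabled account
    is not an attack path today, so it should not dilute the coverage figure."""
    return [r for r in rows if r["enabled"] == "true"]


def coverage(rows: list[dict], control: str) -> tuple[float, list[str]]:
    """Return (coverage percentage, list of principals lacking the control)."""
    applies, covered = CONTROLS[control]
    scoped = [r for r in in_scope(rows) if applies(r)]
    gaps = [r["principal"] for r in scoped if not covered(r)]
    total = len(scoped)
    pct = 100.0 * (total - len(gaps)) / total if total else 100.0
    return pct, gaps


def gaps_by_kind(rows: list[dict], control: str) -> dict[str, list[str]]:
    """Group uncovered principals by account kind, so the report shows whether
    the stragglers are service accounts, executives, legacy users or contractors."""
    applies, covered = CONTROLS[control]
    out: dict[str, list[str]] = defaultdict(list)
    for r in in_scope(rows):
        if applies(r) and not covered(r):
            out[r["kind"]].append(r["principal"])
    return dict(out)


def questionnaire_answer(rows: list[dict], control: str) -> dict:
    """Contrast the yes/no questionnaire view ("enabled": any coverage at all)
    with the coverage view an underwriter would actually want to see."""
    pct, gaps = coverage(rows, control)
    return {"enabled": pct > 0, "coverage_pct": round(pct, 1), "uncovered": gaps}


def meets_bar(rows: list[dict], control: str, required_pct: float = 100.0) -> bool:
    """True only when coverage reaches the required bar (default: 100%)."""
    return coverage(rows, control)[0] >= required_pct


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY_CSV)
    for name in CONTROLS:
        print(name, questionnaire_answer(inventory, name))
        print("  by kind:", gaps_by_kind(inventory, name))
        print("  meets 100% bar:", meets_bar(inventory, name))
```

On the constructed data, MFA answers "yes" to the questionnaire question while covering only about 43% of enabled principals, with every gap sitting on exactly the kinds of accounts the article lists; EDR shows the same pattern with a missing sensor on a contractor host and a stale one on a user's. Running this against a real export on a schedule, and treating anything below the bar as a finding, is one way to give an insurer the "live visibility on controls" the article calls for.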

Ryan said Microsoft is seeing the same picture globally: organizations that believe they have controls in place, but lack visibility into coverage and effectiveness.

“It’s not easy to run an organization where you have a thousand people and one security guy,” he said. “We’ve always assumed baselines and foundations are easy, and they’re not.”

He urged buyers – and their insurers – to look beyond whether controls exist on paper and ask how they are monitored and enforced.

Clément argued that cyber insurers, brokers and assessment firms will need to evolve quickly as AI‑driven attacks proliferate. Standard questionnaires focusing on whether MFA or endpoint tools are technically “in place” are no longer enough, he said.

“The next step is, how do you ensure that the MFA is well deployed, 100% deployed, on every user?” he said. “I think we should ask about, what are the visibility mechanisms that you have – any data or any live visibility on controls. This is, I think, the next step, and we need to find a way to go there.”

The same applies to other safeguards, from endpoint detection and response to data loss prevention, he added. Security buyers might have licences and products, but insurers should be challenging how those platforms are configured, used and maintained over time.

Behind the technical details, both speakers said the human and governance side remains a major bottleneck. Boards and executive teams may now accept that cybersecurity is critical, but CISOs still spend much of their time “selling” basic investments and behavioural change inside their own organizations, Clément noted.

“It’s a big challenge,” he said. “As a CISO or CIO… you need to do a sales job first. You need to convince someone to invest. You need to convince your colleagues to apply some good behaviours. It’s kind of an endless challenge.”

Ryan said Microsoft is trying to make it easier for resource‑constrained organizations by offering more opinionated security baselines and automated “predictive shielding” that can turn on certain protections ahead of an attack based on telemetry. But he also called for a shift in mindset – particularly among those who have not yet lived through a serious incident.

“We publish all these articles, threat intelligence profiles, and I will speak with technical leaders who haven’t really internalized the pain of having gone through being victimized,” he said. “Once they do, this conversation is very easy – we just tell them what they need to do and they do it. If you can figure out how to bottle up that feeling, let me know, because that’s what we need to sell. We need to sell the pain, the fear, the frustration, the anger, so that we can direct it toward things that are productive, that will make Canada safer.”
