Smart insurers know 90% of hacks come from skipping the basics

'Everyone wants to go to the sexy new tools with blinking lights,' warns cyber expert

By Emily Douglas

This article was created in partnership with BOXX Insurance. 

In the shiny world of cybersecurity, it’s tempting to chase the latest buzzword or marvel wide-eyed at cutting-edge defence tools. Artificial intelligence, zero-trust frameworks, and ‘next-gen’ platforms dominate headlines. However, in the trenches of cyber insurance, a quieter, more pragmatic picture is emerging, one that trades futuristic sheen for the unglamorous fundamentals that stop most attacks before they start.

Speaking to Insurance Business, Jack Brooks, head of Hackbusters – BOXX Insurance's advisory, prevention, and response team – explained that a re-emergence of old-school vulnerabilities accounts for the overwhelming majority of breaches.

“I’m seeing two approaches here,” Brooks said. “Some insurance companies are reducing the number of questions and the number of controls they’re asking for, and there are others that are staying put. Essentially, when it comes to the vast majority of cyberattacks, it really boils down to the basics.”

And the data supports Brooks’ assertions. Research from Hoxhunt found that organizations with over 1,000 employees face an 83% to 97% chance of being targeted by a business email compromise (BEC) attack every single week, while firms with over 50,000 employees have an almost 100% chance of experiencing one BEC attack in the same time frame.

‘Everyone wants to go to the sexy new tools with blinking lights’

“Technically, they’re somewhat unsophisticated, maybe a little more sophisticated if they’re automated or use AI to make phishing emails grammatically correct and images properly sized, but the smart money is doubling down on those basic controls,” added Brooks.

And those controls aren’t exotic. It’s about multi-factor authentication (MFA), strong endpoint protection, regular segregated backups, and ensuring cloud platforms like Microsoft 365 or Google Workspace are patched and properly configured.

“Everyone wants to go to the sexy new tools with blinking lights,” Brooks added. “But it’s still the basics that, comfortably 90% of the time, have bitten somebody and allowed a criminal to get in.”

Many breaches, Brooks noted, stem from risks people don’t think about or anticipate. For brokers and underwriters, this means going beyond application forms.

“A big part of what we try to do is educate brokers,” he explained. “It sounds daunting, but it’s really not. You can build up a little bit of knowledge — like, have you looked at multi-factor authentication since you implemented it five years ago? Are you still using text messages? Did you know criminals can intercept those tokens and reuse them?”

Brooks’ team often joins broker-client conversations to explain exactly how criminals are utilizing these fairly basic attacks to get into businesses just like theirs. The real shift, he argued, is toward dialogue.

“Don’t just count on the questions on an application. If you’re not able to have that conversation, find someone you can work with who will help you have it. Antivirus from five years ago was great at stopping threats from five years ago. It’s absolutely terrible today.”

The hardest part, Brooks admitted, is convincing organizations to act before disaster strikes. Here, he told IB, it comes down to talking.

Myth: Only small businesses fly under the radar of cyber crime 

“Helping small and medium-sized business owners realize they’re the ones most under attack. There’s still a huge stigma. After an attack, I’ll say, ‘I know this stings. You probably feel embarrassed. But talk about your experience.’ Most people aren’t going to have a particularly negative opinion – it’s in the news all the time. All the big kids are getting hit.”

The myth he fights most is the idea that small businesses fly under the radar. As he told IB, no one’s too small to be attacked – you’re only too small to make the news.

“Criminals are okay getting $100,000 from a small business if it only took them 30 minutes because the gaps weren’t closed. Think of the large MGM attack a couple of years ago – it took criminals years to get in. For a small business, they can conduct dozens, if not hundreds, of attacks in the same timeframe and make as much or more money.”

And while AI is hyped as the next frontier, Brooks sees it as an accelerant, not a revolution. “AI and various tools give criminals velocity. They can speed up their attacks and hit more people. But the attacks themselves haven’t really changed.”

This is why Hackbusters’ prevention strategy focuses on constant improvement.

“Have you continuously improved your controls? Because MFA from five years ago isn’t the same as MFA today. Antivirus isn’t enough. It’s about evolving with the threat.”

In an industry still adapting to the unpredictable nature of digital risk, Brooks sees insurers falling into two camps – those relaxing standards, and those doubling down on essentials. The latter, he argues, are better positioned to weather the storm.

“Smart insurance companies are focusing more on how most businesses get compromised. It’s not the Hollywood-style hacks. It’s someone clicking a phishing email, or a system left unpatched. It’s not about ticking boxes. It’s about conversations that lead to real security improvements. The reality is that for most organizations, their actual risk profile hasn’t caught up with the scary headlines.”
