Aiming at A Moving Target

In a perfect world, all business threats would hold still so you could shoot them down one by one. That’s not the world we live in, though. Today, most threats to a company’s proprietary information and bottom line are moving targets — as soon as one threat is dealt with, a new one appears.

And in the cases of menaces created by cybercriminals, they are constantly evolving to evade countermeasures and exploit unanticipated vulnerabilities.

Advances in digital technology and the advent of AI have made the job of bulletproofing a business against cyberincursions vastly more complex.

“These days, I think in just about any business, you have to ask: what are the ramifications of cyberrisk?” said Grinnell Mutual President Dave Wingert. “There’s just so much more risk and exposure now than there used to be, and for everyone the risk has grown exponentially. Technology changes so quickly and the minute you think you’ve got it figured out, you’re behind.”

Looming Threats

Ever more rapid technological advances have produced an environment in which every business — of any type or size — is reliant on digital systems to function. This has produced tangible benefits. According to an April 2025 report from the Interactive Advertising Bureau, in the U.S. alone, the digital economy has surged to $4.9 trillion, helping create 28.4 million domestic jobs.

The downside of this digital bonanza is vulnerability to criminals who use technology to commit crimes on an equally massive scale. The FBI’s Internet Crime Complaint Center’s 2024 Annual Report (the latest available), notes that complaints during the reporting period came into the center at a rate of 2,000 per day, which represented a jump of 9 percent over the previous year.

And losses to the U.S. economy were notched at a staggering $16.6 billion. The bulk of the damage has stemmed from cases of fraud, with ransomware (software used to extort money by blocking access to applications or files on a computer system until a ransom is paid) posing the most pervasive threat to critical infrastructure.

More often than not, the fallout from a cyberattack isn’t just a dent in a business’s bottom line. It’s ruin.

According to Nicole Chesmore, Grinnell Mutual’s assistant vice president for Information Technology, “Based on industry data and my own experience in the field, the rule of thumb is that most sizable organizations, if they experience a significant data breach — especially one involving AI-powered attacks — are unlikely to make it five more years.” Chesmore’s judgement is informed by over 25 years of experience in cybersecurity. “The evolving capabilities of artificial intelligence have fundamentally altered the threat landscape, making recovery even more challenging for businesses,” she said.

Cybercriminals looking for a big payday are most likely to go after big targets: supply chains, heavy industry, educational and public administration institutions, health systems, and other businesses with more than $50 million in revenues.

However, small and medium-size enterprises — which describes most of Grinnell Mutual’s commercial policyholders, mutual member companies, and affiliated agencies — with fewer than 1,500 employees and annual receipts between $2.25 million and $47 million, are often targeted. In fact, the most recent studies found that annually, 46 percent of U.S. cyberattacks target businesses with fewer than 1,000 employees. Further, the data show that in 2024, 75 percent of small businesses were somehow affected by cyberattacks and only 14 percent of businesses with 1 to 250 employees are adequately prepared for these incursions.

“The bad guys are no longer Nigerian princes trying to get you to give them your banking information,” said Paul Carroll, editor of Insurance Thought Leader magazine. “There are people doing very sophisticated deep fakes, mounting phishing attacks that may use a simulated voice that sounds exactly like your boss, telling you to transfer money right away or else.”

AI as a Threat Multiplier

According to a recent survey out from industry analyst Cowbell, “The cybersecurity landscape is advancing at an unprecedented pace and not only are new threats popping up, but the integration of various AI models is also driving further development of the attacks. This can be from open-source generative AI and large language models such as OpenAI’s ChatGPT… as well as from AI built specifically for threat actor groups.”

Chesmore affirmed that AI has had a significant role in the recent dramatic escalation in cybercriminal tactics. “Over the past two years, data indicate a staggering 1,200 percent surge in cyberattacks leveraging AI-driven methods,” she said.

In addition to constituting a threat in itself, AI can increase the potency of existing avenues of cybercrime. According to Insurance Thought Leader’s Carroll, “With AI, [hackers are] able to scrape data from social media, websites, and other places, which improves their ability to get to [you] and make [you] think that they're somebody they're not.”

“If they’re using AI, hackers don’t even need to know how to hack,” said Chesmore. “They just tell the program what they want to do, and it does the rest. What we’re seeing now is a gamechanger. Anyone, regardless of technical skill, can use AI to launch complex attacks. The barrier to entry is almost gone. That’s what makes today’s threats so much more dangerous and unpredictable.”

Best Practices

Although this scenario may seem bleak, Chesmore says there are powerful tools available to both companies and individuals. Interestingly, the greatest threat to a hacker using AI could be an IT expert equipped with AI designed to combat them.

“Our cybersecurity and AI solutions are designed to detect deviations from established baselines, accelerating analysis and enabling targeted investigation of anomalies,” she said.

Chesmore stresses, though, that AI can’t be the only weapon in anyone’s cybersecurity arsenal.

“Organizations must prioritize patch management and robust encryption protocols,” Chesmore emphasized. “Ensuring multi-factor authentication is enabled for all login processes is essential. Regular password updates, along with leveraging biometrics and other advanced security tools, are critical components of a comprehensive defense strategy.”

Chesmore also underscored the importance of workforce readiness as a powerful asset in combating cyber threats. “Continuous employee education is fundamental,” she said. “Phishing attacks have evolved to become highly convincing, making it increasingly difficult to distinguish legitimate messages from fraudulent ones. It’s not just obvious errors like spelling or formatting anymore. To defend against these sophisticated tactics, companies need staff who are trained to identify them and respond appropriately.”

The ABCs of Protection

Distinguishing between vulnerability and a threat is step one to staying secure. “When I explain security measures to people, I tell them there’s a difference between the vulnerability and the threat,” said Dr. Haider Qleibo, Grinnell Mutual’s director of Information Security. “Vulnerability is like a broken window in my house that someone might come in through. Threat is the gang of bad actors in the neighborhood who know about the window and want to march in.” Cyber protection, he explained, goes beyond patching the window; it detects intruders who slipped through and purges them from the premises.

In today’s threat landscape, no single solution fits all. “In countering the threat, we need to understand that there’s no such thing as a one-size-fits-all security solution,” Dr. Qleibo said. “Each threat has its own mitigation. We look at threats as a landscape. Effective security starts with mapping this terrain. We need to secure our systems, determine what categories of attacks we might be susceptible to, and pinpoint where our valued information is stored and how to secure it.”

Dr. Qleibo cautioned that the job’s not necessarily done when a company’s perimeter is under guard, because not all threats are external.

“Data must be safeguarded not only against external threats but also from internal risks,” he said. “This requires rigorous access controls: determining precisely who requires access to specific information and ensuring that access is granted on need-to-know basis. For instance, Claims department personnel may need access to policy data or claim files, whereas the Procurement department has no legitimate business need for such information.”

The P&C Industry’s Response

“It’s hard for most of us to imagine the mindset that drives these cybercriminals,” said Wingert. “Their exploits create an atmosphere where you feel you can’t trust anyone.” Given the aggressive and ever-evolving nature of cybercrime, designing insurance products that protect the insured against the dollar-cost of data incursions has been, and remains, a challenge.

The property-casualty industry has responded with two main categories of cybersecurity insurance: first-party coverage and third-party coverage. First-party coverage indemnifies businesses against costs incurred during the investigation of data breaches, income lost during the incursion and its aftermath, cost of data recovery, and the public-relations campaigns and customer communications necessitated by the crisis.

Third-party claims cover expenses incurred by parties external to the business that claim to have been affected by the crime, including customers or partners. This coverage also extends to legal costs and fines that may be levied if it is determined that the company violated privacy law.

Grinnell Mutual’s Response

Tonya Boos, Grinnell Mutual’s Reinsurance product manager, provides an inside view of CyberProtection™, the insurance product the company began providing in late 2023 to mutuals that are supporting their communities’ farms and individuals.

“Our primary goal in developing CyberProtection was to close the gaps that exist between traditional insurance policies and the types of losses created by modern cyber incidents,” said Boos. “Our package strongly supports best practices like patching, encryption, and secure configurations, achieved through education, coaching, and incident support.

“It transfers financial risk when failures occur. In the future we plan to expand proactive risk management features such as real-time monitoring, AI-based fraud alerts, patch prompts, and configuration checkups, so our coverage aligns even more closely with recommendations.”

As director of Grinnell Mutual’s commercial underwriting department, Kama Small oversees the company’s Cyber Liability and Breach Response Coverage, which the company developed in partnership with Beazley, a worldwide leader in technological and information security risks.

“Our focus in developing our Cyber Liability and Data Breach Response package was creating a product that would help insureds manage every stage of a cyber event,” Small said. “Businesses today are entrusted with sensitive personal and private information — about their customers, their employees, and often their vendors. With cyberthreats on the rise the way they are, it’s no longer a matter of if an attack will occur, but when.”

Small emphasized that Grinnell Mutual’s business-facing product is engineered not merely as a response to incidents of cybercrime but aims to stop the incidents from happening in the first place through a program of loss-control tools and risk-mitigation services.

If anything is clear amid the turbulent atmosphere that burgeoning cybercrime has created, it’s that things won’t be less turbulent anytime soon. However, “Grinnell Mutual is going to continue evolving our coverage to close gaps in new areas of risk that emerge as cybercriminals using AI and Gen AI make more sophisticated attacks,” said Wingert.

Source: totalassure.com, “Cyber Attacks on Small Businesses Statistics 2025,” Nov. 6, 2025