Not long ago, the corporate world was enthralled with the promise of digital transformation. But in the midst of the digital revolution, people were paying less attention to security than they probably should have. The business advantages of digital transformation may be obvious. So how do we account for the associated security risks and costs? Today, along with increased connectivity, endpoint proliferation and the SaaS explosion, attack surfaces have expanded exponentially.
The average cost of a data breach in the U.S. is $9.44 million. In light of this eye-popping figure, is more connectivity worth it? Or is it merely part of the entrance fee to remain competitive as a modern-day business? You didn’t need auto insurance or anti-lock brakes before cars were invented. Still, if you want to move at modern speeds, these things are essential.
For a company, staying viable isn’t free either. But is digital transformation worth it security-wise?
Paving the way for threat actors
In every way, the technology we’ve developed and deployed has set the stage for the current cyber crime explosion. If there were no email, there would be no phishing — which skyrocketed by 569% in 2022. If industrial plants and communications weren’t heavily connected online, there would be much less critical infrastructure risk. In the past, the only way to hack a factory was from the inside. Machine controls weren’t connected to the cloud since it didn’t even exist.
Most organizations now host a combination of interconnected IT, OT and IoT devices in their networks. This has increased their attack surface significantly. Forescout data shows that nearly 24% of connected devices in every organization are no longer traditional IT. The growing number and diversity of connected devices in every industry present new challenges for organizations to understand and manage risk exposure.
During the pandemic, everyone scrambled to increase their online presence and reach. Some estimates place the overall average spending for enterprise digital transformation at $27.5 million. Imagine trying to pull off a digital transformation without APIs, SaaS, software, social media, emails and messaging apps. And all these are major highways for attackers to invade, disrupt and pilfer valuable assets.
If we add the digital transformation cost to the cost of a single breach, the total approaches $40 million. Hopefully, revenues have outpaced this increased spending. Meanwhile, the burden of these costs eventually impacts the overall economy.
Who’s responsible for cybersecurity?
We could debate forever if the push for more connectivity is worth it. But rather than getting bogged down in a philosophical debate, other more practical questions come to mind. For instance, who’s responsible for security? Should companies have to fend for themselves? Or should software creators and vendors be held responsible? If a breach occurs due to a third-party vulnerability, who should pay for the damages?
Recently, the White House unveiled its new National Cybersecurity Strategy. The Biden administration is proposing measures that encourage secure development practices. And there’s a push to transfer liability for software products and services to large corporations that create and license these products. This shift would not impact open-source application developers, often contributing to technology innovation.
Some industry insiders are wary of legislation that holds software manufacturers liable. New liability laws could make software manufacturers reluctant to share information if their products are discovered to have an exploited vulnerability.
Developments in cybersecurity insurance
If incident rates and damages are increasing, you can be sure that insurers are paying attention. In August 2022, the world’s largest insurance marketplace, Lloyd’s, asked all cyber insurers selling through its platform to rewrite their policies. Lloyd’s now requires that standalone cyberattack policies include a clause excluding liability for losses arising from any state-backed cyberattack. This move will likely embolden non-Lloyd’s carriers to exclude coverage for war-related cyber incidents as well.
Meanwhile, as insurance companies grow more wary about risk, the cost of insurance is rising. The average price for cyber insurance in the U.S. rose 79% in the second quarter of 2022. And this was after the cost more than doubled during each of the previous two quarters.
Insurers seek to limit systemic and aggregated cyber losses in one of two ways, both in terms of the scale of loss or type of peril, explained Julian Miller, partner at law firm DACB. Lloyd’s, for example, has taken a peril approach, such as with the state-backed cyber exclusion. Chubb, on the other hand, has chosen to constrain cover to systemic or aggregated losses through policy limits and retentions, although it explicitly excludes cyber war, as per Miller.
“From an insured’s perspective, [an infrastructure outage] is exactly the time they need protection. These are the incidents that disrupt an insured’s business, and insurers are writing them out,” Miller said. Some insurers even deny coverage for companies that don’t measure up to certain security standards.
Security is central to business decision-making
A single security breach might cost you more than $9 million. Cyber insurance rates are rising, and catastrophic incidents might not even be covered. And the government continues to increase pressure on companies to report cyber breach incidents. Cyber risk factors can even impact a company’s credit rating. Given all these developments, it’s crystal clear that security concerns are core business concerns.
In today’s environment, companies must improve their security tools and strategies to remain viable. Even simple measures such as employee cyber awareness training and proactive patching go a long way. Today, decision-makers must carefully consider security issues before adding anything new to their tech stack, not after. And threat intelligence enables companies to understand where the real risk is emerging among the vast security chatter out there. Finally, an overall migration to zero trust might separate those who survive the continued onslaught of attacks from those who don’t.
Long gone are the early days of the digital transformation wave. Back then, just saying it was “encrypted and secure” sufficed for some. Increasingly, buyers are going to want some kind of proof or guarantee about code integrity and the business logic behind any new application. How all this will impact innovation and growth is anybody’s guess.