Not long ago, the corporate world was enthralled with the promise of digital transformation. But in the midst of the digital revolution, people were paying less attention to security than they probably should have. The business advantages of digital transformation may be obvious. So how do we account for the associated security risks and costs? Today, along with increased connectivity, endpoint proliferation and the SaaS explosion, attack surfaces have expanded exponentially.

The average cost of a data breach in the U.S. is $9.44 million. In light of this eye-popping figure, is more connectivity worth it? Or is it merely part of the entrance fee to remain competitive as a modern-day business? You didn’t need auto insurance or anti-lock brakes before cars were invented. Still, if you want to move at modern speeds, these things are essential.

For a company, staying viable isn’t free either. But is digital transformation worth it security-wise?

Paving the way for threat actors

In every way, the technology we’ve developed and deployed has set the stage for the current cyber crime explosion. If there were no email, there would be no phishing — which skyrocketed by 569% in 2022. If industrial plants and communications weren’t heavily connected online, there would be much less critical infrastructure risk. In the past, the only way to hack a factory was from the inside. Machine controls weren’t connected to the cloud since it didn’t even exist.

Most organizations now host a combination of interconnected IT, OT and IoT devices in their networks. This has increased their attack surface significantly. Forescout data shows that nearly 24% of connected devices in every organization are no longer traditional IT. The growing number and diversity of connected devices in every industry present new challenges for organizations to understand and manage risk exposure.

During the pandemic, everyone scrambled to increase their online presence and reach. Some estimates place the overall average spending for enterprise digital transformation at $27.5 million. Imagine trying to pull off a digital transformation without APIs, SaaS, software, social media, emails and messaging apps. And all these are major highways for attackers to invade, disrupt and pilfer valuable assets.

If we add the digital transformation cost to the cost of a single breach, the total approaches $40 million. Hopefully, revenues have outpaced this increased spending. Meanwhile, the burden of these costs eventually impacts the overall economy.

Who’s responsible for cybersecurity?

We could debate forever if the push for more connectivity is worth it. But rather than getting bogged down in a philosophical debate, other more practical questions come to mind. For instance, who’s responsible for security? Should companies have to fend for themselves? Or should software creators and vendors be held responsible? If a breach occurs due to a third-party vulnerability, who should pay for the damages?

Recently, the White House unveiled its new National Cybersecurity Strategy. The Biden administration is proposing measures that encourage secure development practices. And there’s a push to transfer liability for software products and services to the large corporations that create and license these products. This shift would not impact open-source application developers, who often contribute to technology innovation.

Some industry insiders are wary of legislation that holds software manufacturers liable. New liability laws could make software manufacturers reluctant to share information if their products are discovered to have an exploited vulnerability.

Developments in cybersecurity insurance

If incident rates and damages are increasing, you can be sure that insurers are paying attention. In August 2022, the world’s largest insurance marketplace, Lloyd’s, asked all cyber insurers selling through its platform to rewrite their policies. Lloyd’s now requires that standalone cyberattack policies include a clause excluding liability for losses arising from any state-backed cyberattack. This move will likely embolden non-Lloyd’s carriers to exclude coverage for war-related cyber incidents as well.

Meanwhile, as insurance companies grow more wary about risk, the cost of insurance is rising. The average price for cyber insurance in the U.S. rose 79% in the second quarter of 2022. And this was after the cost more than doubled during each of the previous two quarters.

Insurers seek to limit systemic and aggregated cyber losses in one of two ways: by the scale of loss or by the type of peril, explained Julian Miller, partner at law firm DACB. Lloyd’s, for example, has taken a peril approach, such as with the state-backed cyber exclusion. Chubb, on the other hand, has chosen to constrain cover for systemic or aggregated losses through policy limits and retentions, although it explicitly excludes cyber war, as per Miller.

“From an insured’s perspective, [an infrastructure outage] is exactly the time they need protection. These are the incidents that disrupt an insured’s business, and insurers are writing them out,” Miller said. Some insurers even deny coverage for companies that don’t measure up to certain security standards.

Security is central to business decision-making

A single security breach might cost you more than $9 million. Cyber insurance rates are rising, and catastrophic incidents might not even be covered. And the government continues to increase pressure on companies to report cyber breach incidents. Cyber risk factors can even impact a company’s credit rating. Given all these developments, it’s crystal clear that security concerns are core business concerns.

In today’s environment, companies must improve their security tools and strategies to remain viable. Even simple measures such as employee cyber awareness training and proactive patching go a long way. Today, decision-makers must carefully consider security issues before adding anything new to their tech stack, not after. And threat intelligence enables companies to understand where the real risk is emerging among the vast security chatter out there. Finally, an overall migration to zero trust might separate those who survive the continued onslaught of attacks from those who don’t.

Long gone are the early days of the digital transformation wave. Back then, just saying it was “encrypted and secure” sufficed for some. Increasingly, buyers are going to want some kind of proof or guarantee about code integrity and the business logic behind any new application. How all this will impact innovation and growth is anybody’s guess.
