August 3, 2023 By Jonathan Reed 4 min read

Not long ago, the corporate world was enthralled with the promise of digital transformation. But in the midst of the digital revolution, people were paying less attention to security than they probably should have. The business advantages of digital transformation may be obvious. So how do we account for the associated security risks and costs? Today, along with increased connectivity, endpoint proliferation and the SaaS explosion, attack surfaces have expanded exponentially.

The average cost of a data breach in the U.S. is $9.44 million. In light of this eye-popping figure, is more connectivity worth it? Or is it merely part of the entrance fee to remain competitive as a modern-day business? You didn’t need auto insurance or anti-lock brakes before cars were invented. Still, if you want to move at modern speeds, these things are essential.

For a company, staying viable isn’t free either. But is digital transformation worth it security-wise?

Paving the way for threat actors

In every way, the technology we’ve developed and deployed has set the stage for the current cyber crime explosion. If there were no email, there would be no phishing — which skyrocketed by 569% in 2022. If industrial plants and communications weren’t heavily connected online, there would be much less critical infrastructure risk. In the past, the only way to hack a factory was from the inside. Machine controls weren’t connected to the cloud since it didn’t even exist.

Most organizations now host a combination of interconnected IT, OT and IoT devices in their networks. This has increased their attack surface significantly. Forescout data shows that nearly 24% of connected devices in every organization are no longer traditional IT. The growing number and diversity of connected devices in every industry present new challenges for organizations to understand and manage risk exposure.

During the pandemic, everyone scrambled to increase their online presence and reach. Some estimates place the overall average spending for enterprise digital transformation at $27.5 million. Imagine trying to pull off a digital transformation without APIs, SaaS, software, social media, emails and messaging apps. And all these are major highways for attackers to invade, disrupt and pilfer valuable assets.

If we add the digital transformation cost to the cost of a single breach, the total approaches $40 million. Hopefully, revenues have outpaced this increased spending. Meanwhile, the burden of these costs eventually impacts the overall economy.

Who’s responsible for cybersecurity?

We could debate forever if the push for more connectivity is worth it. But rather than getting bogged down in a philosophical debate, other more practical questions come to mind. For instance, who’s responsible for security? Should companies have to fend for themselves? Or should software creators and vendors be held responsible? If a breach occurs due to a third-party vulnerability, who should pay for the damages?

Recently, the White House unveiled its new National Cybersecurity Strategy. The Biden administration is proposing measures that encourage secure development practices. And there’s a push to transfer liability for software products and services to the large corporations that create and license these products. This shift would not impact open-source application developers, who often contribute to technology innovation.

Some industry insiders are wary of legislation that holds software manufacturers liable. New liability laws could make software manufacturers reluctant to share information if their products are discovered to have an exploited vulnerability.

Developments in cybersecurity insurance

If incident rates and damages are increasing, you can be sure that insurers are paying attention. In August 2022, the world’s largest insurance marketplace, Lloyd’s, asked all cyber insurers selling through its platform to rewrite their policies. Lloyd’s now requires that standalone cyberattack policies include a clause excluding liability for losses arising from any state-backed cyberattack. This move will likely embolden non-Lloyd’s carriers to exclude coverage for war-related cyber incidents as well.

Meanwhile, as insurance companies grow more wary about risk, the cost of insurance is rising. The average price for cyber insurance in the U.S. rose 79% in the second quarter of 2022. And this was after the cost more than doubled during each of the previous two quarters.

Insurers seek to limit systemic and aggregated cyber losses in one of two ways: by the scale of loss or by the type of peril, explained Julian Miller, partner at law firm DACB. Lloyd’s, for example, has taken a peril approach, such as with the state-backed cyber exclusion. Chubb, on the other hand, has chosen to constrain cover for systemic or aggregated losses through policy limits and retentions, although it explicitly excludes cyber war, as per Miller.

“From an insured’s perspective, [an infrastructure outage] is exactly the time they need protection. These are the incidents that disrupt an insured’s business, and insurers are writing them out,” Miller said. Some insurers even deny coverage for companies that don’t measure up to certain security standards.

Security is central to business decision-making

A single security breach might cost you more than $9 million. Cyber insurance rates are rising, and catastrophic incidents might not even be covered. And the government continues to increase pressure on companies to report cyber breach incidents. Cyber risk factors can even impact a company’s credit rating. Given all these developments, it’s crystal clear that security concerns are core business concerns.

In today’s environment, companies must improve their security tools and strategies to remain viable. Even simple measures such as employee cyber awareness training and proactive patching go a long way. Today, decision-makers must carefully consider security issues before adding anything new to their tech stack, not after. And threat intelligence enables companies to understand where the real risk is emerging among the vast security chatter out there. Finally, an overall migration to zero trust might separate those who survive the continued onslaught of attacks from those who don’t.

Long gone are the early days of the digital transformation wave. Back then, just saying it was “encrypted and secure” sufficed for some. Increasingly, buyers are going to want some kind of proof or guarantee about code integrity and the business logic behind any new application. How all this will impact innovation and growth is anybody’s guess.
