By Tom Goodwin
More than half of us expect our businesses to be the target of a cyber attack in the next year. Half of us also think if we were hit, we’d lack the ability to recover.1 Pile on other factors of the evolving threat landscape, and one begins to wonder how the CISOs of the world can get a restful night of sleep.
- Geopolitical: Cybercrime thrives on uncertainty from geopolitical events. Case in point: it soared by 600% at the beginning of the COVID pandemic.2
- Increasing stakes: The average cost of a data breach is $4.35 million,3 and ransomware payments average $570,000.4
- Supply chain vulnerabilities: 19% of attacks are now caused by a supplier getting hit and the impact filtering through to other organizations.3
- Inadequate planning: The first hours in an incident are crucial, yet 47% of companies haven’t tested the readiness of their designated incident response teams.5
- Spiking insurance premiums: Cyber insurance premiums were up 92% in the last quarter of 2021 alone.6
Given the situation, I advise the CISOs I work with to prioritize two actions.
- Plan for the worst; expect regulation to continue to lag and insurance policies to devolve.
- Insist on proactive responsibility for operational resilience across your organization.
Regulation and insurance
Depending on what industry you are in, regulation will differ. But one fact remains consistent throughout: regulation sits far behind where we need it to be to mitigate risk.
The main issue with regulation is that new measures do not come in until after a world-impacting event requires them. Before the devastating events of September 11, 2001, for example, some companies had one data center in the north tower of the World Trade Center and one in the south tower. Regulations now mandate data proximity between two sites so that they are not exposed to the same regional risks.
Yes: regulation lags behind logical standards to mitigate threats, and we must educate the wider business to advocate action that goes beyond meeting the bare minimum.
Insurance companies have already taken notice. Hence the 92% rise in cyber premiums in Q4 of 2021 alone.6 Lloyd's of London insurers announced to their underwriters that from the end of March 2023, state-sponsored attacks will no longer be covered in cyber insurance policies.7
Some companies—such as water utility companies and chip manufacturers—find themselves increasingly uninsurable due to regulation sitting far behind where it needs to be and increasingly high demands from insurance providers on the standards they need to meet.
Too many companies rely completely on their insurance policies to cover the costs of recovering from a cyber incident. If you are a CISO, it has never been more critical to start thinking about how confident you are in your ability to recover and the financial implications you would face from prolonged downtime, which now carries the very real risk of not being covered by insurance.
Whether the threat is geopolitical, cyber, or environmental, business leaders need to realize that responsibility for the concentrated risk and operational resilience rests with us as CISOs, IT directors, and risk officers. (Not with regulators or insurers.)
According to Gartner®, “By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coinciding threats from cybercrime, severe weather events, civil unrest and political instabilities.”8
I say it creates a massive opportunity to push for incremental progress—taking stock of where you are today and working toward organizational and industry stability. Establishing a security perimeter is key. Most businesses also need to:
- Invest in automating and orchestrating recovery processes, enhancing recovery time and recovery point objectives.
- Assess and establish how best to mitigate human error in restoring from backups.
- Make a practice of continuously testing incident response plans, running cyber simulation exercises to make sure you have confidence in your teams' ability to act and recover at pace when the worst happens.
According to Gartner, “By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.”9 Remember, 19% of attacks today are caused by a supplier being hit.3 That means any business you work with adds to your own exposure, and vice versa.
The threat landscape continues to expand, with a growing volume of attacks that are increasing in sophistication, leading to longer downtime and rising recovery costs.
- There needs to be a realization that regulation lags behind where you need to be for mitigating risk, and that insurance policies are shifting that risk and responsibility back into your hands.
- Whether it’s a cyber-attack, geopolitical uncertainty, or an extreme weather event, your organization needs to adopt a culture of becoming operationally resilient to survive the evolving threat landscape.
Tom Goodwin is a Business Continuity Specialist at Kyndryl.