Nothing brings an issue into focus like the repeated assertion of the significance of its risk. The enterprise has no greater risk than a cyber incident, such as a ransomware attack, data breach, or other IT disruption.
The data behind the assertion is significant.
According to an Allianz Risk Barometer press release, a cyber incident is the top global business risk in 2024 and for the third consecutive year. In a survey of more than 3,000 risk management professionals, more than a third (36%) say a cyber incident is the number one risk facing businesses, up from 34% from 2023. Allianz business entities compile responses from 3,069 risk management experts, including CEOs, risk managers, brokers, and insurance experts from 92 countries and territories yearly for the Risk Barometer, according to the release.
Though it should drive improvement in enterprise cyber-readiness, the risk appears to be climbing.
Progress toward effective cyber incident handling
Nothing drives progress like pain. Ransomware attacks and cyber insurance needs have forced improvements in cybersecurity.
“The biggest driver of change is the global ransomware epidemic and the rapid change in the cyber insurance market as a result,” said Chris Clymer, chief information security officer (CISO) of Inversion6, an Ohio-based cybersecurity company. Clymer said companies that under-invested in cybersecurity and fell victim to ransomware relied on cyber insurance to cover the costs.
According to Clymer, that led cyber insurance carriers to increase retention costs, reduce coverage, and require increasing levels of security controls even to obtain coverage.
Over the last three years, enterprises have made remarkable progress in effective cyber event mitigation and prevention, particularly toward meeting the requirements on cyber insurance carrier checklists, according to Clymer.
Cyber insurance carriers maintain checklists of requirements that companies must meet to qualify for cyber insurance. According to a BeyondTrust solutions page, these checklists require:
- removing admin rights from user computers;
- restricting accounts to the least privileges necessary;
- using protections for remote access into the corporate network;
- managing privileged accounts using software solutions, and
- using multi-factor authentication (MFA) for remote network access.
Because of cyber insurance requirements, enterprises have adopted additional security controls. Clymer said most organizations have a formal incident response plan, a proper Endpoint Detection and Response (EDR) solution protecting enterprise endpoints, patch management to patch and maintain software, and tight management of administrative credentials.
According to John Allen, vice president of cyber risk and compliance at Cambridge, U.K.-based cybersecurity company Darktrace, over the last three years, the increased regulatory pressure from new cybersecurity and privacy rules has been driving greater awareness of the risks of cyber incidents to enterprises.
Particular cybersecurity rules include the U.S. Securities and Exchange Commission final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, which mandates the disclosure of material cybersecurity incidents within four business days after a public company determines an incident is material.
Two years ago, the U.S. enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires Federal entities to report cyber incidents to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours. Data privacy rules such as Europe’s General Protection Data Regulation (GDPR), and in the U.S., the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and other state privacy laws regulate data holders regarding the legal collection, maintenance, and use of private data.
Allen said these regulatory drivers have pushed cybersecurity to the forefront as a business priority. “There has been a reallocation of resources, giving security teams additional power and autonomy to review and experiment with various cybersecurity strategies and tools,” said Allen.
Some strategies, like zero trust, have been critical in breaking down legacy approaches, even if those strategies perhaps fall short of hyped expectations, said Allen. “Experiencing the limitations of such strategies has allowed security teams to recognize that prevention alone is no longer a viable cyber risk strategy,” Allen said.
Where cyber incidents have persisted
Significant vulnerabilities in cyber readiness include lagging technology; the human factor; manual, informal, and ad hoc processes, and untimely remediation.
“When I think hard about ransomware and phishing, we don’t have a sophisticated answer for the end user. We apply interesting algorithms and network technologies, but we instruct people to be careful what they click on. The technology hasn’t caught up with the threat,” said Matthew Butkovic, technical director of the Cyber Risk and Resilience Assurance Directorate, CERT, at the Carnegie Mellon University Software Engineering Institute (CMU SEI).
One expert attributes the persisting risk to unwieldy incidents that impede cyber event management. “Almost three out of four enterprises agree that managing security events in a holistic and integrated way across the organization is their biggest challenge,” said Saurabh Gupta, president of research and advisory services at Cambridge, U.K.-based HFS Research, a global research firm. HFS based its research on input from 150 enterprise security leaders.
According to Gupta, these are the four main reasons that managing security events is so challenging:
- Sixty-seven percent of enterprise security leaders affirmed their cybersecurity team is understaffed for their organization’s size, preventing it from appropriately managing the increasing volume of security events and alerts.
- According to 66% of respondents, the organization depends on too many manual or informal processes for gathering data from disparate systems and data sources, analyzing events, and responding to security incidents.
- Nearly two-thirds (62%) of respondents noted the cybersecurity team is struggling to select and implement the remediation actions promptly, leading to a significant risk exposure.
- Almost as many (60%) indicated their cybersecurity team lacks the correct skills to efficiently analyze and correlate security events, preventing them from generating actionable insights to avoid repeat incidents.
Why the risk of a cyber incident is growing.
New technologies in the enterprise and in the hands of cybercriminals make for vulnerabilities and attack methods that can keep cyber incident handling off balance.
The risk of cyber incidents is growing because introducing new technologies is driving complexity, said Butkovic. Take Large Language Models (LLMs) for example; “Say I’ve decided we are going to use Microsoft Copilot, and we have an incident. Hypothetically, I don’t know enough about that product to triage correctly or determine what data we’re losing,” Butkovic said.
According to Gupta, the rapid advancement in digital technologies is a factor in the growth of cyber risks. “The malicious use of artificial intelligence makes cyber-attacks more effective, targeted, and difficult to attribute. The rise of quantum computing poses a challenge to current cryptographic security, with quantum-based attacks such as, “hack now, decrypt later” already occurring,” said Gupta.
Enterprises and criminals are only starting to comprehend these nascent technologies. Upcoming vulnerabilities and attacks are hard to anticipate.
David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.
Join the Discussion (0)
Become a Member or Sign In to Post a Comment