Issue Ten
January 2022
Looking back on 2021, we see significant change within the cybersecurity industry. The conversation has been elevated from occasional staff meetings to the C-Suite and boardroom, all the way to The White House. This is positive progress and a necessary step in the right direction.
While much of the year was consumed with addressing ransomware and supply chain attacks from a reactive position, the focus nearing the end of the year shifted to building resilience as a proactive measure.
One of the major catalysts for this shift in focus was the cyber insurance industry. Many organizations leveraged cyber insurance in lieu of establishing a budget and true cybersecurity strategy, and it certainly upended the industry. An uptick in attacks resulted in an increase in claims, and therefore an increase in premiums. Pretty straightforward. To reduce claims and keep premiums within reach, insurers added basic cybersecurity requirements to the qualification process – highlighting the importance of resilience not being a one-sided approach.
Looking forward to 2022, we see organizational transformations happening on many fronts, not simply digital, as those efforts are well underway due to the work-from-anywhere push during the pandemic.
Cybersecurity efforts will continue to focus on reducing supply chain risk and improving resilience, but the importance of highly specialized and integrated partners will become more profound. To differentiate in 2022 and into the future, organizations must move away from the constraints of relying purely on their own resources and toward establishing, nurturing, and leveraging trusted partners’ resources in a more socially responsible and secure supply chain.
“Learning and innovation go hand in hand. The arrogance of success is to think that what you did yesterday will be sufficient for tomorrow.” William Pollard
Disruption is oftentimes the catalyst for differentiation, and we expect to see that play out in real time this year.
ZEROING IN
Prepare, defend, recover, repeat – The vicious cybersecurity cycle in 2021
Last year was one for the record books, and it put cybersecurity on the agenda for nearly everyone. We saw critical infrastructure, critical industries, and supply chains hit hard with ransomware throughout the year. The biggest lesson learned from these events is that the post-attack budget is far larger than the pre-attack budget.
So, if ransomware continues to be the most prevalent method of takedown, how can we get in front of it? The simple answer is awareness. We know the entry points are most commonly phishing, password guessing, exploitation of vulnerabilities, or malicious documents in an email, and that provides us with a solid starting point for developing a strategy.
Rather than focus on shiny new technologies like artificial intelligence and machine learning, businesses need to continue placing their efforts on strengthening the basics like passwords, patching, and policies. While this may seem juvenile to organizations already on the path to a more mature security posture, keeping focused on the basics ensures the foundations we’ve built do not crumble as complexities increase in the future.
This year ransomware will continue to get more sophisticated and supply chains will become more complex. By focusing on the fundamentals and removing complexities within the policies and processes, organizations position themselves to be more resilient in defending against and bouncing back from future threats.
Cyber insurance explained: What it covers and why prices continue to rise
One of the most disrupted industries of 2021 is cybersecurity insurance. The number of ransomware cases rose drastically as the year unfolded, as did the number of claims. Breach response costs increased from 29% to 52% of overall claim costs.
This was in large part due to the fact that many organizations looked at cyber insurance as a cybersecurity strategy rather than a contingency and recovery strategy. Without budget allocated to developing a sound, preventative plan to reduce risk and improve resilience, a large swath of businesses left themselves wide open to the very vulnerabilities that ransomware sought to exploit.
Another critical misstep was the assumption that cyber threats fall under the responsibility of the IT department. While IT personnel typically manage the network and interconnectivity of systems, their expertise focuses on providing access and keeping traffic flowing, so as not to hinder productivity. Cybersecurity experts, on the other hand, take a deeper look at limiting access and control to reduce the ability for threat actors to traverse the network and do irreparable damage.
This perfect storm of misguided approach continued to churn throughout the year, and insurance providers found themselves in uncharted territory. There was, and still remains, a critical need to predict and control payouts for claims. The solution: clamp down on the standards for acquiring cyber insurance coverage – making the responsibility a shared one.
The future of cyber insurance is likely to remain volatile until organizations and insurers can come together to foster an environment that is mutually beneficial. The most acceptable path forward is for every organization to assess where their risks are and to begin addressing them by implementing the appropriate people, processes, and technologies necessary to master basic cybersecurity principles.
Digital Transformation Changes How Companies Create Value
Amidst all the disruption of 2021, the organizations that thrived realized new opportunity in how they sought to differentiate.
It has been well documented that digital transformation was accelerated by the pandemic, but now that the dust has settled, businesses are beginning to look at this new agile model as a way to reimagine their entire operations and differentiate themselves.
Manual, personnel-heavy processes have given way to digitized and automated technologies and stronger, more trusted partnerships. This leads to leaner staffing for operational tasks and generates value as a byproduct, not only for the organization itself but externally as well. This “firm inversion” has been an eye-opening breakthrough.
“To attract partners, these inverted firms follow one simple rule: ‘Create more value than you take.’ A little reflection shows the rule’s potency. People happily volunteer investments in time, ideas, resources, and market expansion when they get value in return. Partners flock to a firm that makes them more valuable, which in turn helps the firm’s ecosystem flourish.”
This not only solves the problem of the skills shortage, but it also invites the best of the best to the playing field. It enables collaboration and the sharing of expertise that many organizations could not afford to hire internally, while generating value that begets value. It’s the type of win-win scenario that has catapulted intangible assets to account for 90% of the valuation for S&P 500 firms.
“Too many product firms start from the bad habit of asking ‘How do we make money’ when instead they should start by asking ‘How do we create value?’ and ‘How do we help others create value?’”
If there is ever to be a silver lining gleaned from the pandemic, this model is one worth paying attention to.