The latest developments in cyber investment & Insurance

07 March 2023

There’s no getting away from it: cyber security remains one of the biggest existential threats to organisations across the globe. In 2023, this is further compounded by a tumultuous threat landscape - NCC Group’s Annual Threat Monitor Report takes a look at ever-evolving attack techniques deployed by threat groups.


Attack Impact Stages 2022

  • Ransomware: 40%
  • Business Email Compromise: 33%
  • Coin mining: 13%
  • Banking malware: 7%
  • Data breach: 7%

NCC Group Annual Threat Monitor Report, 2022

Balancing risk appetite with key security investments in 2023

Research from Enterprise Strategy Group suggests a mixed picture: though 65% of organisations are expected to increase cyber security spend in 2023, the same survey found 48% predicted overall IT budgets to remain flat or decrease throughout the course of the year. Cyber security is clearly a non-negotiable - but how do you reconcile this with scrutinized budgets?

Organisations are increasingly forced to strike a delicate balance between cyber risks and where (and how much) to invest to ensure an adequate level of cyber security protection.

Where to begin? Know your risk appetite:

  • What is driving it? Review this on a continuous basis.
  • Are there any regulatory changes (see more on page XX)?
  • Does your organisation handle vast volumes of confidential data?
  • Could a breach cause significant reputational damage that you cannot afford to be exposed to?

Understanding your risk appetite is key, as is clearly defining it when entering any budget discussions.

For Maya Buchanan, NCC Group’s Director of Global Governance, cyber security budgets must ultimately be aligned to an organisation’s overall strategy and approach to risk. However, in many cases, improving cyber security postures doesn’t automatically equal increased spend. In Buchanan’s words, there is ‘no magic bullet’ that can make an organisation 100% secure; instead, it’s often a matter of ‘tuning up’ capabilities, simplifying your security estate and making informed decisions in line with existing controls, rather than investing in new tools.

At all times, aim for a holistic approach to enterprise risk management. A cyber attack has the potential to affect every aspect of an organisation, whether finance, HR, procurement, IT and so on. Understand how each would be impacted by a breach, and speak to those challenges. If payroll systems are affected, what problems does that create for finance departments? Would IT teams require additional resources to restore systems? Factor these considerations into investment decisions. Remember, too, that the fall-out of a breach can have a very long tail, and therefore require long-term financial support.


Cyber insurance is one of the newer insurance markets, and it has been the subject of intense discussion of late - from new product launches, to claims that cyber could be ‘uninsurable’.

Whether this statement is entirely correct or not, it is fair to say the market is hardening: the latest studies show that the scope of what cyber insurance covers is decreasing at the same time that premiums are increasing.

Previously, cyber insurance has sometimes been seen as a substitute for cyber security. This is certainly not a recommended approach, and the squeeze on what policies cover and how much insurance costs is forcing many to re-evaluate this ‘risk transfer’ approach. Instead, cyber insurance must be viewed as an enhancement of a robust control environment.

  • Premiums on the rise: increases of 100% to 300% not uncommon throughout 2022
  • Coverage limits declining: some firms seeing limits halved

Marsh Cyber Market Report


Tim Rawlins, Director and Senior Advisor at NCC Group, highlighted just how involved the process to obtain cyber insurance has become in recent years. ‘Underwriters are issuing far more detailed requirements to make better risk assessment[s], which affects the premium.’

Surveys containing upwards of 300 questions are now often required, assessing everything from the type and volume of data held, organisational structure and control maturity to supplier networks and advisors - essentially reviewing the robustness of an organisation’s cyber security posture. Ensuring you have adequate protections in place, and can therefore respond thoroughly to such surveys, could in turn go a long way towards securing such coverage.

Even after overcoming the hurdles of accessing coverage, organisations must fully familiarise themselves with exactly what their premium covers, says Kevin Dunn, NCC Group’s global co-head of professional services. Cyber policies today don’t cover everything they used to, and policies often exclude ransomware pay-outs - a particularly costly aspect of attack.

Source: Sophos


Remember to consider the cost of insurance coverage alongside your wider control environment and, indeed, your other policies. Taking a holistic view will help you see whether there are areas of overlap that could be consolidated, or gaps in protection that need addressing.

So, amid a hardening insurance market, increasing barriers to accessing coverage, and the recognition that even with cover there are costs organisations are still required to bear, some might ask: is cyber insurance worth it? You could ask the same question about many traditional insurance products - life, household, contents - and the answer is often the same: yes, when you needed it most. Does the same answer not apply here, for the sake of true operational resilience in the face of evolving threats?
