Beyond the Breach - Risk vs Investment

In this edition of Insights, we explore 3 key areas:
- How to successfully address enterprise risk management in today's connected businesses
- The role cyber insurance plays in mitigating risk
- The Global Threat Landscape - a look back at 2022

Cyber security advice for senior executives


Introduction - Mike Maddison, CEO

Welcome to our latest edition of Insights, our regular publication for leaders in Cyber Security.

The next twelve months are sure to test the mettle of leaders in any organisation. Against a backdrop of economic headwinds and recession, many organisations are looking to do more with the same budgets, and that includes cyber security. The disruption cyber-attacks create, and the threat they pose to business continuity and the safety of everyone in society, mean cyber security has become a staple item on the agenda across Boardrooms and Governments alike.

In this edition of Insights, we’ll explore how to strengthen resilience and manage the cyber threats facing us today – and tomorrow. We’ll also look at how companies and public sector organisations can strike a balance between security risks and budgetary demands. Where are they investing security spend, and is this changing in the face of evolving cyber threats? In a recent pulse poll of cyber leaders, we found that 43% are focusing the majority of cyber security budgets on technology, 38% on people, 14% on processes and the remaining 5% on insurance. With most focusing spend on technology, is there a way to make security tools work smarter, and realise more value from these investments? Our CISO Lawrence Munro goes into detail on page 8.

When it comes to cyber insurance, how is the market adapting its offer to meet the changing cyber coverage needs and budgets of CISOs? Our recent poll uncovered that 46% of respondents either did not have, or were unaware of, their organisation’s cyber insurance cover, whilst (a concerning) 10% were unable to obtain it. Hear from our experts on these very challenges on page 4.

Legislative and regulatory commitments have a powerful influence on spend discussions. With new regulations moving at pace, we explore how organisations can strike the right balance between risk appetite and compliance considerations. Read more on page 16.

I hope you find this collective insight from our NCC experts helpful.

Mike Maddison, CEO, NCC Group

Contents

P3 Introduction
P4 The latest developments in cyber investment & insurance
P8 A CISO Perspective
P12 How the threat landscape may drive cyber investment in 2023
P16 Regulatory & Legislative spotlight

The latest developments in Cyber Investment & Insurance

For Maya Buchanan, NCC Group’s Global Director of Risk & Compliance, cyber security budgets must ultimately be aligned to an organisation’s overall strategy and approach to risk. However, in many cases, improving cyber security posture doesn’t automatically equal increased spend. In Buchanan’s words, there is ‘no magic bullet’ that can make an organisation 100% secure; instead, it’s often a matter of ‘tuning up’ capabilities, simplifying your security estate and making informed decisions in line with existing controls, rather than investing in new tools.

At all times, aim for a holistic approach to enterprise risk management. A cyber attack has the potential to affect every aspect of an organisation, whether finance, HR, procurement, IT and so on. Understand how each function would be impacted by a breach, and speak to those challenges. If payroll systems are affected, what problems does that create for finance departments? Would IT teams require additional resource to restore systems? Factor these considerations into investment decisions. Remember, too, that the fall-out of a breach can have a very long tail, and therefore require long-term financial support.

There’s no getting away from it: cyber security remains one of the biggest existential threats to organisations across the globe. In 2023, this is further compounded by a tumultuous threat landscape, which NCC Group’s Global Head of Threat Intelligence delves deeper into on page 12.


Here we look at the latest developments in cyber investments and cyber insurance and how best to strengthen your cyber security posture in 2023.

Balancing risk appetite with key security investments in 2023

Research from Enterprise Strategy Group suggests a mixed picture: though 65% of organisations are expected to increase cyber security spend in 2023, the same survey found 48% predicted overall IT budgets to remain flat or decrease throughout the course of the year. Cyber security is clearly non-negotiable - but how do you reconcile this with scrutinised budgets? Organisations are increasingly forced to strike a delicate balance between cyber risks and where (and how much) to invest when it comes to ensuring an adequate level of cyber security protection.

Attack Impact Stages 2022 (chart): Ransomware 40%, Business Email Compromise 33%, Coin mining 13%, Data Breach 7%, Banking malware 7%.

Evolving insurance for an evolving market - which brings us to cyber insurance

As one of the newer insurance markets, it’s an area that has been subject to intense discussion of late - from new product launches, to claims that cyber could be ‘uninsurable’. Whether this statement is entirely correct or not, it is fair to say the market is hardening, and the latest studies show that the scope of what cyber insurance covers is decreasing at the same time that premiums are increasing. Previously, cyber insurance has been seen as a substitute for cyber security. This is certainly not a recommended approach, and the squeeze on what policies cover and how much insurance costs is forcing many to re-evaluate this ‘risk transfer’ approach. Instead, cyber insurance must be viewed as an enhancement of a robust control environment.

Where to begin?

Understanding your risk appetite is key, as is clearly defining it when entering any budget discussions. Ask yourself:
- What’s driving it? Review this on a continuous basis.
- Are there any regulatory changes (see more on page 16)?
- Does your organisation handle vast volumes of confidential data?
- Could a breach cause significant reputational damage that you cannot afford to be exposed to?

Lawrence Munro, NCC Group CISO, explores this further on page 8.

Tim Rawlins, Director and Senior Advisor at NCC Group, highlighted just how involved the process to obtain cyber insurance has become in recent years. ‘Underwriters are issuing far more detailed requirements to make better risk assessment[s], which affects the premium.’

Surveys containing upwards of 300 questions are now often required, assessing everything from the type and volume of data held to organisational structure, control maturity, supplier networks and advisors - essentially reviewing the robustness of an organisation’s cyber security posture. Even after overcoming the hurdles of accessing coverage, organisations must fully familiarise themselves with exactly what their premium covers, says Kevin Dunn, NCC Group’s global co-head of professional services. Cyber policies today don’t cover everything they used to, and policies often exclude ransomware pay-outs - a particularly costly aspect of attack.

Premiums on the rise: increases of 100% to 300% were not uncommon throughout 2022.

Coverage limits declining: some companies are seeing limits halved.

Cyber insurance coverage by sector (Source: Sophos)

Sector (n)                                 Has cyber insurance   Has cyber insurance that covers ransomware
Energy, oil/gas and utilities (204)        88%                   62%
Media, leisure and entertainment (164)     88%                   66%
Business and professional services (480)   87%                   68%
IT, technology and telecoms (979)          87%                   70%
Financial services (547)                   86%                   72%
Retail, distribution and transport (666)   83%                   62%
Manufacturing and production (648)         83%                   63%
Other (542)                                83%                   61%
Construction and property (272)            80%                   62%
Public sector (498)                        72%                   51%

Remember to consider the cost of insurance coverage alongside your wider control network and indeed other policies. Taking a holistic view will help you see whether there are areas of overlap that could be consolidated, or gaps in protection that need addressing. So, amid a hardening insurance market, increasing barriers to accessing coverage and the recognition that even with cover there are costs organisations are required to bear, some might ask: is cyber insurance worth it? The answer is often yes, when you need it most.

A CISO Perspective

Lawrence Munro, CISO at NCC Group, shares his take on how CISOs can balance fluctuating budgets as the threats advance in volume, complexity and impact.

It is fair to predict that 2023 will be a financially challenging year for many organisations. As is often the way in times of economic difficulty, budgets will be reviewed across the board, and could face cuts. Set against this backdrop, the cost of a cyber attack is rocketing: IBM Security’s Cost of a Data Breach report found the global average cost of a data breach reached $4.35m in 2022. At the same time, threats are becoming more complex and frequent in nature. Clearly, cyber security is non-negotiable for any organisation. What is up for discussion, however, is how to invest in its security posture, to ensure the investment meets the organisation’s needs and provides a ‘strong enough’ level of protection against risk. And if budgets are being reviewed by the board, CISOs have an important role to play in guiding these discussions.

How can CISOs ensure that cyber security remains a spending priority?
- Do your current controls meet all mandatory requirements?
- Are you possibly overspending to meet certain frameworks or guidance?
- Could your spend be better used for other controls?
- How do you ensure no gaps in your protection at a time when budgets remain static, if not reduced?
- And where should you focus your spend?

With this in mind....

Evolving risk appetite

First, understand your organisation’s evolving risk appetite. If your exposure has shifted - whether due to external market forces, or internal changes - it is likely risk appetite has shifted too. New or updated regulation and legislation are being introduced at a rate of knots, and this can impact risk appetite.

Reputational risks also influence appetite

As we know, breaches can be financially costly, and reputationally so, too. Ensuring your security set-up has the right spend behind it to protect against or mitigate the fall-out of an attack will be important if reputational damage is a key concern for your organisation.

Don’t ‘over’ insure to mitigate risk

Though insurance is a key tool in the arsenal to mitigate the impact of an attack, it should not be seen as a risk transfer strategy. With your premiums adjusted according to your risk profile, there’s a danger that some organisations may seek to ‘over’ insure rather than putting the controls in place to prevent attack. Instead, take a balanced approach, where cyber insurance complements your security architecture and helps to mitigate the immediate and long-term costs you could face in the event of a breach.

Making sure the tools you have at your disposal work smarter, rather than investing in a number of different solutions, should be a key focus for CISOs too. Undertake a detailed review of your control requirements, contracts and licenses. Is there overlap, where you have multiple licenses for the same type of solution, and if so, can you opt to use the services of one provider? Are there other solutions available that would work better together than your current tools, and provide more holistic protection?

Collaboration with peers, clients and even competitors

It is vital to understand shifting risk appetite and priorities that affect budgets. How an attack impacts your financial teams is very different to how it will impact HR departments. So addressing individual team concerns, and demonstrating how your organisation’s cyber security budget affects this, is important. Increasingly though, there is a need to go beyond talking about cyber security solely in the language of breaches or reputational damage.

A 2022 report from Forrester, CISOs’ Tactics To Win Every Budget Battle, discussed the need to factor in cyber security costs when calculating cost of sale (CoS) and cost of goods sold (CoGS); reviewing controls by ‘costs per customer’, the return on insurance policy coverage and costs per regulation could aid Board-level budget discussions.

Managing suppliers

The stability of your supply chain and its vulnerability to attack is another aspect of managing suppliers; procurement due diligence often demands these checks, but increasingly, ongoing monitoring will be needed. Do your suppliers have vulnerability disclosure programmes you can review? Can you access their software bill of materials (SBOM), which details the patch statuses, versions, licenses and components present in their codebase? Consider this in budget discussions, as internal resource or third parties, such as software escrow services, may be needed to support recovery, just as they would if your organisation were the intended target of attack.

Never compromise your business’s risk. In the face of economic difficulties, look to take a more pragmatic approach - whether this relates to risk appetite, insurance, tools or suppliers.

How the threat landscape may drive cyber investment in 2023

Matt Hull, Global Head of Threat Intelligence, explores the 2022 threat landscape and considers how this will influence cyber spend and investments in 2023.

Our Annual Threat Monitor Report unpicks the trends and patterns in the cyber security landscape, based on our proprietary research and observations from our Managed Detection and Response (MDR) and Cyber Incident Response Teams (CIRT). It equips you with the knowledge to inform your security investment and spend decisions in 2023. Each organisation’s governance and risk strategy will be unique, but one thing that remains constant is the need for threat intelligence to inform it.

What has shaped the threat landscape in 2022?

The ongoing conflict between Russia and Ukraine has had a major impact, with both countries deploying their full arsenal of offensive cyber capabilities. This led to an increase in disinformation, defacement, and Distributed Denial of Service (DDoS) attacks, as well as the use of destructive malware to cripple critical national infrastructure in Ukraine and other countries. We could expect a rise in DDoS attacks in 2023 as this trend continues, especially amongst the growing network of connected devices. Such attacks affect the availability of systems or services, including customer portals or websites, significantly reducing an organisation’s ability to function. When conducting risk assessments of critical assets, due consideration needs to be given to ensuring adequate protections are in place to mitigate the effects an attack may have on operations. Companies could run attack simulations as a regular practice, testing that the protective processes they have implemented provide the necessary protection in the event of such an attack. We have already seen in 2023 targeted attacks against healthcare and government institutes that operate in countries that support Ukraine. These attacks are being carried out by the pro-Russian hacktivist group Killnet.

There was a 5% decline in ransomware incidents in 2022 as compared to 2021. There are many possible reasons for this decline, including the conflict in Ukraine, but it is also due in part to a strengthened response to such threats from law enforcement agencies and governments around the world, which resulted in the arrests of key members of cyber-criminal groups and intelligence operatives.

The overall decline in ransomware incidents is not to be mistaken for a halt in the persistence of such attacks, however. There was a notable surge in such incidents between February and April in particular, coinciding with the Russian invasion of Ukraine, with the prominent group LockBit increasing its activity in particular. Given continued conflict and wider geopolitical turmoil, alongside the lucrative nature of such attacks, organisations need to remain vigilant against ransomware. They must actively take steps to review internal vulnerabilities and strengthen protective barriers to develop resilience against such attacks – particularly considering how cyber insurance policies are now less likely to cover the cost of ransom pay-outs in the event of attack. Looking at wider ransomware trends, North America (44%) and Europe (35%) suffered the most ransomware attacks in 2022. North America bore the brunt, with 44% of all incidents (1,106), a 24% decrease from 2021’s figures (1,447).

Percentage of Victims by Region for Hack & Leak Victims (2022) (chart): North America 44%, Europe 35%, Asia 11%, South America 5%, Oceania and Africa 2% and 3%.

Europe observed 35% of all incidents, with an 11% increase in attack numbers, witnessing 896 in 2022 as compared to 810 in 2021. This was potentially influenced by surges in activity associated with the Russia-Ukraine conflict in the first half of the year. The Industrial sector was the most heavily attacked in 2022, with 804 victim organisations (32%), followed by Consumer Cyclicals with 487 (20%) and Technology with 263 (10%).

While this remains consistent with previous years, our Annual Threat Monitor Report called attention to a relative 10% surge in victim numbers for ‘consumer cyclical’ organisations, especially hotel and entertainment, specialty retailers, homebuilding and construction supply retailers, and financial services. Organisations in this sector, particularly those with large Operational Technology or Internet of Things (IoT) estates, are likely to come under continued targeting. This will inevitably call upon decision makers within organisations to review their spend with the significant threats to their cyber security in mind. We know that cyber incidents of all shapes and sizes will persist in 2023, and as we saw from last year, they are likely to evolve in type, techniques, motivations and influence. From ransomware to DDoS, to business e-mail compromise, threat actors are advancing attack types. These advances call for organisations to ensure their security stance reflects the risks they face, and to evaluate cyber security spending budgets appropriately.

Sectors most heavily attacked in 2022 (chart): Industrial 804 victims (32%), Consumer Cyclicals 487 victims (20%), Technology 263 victims (10%).

IR Cases by Sector (2022) (chart): sectors shown are Government Activity, Industrials, Financials, Consumer Cyclicals, Technology, Academic & Education Services, Energy, Healthcare, Consumer Non-Cyclicals, Basic Materials, Institutions, Associations & Organisations, and Real Estate Operations.

Looking ahead to 2023

We expect bad actors to focus their attention on compromising supply chains, bypassing multi-factor authentication (MFA) and taking advantage of misconfigured APIs. The threat will persist, and organisations must remain vigilant, understand how they could be exposed and take steps to mitigate any risk. Preparation is key, from having robust recovery processes in place, to being able to quickly and effectively deploy thorough incident response plans. This way, organisations can be ready to take on the ever-evolving cyber threat landscape.

Regulatory & Legislative spotlight

Duncan McDonald, Global Head of Compliance Services, and Verona Hulse, UK Head of Public Affairs

We explore the regulatory and legislative changes that will continue to drive cyber security spend in 2023.

Regulation and legislation are constantly adapting to the ever-changing cyber security landscape. As these requirements evolve, they will undoubtedly influence the direction of cyber security spend. Indeed, the European Union Agency for Cybersecurity (ENISA) recently published its third NIS Investments report, which concluded that the NIS Directive and other regulatory obligations, alongside the threat landscape, are some of the main factors influencing information security budgets. Whether organisations are applying new regulations and legislation to their existing systems, products and services, or taking new products to market, they will need to invest to be compliant. Many will also face the challenge of navigating different requirements for the same products in different regions. But do legislation and regulation drive the right kind of investment? Or are the costs of compliance just another burden placed on businesses? It is our view that considered, evidence-based regulation can drive better security outcomes for all and reduce costs by enabling future-proof systems that, by their design, avoid mistakes that are expensive to fix later. Whatever the shape of these emerging laws and regulations, we support our clients to navigate this increasingly complex landscape and comply. Through this work, we have seen a host of regulatory changes introduced across the globe in the last few months alone, with three key trends emerging:

Government activity to identify and secure critical infrastructure has ramped up

Several new cybersecurity laws and regulations have been enacted, introduced or signalled as nations attempt to protect critical infrastructure from threat actors. The European Union (EU) adopted NIS2 and DORA in December 2022, significantly expanding what it means to be critical infrastructure, strengthening supply chain requirements in financial services and implementing tight compliance deadlines. The United Kingdom (UK) also confirmed its plans to update and strengthen NIS regulations, and the Australian Government has begun developing its new Cyber Security Strategy, which will place the utmost importance on critical infrastructure resilience. The United States is also gearing up for the release of Biden’s national cyber strategy, aiming to enforce comprehensive regulation for the nation’s critical infrastructure.

A prime driver for these additional controls is to mandate good cyber hygiene practices where governments believe market forces have failed to deliver sufficient levels of cyber resilience.

Increasing the cyber hygiene of all organisations has to be a positive move. Greater regulation can significantly help to influence decision-making, protecting organisations, end-users and consumers alike. It can help to level the playing field with malicious actors by making it harder to exploit vulnerabilities like legacy unprotected devices. However, we must also recognise that tougher regulations pose a challenge for multinational organisations that must comply with differing rules to remain compliant in all jurisdictions. Building a compliance program to manage these legislative requirements can be complex, time consuming and expensive. This drives a need for specialist security advisory services to help affected organisations achieve the right level of assurance to meet evolving, cross-jurisdiction obligations.

Stricter cybersecurity laws for Internet of Things (IoT) devices

Stricter laws for Internet of Things (IoT) devices and software are also being enacted by governments – with some disparities across regions. The UK, for example, is taking a piecemeal approach – introducing product-specific laws and policies like the Product Security and Telecoms Infrastructure Act (which focuses on consumer IoT devices) and a new Code of Practice for App Stores and App Developers. Meanwhile, the EU is taking a more holistic approach with the cross-sectoral Cyber Resilience Act, which covers almost all software and hardware products connected to the internet.

A focus on principles-based regulatory frameworks for emerging technology

Governments are increasingly recognising that keeping up with the pace of technological evolution is nearly impossible. We are seeing this in the attempt to govern AI. AI decision-making is being opened up to greater scrutiny, whether in the US blueprint for an AI Bill of Rights, the UK’s forthcoming AI White Paper, or the European Commission’s AI Act. In all of these cases, policymakers are looking to develop broader, more flexible frameworks and principles rather than implementing detailed cybersecurity requirements. Given the nature of the cybersecurity landscape, the difficulty for regulatory bodies is to keep pace with technological change and remain relevant as the industry shifts. This creates challenges for organisations, as they attempt to navigate growing threats, and in turn balance cyber security investment and regulatory requirements. Though complex, it is not impossible – by striking the right balance based on need, organisations can build a truly resilient operation in the face of ongoing change.

About Insights

Insights is our advice hub for senior executives – leading the way on all things cyber. Once you subscribe, you’ll receive everything you need to know on the cyber landscape, up-to-date threat intelligence and the latest research from us and your peers. You’ll also be invited to exclusive events with top experts in the cyber field. And best of all, it’s free!

About NCC Group

It’s a new era of risk. Defy it with NCC Group’s end-to-end cyber security and resilience solutions, and confidently embrace technology to support sustainable growth and success. From governments to tech giants, financial institutions to expanding businesses, for over 30 years we have proudly provided them with strong security solutions…and with a global team of over 2,400 experts, we’re ready to do the same for you. With NCC Group, take your business to the next level. Unleash innovation without the obstacle of cyber threats.

More than a solution. A partner. You’re not alone on your security journey.

NCC Group is your partner. Be it rolling up our sleeves with your in-house team or developing strategy with your board, we help you have control over your appropriate level of security. Yes, we deliver industry-leading security solutions, but we’ll also reduce stress, save your business time, and help you prepare for, or even face, a crisis together.

www.nccgroup.com www.fox-it.com
