Unprecedented Increase in Cyber Attacks
Cyber-attacks have seen unprecedented growth worldwide, with a 30% increase in weekly attacks on corporate networks in Q2 2024 compared to Q2 2023, and a 25% rise compared to Q1 2024.
With an average of 1,636 attacks per organization per week, according to a recent report by Check Point, the relentless onslaught of attacks highlights the growing sophistication and persistence of threat actors.
With the increasing digitisation of most enterprises and the growing regulatory requirements for data storage and protection, it has become increasingly difficult to protect a company’s systems from all eventualities.
“However, protecting the organisation from cyber-risk needs to look beyond only the digital walls and systems surrounding it”. “Today it is equally important that companies provide a multi-pronged approach to ensure enterprise resilience and to reduce their risk”, explains Richard Frost, Head of Consulting at Armata Cyber Security.
The International Monetary Fund (IMF) describes an organisation’s active commitment to securing both its digital perimeter and financial assets as fundamental to reducing risk to company solvency. Right now, cyber security is so volatile it presents a significant, ongoing threat to financial stability.
The Global Financial Stability Report found that while cyber incidents have thus far not been systemic, the risk of extreme direct losses—at least as large as $2.5 billion—to firms from such incidents has increased. Moreover, indirect losses from cyber incidents are also significant and tend to be substantially larger than the reported direct losses by firms.
The price tag of such incidents includes repairing and protecting against the damage caused by the incident.
Proactive Protection Approach Required
Companies should be taking a proactive approach towards a full spectrum of protections in their policies, including cyber-resilience and responsiveness.
These, however, form only one aspect of their cyber risk mitigation strategy.
The firewalls, training, endpoint security, alerts and security operations centre (SOC) teams are on the front line, but standing beside them is a digital piece of paper: a policy designed to protect your assets and reputation and make your business more resilient.
“Currently, there are two ways of approaching this: cyber security insurance or a cyber security warranty”, says Frost. “Both are designed to provide companies with more cyber-defence muscles, but each one fulfils a different role and comes at a very different price point”.
Cyber-insurance is designed to provide the business with protection of its assets in the event of a successful cyber-attack. The goal is to cover your business with a financial umbrella and offer support throughout the recovery period after the incident.
Some cyber-insurance policies and service providers also offer client businesses hands-on cyber security expertise from their specialists during and after an attack.
In most cases, cyber-insurance covers not only the claim for restoring or remediating the actual threat but also the legal costs, which can be invaluable for companies that deal with highly confidential data or operate in highly regulated sectors. If your business can prove that it has done everything possible to mitigate risk prior to an attack, then this insurance will protect your business.
However, if an investigation by the cyber-insurance company finds you to be negligent – that your organisation has dropped some cyber security balls – then they can refuse to pay the claim.
Even though companies prioritise ensuring they have the right levels of risk mitigation in place, there is always the chance these are not enough.
Another downside of cyber-insurance is the cost, especially for smaller companies. This is particularly true in South Africa where the cost of insurance as a general rule is extremely high and the monthly fee can be crippling.
Another option available to companies is a cyber-warranty. This is a product that will pay the business a set amount in the event of an incident and covers the gaps that cyber-insurance leaves behind.
Often, managed security services companies will offer a cyber-warranty alongside their products as a mark of faith in their own solutions. That said, if your company invests in a cyber-warranty this doesn’t exclude you from meeting specific requirements around security standards or products. Many warranties are underpinned by an agreement that specifies exactly what levels of security a customer should have in place and what types of products they should be using.
To Insure or To Warrantee? That is the Question!
So, now what? Do you cyber-insure or do you cyber-warranty? Which road leads to resilience?
The answer lies in your risk profile and budget. Cyber-insurance is more expensive and calculating the cost paid out to a company after an incident is complex. Many insurance companies aren’t sure what the actual cost of a breach will be or how this cost balances out against the protections they’ve put in place.
A cyber-warranty is premised on the foundation of cyber-resilience and offers a guaranteed payment amount in the event of an attack. It provides a degree of resilience in the event of a successful attack, and this can make the difference between bouncing back or bouncing to the bank.
Either way, ransomware and risk are rampant and a policy providing much-needed protection is vital.
“Cyber resilience means putting the right security in place and investing in a digital policy that best meets your costs, delivers the right value, and minimizes the impact to your business”, concludes Frost.