The nature of business risk has changed dramatically as cybersecurity attacks increase in volume, velocity and effectiveness. Data breaches have emerged as a new category of threat that can have catastrophic effects on a business of any size, and the growth of massive botnet armies controlled by threat actors signals that the attackers are becoming more powerful.
Cyber defenses have evolved in tandem, producing increasingly sophisticated solutions for the vast scale of threats organizations encounter as an inevitable result of leveraging the networking and computing infrastructure they need to compete in the modern business environment. Naturally, insurers began to develop processes and structure to serve their traditional role in guarding against this risk, but that development hasn’t proceeded smoothly.
In recent years, to comprehend the scale of their liability compared with the policyholders’ ability to protect themselves, insurers implemented standards and policy exclusions that require organizations to do far more to secure their attack surface than ever before. If they can’t, these organizations face severe threats on two fronts: the inability to effectively guard against first-order threats to their system as well as the inability to take advantage of the appropriate financial tools to limit the resulting damage.
While these threats present a short-term challenge for many companies, they also reveal an opportunity for the medium and long term. Organizations that build a safe and insurable cybersecurity posture will be better positioned for growth than companies that choose not to invest in those tools and processes. Even if the organization chooses to self-insure, having insurance-worthy cyber hygiene measures in place can reduce potential damage.
Many organizations recognize the need to improve their security: According to market research firm Market.US, the global cloud security market is valued at $20.54 billion in 2023 and is projected to grow to nearly $150 billion by 2032.
Most of the focus is on IT infrastructure. But for many organizations today, the most efficient way to build a safe and insurable cybersecurity posture is to focus on IoT (internet of things) security.
See also: A New Approach to Cyber Resilience
Why IoT?
IoT devices function differently than traditional IT computer systems. IoT devices have agents placed on them (the typical way IT systems are patched) and, until recently, could only be updated manually. Most organizations with IoT systems benefit by using them at scale – think of factory systems, transportation and logistics and automation systems that can physically exist anywhere (not just in datacenters). The devices must work as a team.
Naturally, this volume and sprawl makes manual updates prohibitively burdensome. As a result, more organizations than not are left with vulnerable, unpatched, out-of-date firmware on thousands of network-connected devices. This dynamic also produces a suboptimal organizational dynamic: Because devices need to be maintained manually on-site, they often fall under the authority of on-site teams rather than IT security experts. As a result, IoT networks generate the largest unsecured attack surface for most organizations. Any responsible approach to business risk will involve securing it.
Why now?
In recent years, there have been high-profile disputes between insurers and their policyholders who filed claims on data breaches and other cybersecurity incidents, and it’s clear that insurers are recalibrating their approach to cyber risk. They are implementing far stricter requirements to qualify for coverage, and an organization effectively must accept the insurer's security requirements as mandates.
The best way for organizations to approach this shifting climate is to work with their insurer so there is a two-way flow of information and the terms of the policy can be customized to the specific business. This helps the insurer understand both the technical and business realities, and through that collaboration, organizations will gain insight into how regulations will develop over time. At the same time, organizations themselves must evolve and take a leadership role when securing their own systems to minimize their cyber insurance premiums.
See also: Cyber Insurance at Inflection Point
How to build a safe and insurable cybersecurity posture
An efficient ecosystem of asset and application discovery tools that leverage automation has delivered IT security teams the capacity to find threats faster than ever. However, because of their distinct technical properties, IoT networks have remained largely untouched by these advancements. At best, teams have been able to mitigate threats (e.g. through port blocking), but to move to true remediation requires a focus on both automation and scale.
Organizations, first of all, must take advantage of the latest technology to secure their most vulnerable attack surfaces. For most organizations, this is IoT networks. Specifically, this means deploying agentless solutions that can support all types of IoT devices while managing the relationship among all devices and apps, along with their interaction with the broader network. IoT systems must be visible, operational and secure – no longer simply functional.
Organizations must also change how they approach resolving potential threats, which for IoT are increasing in both volume and velocity. Until now, the focus for most security teams has been on mitigation, or limiting the damage after an attack. In the best case, teams limit the potential for an attacker to use a particular vulnerability. In other words, security limits the potential damage but does not eliminate the threat.
This approach, while eminently understandable considering the scale of modern threat environments, is outdated. Organizations now have the tools to remediate the threat and bring systems back to full operational status.
Pairing discovery solutions with remediation solutions is an indispensable step toward establishing the cybersecurity posture necessary to do business efficiently and profitably in the modern threat environment. Naturally, companies should prioritize their most vulnerable attack surfaces – in many cases, IoT systems.
As recent CISA directives have shown, along with high-profile breaches from IoT entry points, visibility and security of IoT devices in tandem with all cloud assets must be a top priority for all businesses.
Organizations should develop collaborative relationships with their insurers to ensure that their underwriters have the appropriate level of knowledge and understanding of the landscape as well as how it evolves in real time. At the same time, they must accelerate investments in automation to bring all potential weak points, especially IoT, up to a standard of capability and resiliency that all stakeholders from the boardroom to insurers to the security team itself can feel confident about.
In this way, organizations that take advantage of the latest security technologies, especially as they relate to IoT, will be poised to grow unencumbered by the weight of unsecure, invisible networks accumulating risk as time goes on.