Why cyber risk (exposure) is increasingly challenging to manage

Companies appear to be having an increasingly difficult time assessing cyber risk exposure, making managing cyber risk a more challenging task than ever.

There are several reasons why this is the case. Before looking at them in more detail, let’s sum up a few factors that made things worse in recent years. Take, for one, the enormous increase in cyber threats and cyberattacks since the global health crisis began in 2020. Throughout the pandemic, cyber risks became more diverse and numerous, with increasing complexity and visibility challenges, even though this trend had started earlier.

Cyber risk visibility and management

Add to this the rise in the use of digital tools, the acceleration of digital transformation, and the increasing digital footprint that characterized previous years, and the cyber risk challenge becomes even more understandable.

Managing cyber risks in times of digital transformation and ecosystems

In a broader context, the increased digital attack surface and greater exposure to cyber risks is the inevitable flip side of a higher degree of digitization, more connectivity, and increased investments in digital infrastructure.

Moreover, this digital transformation evolution goes hand in hand with an increasingly complex cybersecurity reality and need for cyber resilience.

The end goal of gaining visibility and control of the digital attack surface is ultimately to better understand and manage cyber risk. Yet over half (54%) of organizations admit their method of assessing risk exposure isn’t sophisticated enough. Less than half (45%) claim to have a completely well-defined process for this (Why global organisations are struggling to manage cyber risk, Trend Micro).

For a while now, cybercriminals have found an easier and more lucrative route in third-party cyber attacks and the software supply chain. This goes hand in hand with the increasing use of digital ecosystems (especially in large Industry 4.0 sectors and areas of activity), partner networks, or simply partners and vendors to help with digitization and business transformation. The result, again, is more cyber risk.

Those cyber risks will continue to be a challenge in the future. The end of the pandemic does not mean the end of increasing digitization. We previously described how several digital evolutions that occurred in 2020, 2021, and 2022 would continue to exist, at least in part, in ‘some new normal’.

According to McKinsey, COVID-19 has pushed many companies past the technology tipping point whereby business has changed permanently in many areas. Besides, we’re not going to stop digitizing right away either. And building connected partner networks will also be around for a while.

Lastly, we already see very different risks emerge worldwide. Many of them overlap with cyber risks, as the link between geopolitical challenges and specific types of cyber attacks and threats clearly shows.

Key challenges in assessing cyber risk exposure and cyber risk management

In short, it is becoming increasingly difficult to see all these cyber risks, assess exposure to them, and manage cyber risk overall. At the same time, the need to do it well is higher than ever with ever more digital business activity and the cost of data breaches continuing to rise.

Why it is so difficult to understand and manage cyber risk - source and courtesy Trend Micro

So, as promised, time for a more detailed look at some of the main challenges in managing cyber risk.

As part of a series of surveys, Trend Micro looked deeper into the challenges of digital attack surfaces and, more recently, at those cyber risk management woes.

We already knew that organizations are concerned about a fast-expanding digital attack surface with limited visibility. Now we know that they also need urgent help to discover and manage cyber risk across this environment. In many cases, the challenge is compounded by siloed point solutions (Bharat Mistry, Technical Director at Trend Micro).

According to the latest research, 54 percent of global organizations believe their cyber risk assessments are not sophisticated enough, leading to exposure to ransomware, phishing, IoT attacks, and other threats. Respondents also say that overly complex IT stacks and lack of leadership awareness exacerbate the problems.

Respondents were asked why it is so difficult to understand and manage cyber risk.

The largest group (38 percent) stated that it is simply hard to quantify, while a third (33 percent) said they don’t have the resources to manage cyber risk. Another third of respondents (32 percent) replied that they have limited visibility into cyber risks. At the same time, for a fifth, data silos pose a problem, standing in the way of a clear, actionable understanding.

Quite a few respondents also complained about too many tools (30 percent) and alerts (27 percent). This is the reason for Trend Micro to emphasize the need for a unified platform-based approach, precisely the strategy it has followed on a solution level since it launched its Trend Micro One technology ecosystem. The latter is positioned as “a unified cybersecurity platform with a growing list of ecosystem technology partners that enables customers to better understand, communicate, and lower their cyber risk.”

Other reasons that make it hard to manage cyber risk, per the respondents, include an explosion in remote working endpoints and shadow IT during the pandemic, the size and complexity of the modern distributed IT environment, and more, which are covered in the paper “The challenge of managing cyber risk”.