Most organizations sit on a mountain of data they don’t know exists. This data not only increases the risk of ransomware attacks; it’s also a major contributor to the skyrocketing cyber insurance premiums, which have moved in lockstep with ransomware attacks. Why?
Because fundamentally businesses can’t manage risk for data they don’t know exists. Organizations really need to understand all their data and its purpose.
In 2021, as global ransomware damages soared above $20 billion, cyber insurance pricing climbed nearly 40 percentage points. In the U.S. alone, premiums have been increasing to the tune of 96% year-over-year, according to insurance broker Marsh. And while the rate hike has delivered a tremendous blow to businesses, it’s only part of the story.
Many are struggling to even secure coverage. Companies that do often find critical coverages omitted from their policies. Yet, cyber insurance has become an integral part of ransomware response.
This paradox has only underscored the urgency for businesses to start investing in their risk reduction now rather than wait until privacy laws are in place or they need cyber insurance, and it starts with understanding where data lives.
Contain data sprawl
The volume of digital content being created has progressed at a rapid clip. IDC anticipates that digital content will grow by four times over the next four years. And it’s mostly unstructured data.
In 2020, 6.4 zettabytes of new enterprise data was created and captured, most of which (51%) will get stored in the cloud by 2024, and this has a lot of CIOs worried. Digital file sprawl has become a chief concern among privacy and security professionals simply because it’s becoming nearly impossible to account for all of it, particularly when it ventures into unstructured territory.
Unstructured data represents approximately 70-80% of most organizations’ data by size, whereas structured data often has more elements, but makes up only the remaining 30%. But despite its prevalence, there’s a lot of ambiguity around what constitutes unstructured data.
Understand the nature of data
With enterprises now dealing with massive amounts of data and the threat of attacks like ransomware rising, organizations have to understand where their data resides and who has access to it.
While it’s easy to locate and manage structured data, unstructured data leaves organizations vulnerable to a breach. Most organizations are investing upwards of 80% in the governance of structured data, though it represents only a relatively small portion of the pie.
It’s often easier for companies to start with structured data because it lives in places that are easily searchable. This includes databases such as customer relationship management (CRM) systems, spreadsheets, inventory management software, and enterprise resource planning (ERP) management systems.
Unstructured data flows into the organization via internal logs, online chats, social media exchanges, and email. This data accumulates faster and it can also originate from structured sources, quickly propagating throughout the organization. An easy example of this: when data gets pulled out of a CRM or spreadsheet and is shared internally in a report, presentation, or via email or internal chat. This is where it becomes hard to locate and manage.
With unstructured data soon coming into scope under the new privacy laws, privacy professionals now realize they need to get a hold of it. Companies also need to understand the difference between the two types of data and where each lives, because it’s one of the best ways to reduce cyber insurance rates and ensure approval.
Why rates have risen and approvals and renewals have declined
Cyber insurers, coming off their own losses over the past couple of years, have tightened up the criteria for issuing cyber policies. Conditions for payouts have become more stringent, major protections such as ransomware coverage are being excluded from policies, and some companies are being denied coverage outright.
“The insurance sector has been hit hard for the past few years and this goes well beyond the cyber insurance sector,” said David Bowcott, chief commercial officer, Aon Global Construction and Infrastructure. “Insurers globally are diving deeper into their losses to better understand their origins and are seeking innovative risk controls to help prevent and mitigate the losses that have driven the current hard market.”
With insurers cracking down on risk mitigation, it’s imperative for companies to go into the application process fully prepared and with a clear picture of their data. This means approaching applications with a comprehensive data map and incident response plan. But many organizations start the process by asking what the underwriter needs from them, then backfilling or preparing everything, and this doesn’t set the stage for a positive outcome.
Today, most insurance carriers want to see:
- A comprehensive data map.
- A demonstrable understanding of data usage and outflows.
- Attestations by vendors that they are accurate and compliant.
- A comprehensive incident response plan.
- Proof of tabletop exercises that span all organizations to clarify roles and responsibilities in the event of a breach.
Data maps are foundational to any sound data security infrastructure. They let organizations understand where their data resides and where it flows, insight that will inform a more thorough incident response plan.
Depending on the structure of the organization, data maps are often time-consuming and resource-intensive to prepare and keep current, especially when done manually. Many organizations are using technology to automatically scan their structured and unstructured systems daily to keep data maps up-to-date and automate the vendor attestation process. This gives cyber insurers a complete picture and demonstrates that the organization knows what it’s doing when it comes to data and privacy protection. Businesses must invest in risk reduction now, and data maps are the place to start.
Dan Clarke, president, Truyo; Jeff Sizemore, chief governance officer, Egnyte