[MUSIC PLAYING] I tell you, first and foremost, as we look, we have some challenges going on with the chip shortage and things. So we're doing our part, as any function within an organization, to help drive synergies, cost savings, and initiatives. So that's a gimme. And that helps us build credibility with the business and things.
From strictly a cybersecurity perspective, there's a few things of interest for us. One is converging the teams together because we're like this giant Titanic of an organization. So getting all the people in the transition plan but from protecting the organization I would tell you we're definitely looking at supply chain.
We just had our second annual security supplier symposium which we did jointly with General Motors and Ford Motor Company. This is something the OEMs got together and started this initiative to help try to bring education and resources to the supply chain. And it started with the OEMs. And that was a great event that we had just on Wednesday, the second annual one.
And also for us, it's about building our muscle memory and understanding that we are going to get attacked. I was just looking at some stats that almost, I think it was like 71% of organizations last year had some type of ransomware attack. I haven't validated the statistics but I've just seen some of it but we know for sure manufacturing is increased, we're the third targeted industry. So as I said, we're building muscle memory doing tabletops, doing our red team engagements, really trying to build our offensive security so we can be more proactive in how we address things.
It's really two things we should be focusing on, our identities and our data. That's the simplest form of where we should be putting our focus. And interesting enough, we're starting-- just to add to that, we're starting our insurance roadshow, which is basically it's time for cyber insurance, so what we're hearing right now is that multi-factor is now a requirement to get cyber insurance. So you ask me how to protect identities, by all means, multi-factor is key for us, not just in our email and what our collaboration service is but getting multi-factor expanded to our SaaS solutions.
But the complexity is as you said, the identities is key for us because we have so many dispersed identities, meaning we have identity management that could be local in some SaaS provider, we have our identity management system. And so it's really about converging and having one identity, one single source of truth for identities, and the right controls wrapped around it to make sure. Because as you know as we provision and de-provision, there's things that can get lost in the shuffle. And that's where we see incidents like what you're talking about happen.
I would say to me what zero-trust is, what I think is the most basic form is if you go back to when we first started and when people were moving from Novell to Active Directory, the concept of least privilege. Remember that, it was like only the access that you needed to your file shares or to the applications. It's really just that expanded to everything. To outside of those file shares and systems but now apply it to your network resources, apply it to every other thing that you're using in your technology portfolio. And that to me is what zero-trust is.
And when you look at, let's say, VPN everybody built up their VPN capabilities, which was more the traditional way of doing things when COVID first hit. And what that gave is you've seen all the attackers now shifted to what? Our VPN technologies, looking at vulnerabilities on VPN and exploiting that because that was the avenue to get into the organizations.
And to me, I think VPN is a technology that should be very-- should be used very few and far between. Maybe for remote support but our user community shouldn't be using VPN. We should be doing something different with our applications. If I think of a general employee, there's probably about a handful I can count on one hand how many apps that they're accessing internally because most of the stuff is SaaS now, your payroll, your financial stuff.
So it's really about getting those applications somehow reverse proxy or somehow front-ended, or using some type of system but I think VPN should probably go away and some of those other technologies. We need to rethink how we approach things. And like you said, it's like I said earlier, the concept of least-privilege, it's I only have access to a handful of things, why do I need access to the whole network?
My opinion is there is not going to be room, there is to be less tolerance and room for mistakes when we talk about architecture. And let me expand on that, when somebody asked me what's the difference between building on-prem and the cloud? And I said the reality is, is that there's more advantages in the cloud because you have the availability of all those tools and security features, feature sets right there. You just got to pay for it. I said, the issue is we're taking the same mistakes we made on-prem into the cloud, which is mostly configuration management, we misconfigure something in the cloud, it gets-- it has a bigger threat landscape, a bigger exposure.
So I think we're going to be more disciplined in how we-- baselining our configuration. We have to be, we've got to get it right the first time. And I think too is that there's going to be a lot more automation in the cloud, more updating. Because we're going to take advantage of those things to make sure that we promote from development to test, and from test to prod, all those things that we're taking advantage while we update the code that we're going to update everything else that needs to be done. So I think that's going to be some of the biggest advantages for us as we do things more in the cloud and everything. Is we're going to get more high availability of updated more up-to-date software, and less-- hopefully less known vulnerabilities when we move all those things in the cloud.
It's not that we're going to have an incident. I think we're-- it's about are we prepared to handle the incident? That's probably the biggest thing is making sure we have the right tools and things. For my team, it's making sure that we-- one is that we identify the incident, not some third-party letting us know. And two, that we're able to handle and mitigate the incident, contain it, and mitigate. And that our partners let's say, other areas of IT and other stakeholders, they have their stuff in order for the recovery. Because out of every incident we have to have some type of recovery, either restoration of services or backups or things. So that's going to be key. I would tell you just our ability to respond appropriately, that's what keeps me up at night.
I think like anything, it's going to be regulation or it's going to be tweaked. So at first, you're going to understand the boundaries, OK what classifies as an incident? And I think that still needs to be defined. And they're going to have to set some boundaries around that. And I think once that data starts coming in, I think we'll get a better idea of what the true amount of incidents that we're seeing, the ones that are-- but I will tell you, it's first-- for me I think we're going to-- most organizations are going to stumble a little bit because they're going to say is this really an incident or not?
I mean, we do it all the time, coming from a tier-one or an OEM or anything, we have contractual requirements to report incidents, OK. And now we've seen the language change, OK, report incidents, what kind of incidents? Now the language will say, OK, incidents that affect our data, or incidents that now affect our data that's classified as confidential. Because it's understanding what are-- we have tons of incidents, which ones do you want to know about? The ones that are important. So that criteria still hasn't been defined yet.
[MUSIC PLAYING]
08:22