Cyber Risk Governance Insights | July 22, 2024
WEEK IN HEADLINES
HUMAN RESOURCES - Employees Targeted with Impersonation Tactics
Cybercriminals impersonate HR departments, urging employees to review a modified employee handbook. The email creates urgency and leads to a fake login page.
INSIGHT: Again, security awareness education! Consider implementing or improving employee training so staff know why and how to verify unexpected requests (for example, by contacting HR through a known channel rather than the link in the email), and back that training with email security controls.
FINANCIAL SERVICES - Geopolitical Hacktivist Attack & Target Sector
Security researchers report a surge in DDoS attacks against Romania, involving hacktivist groups like CyberDragon and the Cyber Army of Russia. These attacks coincide with discussions on defense cooperation and Romania’s arms exports to Europe.
INSIGHT: Consider deploying DDoS protection to ensure website availability. If you're an SMB, cloud-based DDoS protection services offer an affordable and scalable solution.
SOFTWARE - Global Outage Due to Faulty Security Update
A faulty CrowdStrike security update caused 8.5 million Microsoft Windows computers to crash, disrupting airlines, banks, hospitals, and more. The estimated financial damage exceeds $10 billion.
INSIGHT: For many organizations, disaster recovery plans were exposed as insufficient. Ask about your plans and when they were last actually tested, so you can recover quickly when a vendor lets you down.
APT - Global Campaign Targets Multiple Sectors
APT41, a persistent threat group from China, infiltrated organizations worldwide, extracting sensitive data. Their tactics included web shells, BEACON backdoors, and data exfiltration via OneDrive.
INSIGHT: A baseline safeguard is an effective patch management program that keeps software and systems up to date to close known vulnerabilities. Given the tactics reported here, pair it with monitoring for web shells on internet-facing servers and for unexpected bulk uploads to cloud storage services such as OneDrive.
GOVERNMENT - Smishing Scam Targets Unsuspecting Users
Cybercriminals exploit trust in USPS by sending convincing text messages, urging users to verify their addresses via a deceptive link. The attack leverages the victim’s trust in a public institution, making it dangerously effective.
INSIGHT: Security awareness and education can teach your employees to recognize suspicious text messages and to avoid clicking links in unexpected messages, even when they appear to come from a trusted institution; the safe habit is to go to the organization's site or app directly instead.
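Added example (not code from the newsletter or from any vendor it mentions): a small Python triage check that applies the advice in the HR impersonation and USPS smishing items above. It extracts the links in a message and flags any whose host is not the domain the message claims to come from, or a true subdomain of it, so look-alike hosts such as usps.com-redelivery.info are caught. The sample messages, the claimed domains (example.com, usps.com) and the function names are constructed for illustration.

```python
"""Link-to-sender alignment check for phishing and smishing triage.

Added example, not code from the newsletter. The caller supplies the
message text and the domain the message claims to come from; the sample
messages below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# http(s) URLs or bare "www." links as they appear in email and SMS bodies.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"')]+", re.IGNORECASE)


def extract_links(text: str) -> list[str]:
    """Return the URLs in a message body, normalising bare www. links and
    dropping sentence punctuation that trails a link."""
    links = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?")
        if not url.lower().startswith("http"):
            url = "http://" + url
        links.append(url)
    return links


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_aligned(host: str, claimed_domain: str) -> bool:
    """True only if host is the claimed domain or a real subdomain of it.

    The check requires a literal '.' + claimed_domain suffix, so a
    look-alike such as 'usps.com-redelivery.info' does not pass for usps.com.
    """
    domain = claimed_domain.lower()
    return host == domain or host.endswith("." + domain)


def triage(text: str, claimed_domain: str) -> dict:
    """Flag links whose host does not belong to the claimed sender domain."""
    links = extract_links(text)
    mismatched = [u for u in links if not is_aligned(host_of(u), claimed_domain)]
    return {"links": links, "mismatched": mismatched, "suspicious": bool(mismatched)}


# Constructed samples (not real messages).
HR_EMAIL = (
    "From: HR <hr@example.com>\n"
    "The employee handbook has been updated. Review and acknowledge it today "
    "at https://example-hr-portal.com/handbook/login."
)
LEGIT_HR_EMAIL = (
    "From: HR <hr@example.com>\n"
    "The handbook is on the intranet: https://hr.example.com/handbook."
)
USPS_SMS = (
    "USPS: your package could not be delivered. Confirm your address at "
    "https://usps.com-redelivery.info/track"
)

if __name__ == "__main__":
    for label, msg, domain in [
        ("HR email", HR_EMAIL, "example.com"),
        ("legit HR email", LEGIT_HR_EMAIL, "example.com"),
        ("USPS SMS", USPS_SMS, "usps.com"),
    ]:
        result = triage(msg, domain)
        print(f"{label}: suspicious={result['suspicious']} mismatched={result['mismatched']}")
```

The caveat a practitioner would add: this heuristic only catches the link-domain mismatch that both campaigns above rely on. It says nothing about a message sent from a genuinely compromised HR mailbox or a link that abuses an open redirect on the real domain, which is why the "go there directly" habit still matters.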
TECHNOLOGY - SEC Charges Dismissed, but Misstatements Remain
A judge dismisses major SEC charges against SolarWinds post-breach but allows action for misrepresentations before the cyberattack.
INSIGHT: Don't take comfort from this ruling. Business executives should still be looking for solutions that provide legally defensible evidence of having implemented, at a minimum, best-practice cyber risk governance and mitigation strategies.
INSIGHTS & EXPERT PERSPECTIVES
Cyber Insurance 2024: Balancing Risk and Coverage
The research for a new report, Cyber Insurance and Cyber Defenses 2024, found that by combining strong cyber defenses with the right cyber insurance, you can achieve a lower total cost of ownership (TCO) for cyber risk management.
This "holistic approach" not only reduces the chance of a major incident but also makes cyber insurance easier and cheaper to obtain.
The research also found that some companies might buy policies that don't fully address their needs.
Treat cyber insurance like any other investment—make sure it covers the specific risks your organization faces.
Highlights:
Widespread Adoption: many mid-market organizations have some form of cyber coverage. Singapore leads in the preference for coverage.
Supply Chain Motivations: because of the impact a cyber incident can have on partners, insurance and risk mitigation strategies are often required by customers or vendors.
Risk Management Holism: consider cyber risk governance holistically, and integrate compliance, defense, and insurance rather than treating them independently.
INSIGHT: Cyber insurance is a valuable tool, and it should complement—not replace—effective cybersecurity practices.
Cyber insurance is essentially a risk transfer mechanism.
However, far too often the news shows organizations with a false sense of safety because insurance will cover financial losses. It does not address operational disruption, reputational damage, or the erosion of customer trust.
Companies that invest in measurable cyber resilience may qualify for better rates or broader coverage. Conversely, weak cyber mitigation could result in higher premiums or limited coverage.
You also need to read the small print, or details of the policy coverage - not fun, but necessary! Cyber insurance policies often have limitations, exclusions, and deductibles - which means that not all incidents are covered equally. You may find yourself inadequately protected if you rely solely on insurance.
You need to do a Business Impact Analysis (BIA). By doing this you'll have a better view of all operational risks, including cyber. You'll also get input from your departments on how to mitigate each risk or have it covered by insurance. This then helps you find a balance between investing in appropriate defenses and buying insurance coverage.
Vigilance, risk awareness, and a proactive cyber risk governance mindset remain critical for companies of all sizes.
LINKEDIN LIVE EVENT - Cyber Risk Governance
5 Critical Questions Boards Must Ask
We're excited to invite you to our upcoming LinkedIn Live event, "Top 5 Questions for the Board to Ask," featuring special guest Alex Sharpe.
Alex is a well-known figure in the cybersecurity industry, with an impressive track record of success. He has built two startups, including one with a successful IPO exit. Alex has also developed strategic plans for over 10 global companies, with clients spanning more than 20 countries across six continents.
Importantly, Alex is an advisor to Netswitch, providing strategic guidance for the company and our product development. He and our host, Sean, have been discussing cybersecurity topics for over five years.
Alex has been one of our early contributors, sharing his insights at our virtual studio and providing valuable recommendations over the years. In fact, you can check out our last discussion when the SEC Cyber Rule was introduced: [https://youtu.be/eCiPUMNyKkg](https://youtu.be/eCiPUMNyKkg)
This upcoming event will be a sequel, focusing on the critical topic of Board 'readiness.' Alex will share his insights on the following key questions board members should be asking:
How are we ensuring alignment between the business strategy, the security strategy, and operations?
How are you integrating cyber into our Risk Management practices?
What do you want from us?
What do you want us to be asking you?
What is the plan for moving towards resilience?
Don't miss this opportunity to gain valuable insights from one of the industry's top experts. Join us for an engaging discussion on board readiness and cybersecurity best practices.
Date: Tuesday, July 30th 📅
Time: 1 pm ET 🕐
Register to Attend: 5 Critical Questions Boards Must Ask ✔️
Sharpen Your Cyber Edge with Netswitch
Master Compliance & Minimize Risks:
Independent Security Audit: Identify network risks with our automated Security And Risk Assessment (SARA). Get a clear picture, prioritize improvements, and optimize resource allocation. Contact Netswitch.
Free "Quick Start" Program: Gain a free cyber risk and governance health check. Enroll now and start building resilience.
Deepen Your Knowledge:
Join Our LinkedIn Group: Collaborate with industry leaders in the CyberRisk Governance Group on LinkedIn. Share insights and stay ahead of the curve.
Live Events: Participate in interactive LinkedIn Live sessions. Explore cyber risk topics with executives, technologists, and governance professionals.
Don't wait.
Contact Netswitch today to take control of your cyber risk.
Disclaimer: The information and links provided in this newsletter are for informational purposes only. Netswitch does not warrant the accuracy or completeness of such information and is not liable for any damages arising from its use.