October is National Cybersecurity Awareness Month — a chance for everyone who relies on digital infrastructure to reflect on how to better contribute to overall safety. While it’s safe to say that cybersecurity has changed quite a bit since this observance was created in 2004, certain aspects remain essential in today’s landscape. As users become more connected and rely more heavily on cyber infrastructure, keeping systems secure becomes increasingly crucial.
Here at Tetra Defense, we’ve helped organizations of all shapes and sizes recover from equally varied cyberattacks. Whether it’s ransomware, business email compromise, or wire transfer fraud, we see first-hand how users brush shoulders with malicious actors more often than one would expect.
While it may be difficult to see what lies ahead in the overall threat/security landscapes, we can take this time to reflect on what’s changed since 2004, what organizations are doing now, and how thought leaders are preparing for the future. We’ve gathered insights from C-Suite & IT teams, Incident Response experts, and cyber insurance professionals for this year’s National Cybersecurity Awareness Month. Here are their thoughts on how cybersecurity can be brought to mind and better understood for organizations that need it most.
C-Suite and IT Teams
Tetra’s Director of Business Development, David Kruse, highlights the communication challenges that some organizations may encounter when discussing cybersecurity as a whole: “C-Suite and IT teams can often feel like they’re speaking different languages. Even as we all work towards the same goal (securing a client’s future), there are different processes, priorities, and seemingly competing viewpoints.”
In line with David’s point, Tetra hopes to bridge this gap by working towards a more mutual and robust “awareness” of cybersecurity. By featuring voices from several teams and industries, we hope to find a more common language.
First up is Micah Howser of NetDiligence®, with advice aimed at the C-suite in particular: “Top cyber insurance companies offer risk management resources to their policyholders. If you’re responsible for buying the policy, it’s important that you share what those resources are with company leadership, and more importantly, your IT and cybersecurity staff. For example, if you get hacked because an employee clicked a link they shouldn’t have and afterwards you found out that you could’ve gotten employee awareness training resources for little to no cost, that’s going to make for some very uncomfortable conversations.”
Individuals are crucial gatekeepers for any network. If they are not equipped with the education or awareness required to use email, the internet, or other network tools safely, they can open the door to malicious actors.
How Cybersecurity Adapts
Lauren Winchester from Corvus Insurance expands on the importance of thoughtful cyber policies. With her extensive experience handling complicated claims in the cyber insurance world, she has had a front-row seat (and in some cases, the driver’s seat) to the industry’s continual evolution. For IT and information security professionals, here’s her insight on what to keep in mind when it comes to insurance protection:
“We can move fast, just like you. This wasn’t the case a few years ago, and perhaps still isn’t with some carriers, but the most forward-thinking cyber insurers are now capable of performing security assessments that include the most urgent and current risks. CISOs and CIOs are trying to make their companies safer, in terms of reducing risk of an attack and responding effectively to an incident to mitigate loss when bad things happen. Insurers are able to be an active participant in both sides of this effort, not just a financial transfer!”
Keeping in mind how much a good broker or a good underwriter can contribute to cybersecurity is a vital part of protecting a network. Just as technical safeguards keep organizations safe, adequate, in-depth cyber insurance coverage is an equally important component of security.
Choosing the Right Tools
As Lauren mentioned above, insurance underwriters are always trying to better understand the reality of their clients’ risk. Accomplishing this usually requires long applications (asking which of the numerous controls, tools, and processes are in place) that are dropped on an executive’s desk every year. Usually the documents make their way to the head of IT, the CISO, or someone with more technical knowledge. With so much at stake within one application, it raises the questions: What insights are being gained here? And are we asking the right questions?
Tetra Defense’s Digital Forensics and Incident Response Analyst, Zach Dayton, brings an interesting insight into the discussion between cybersecurity and cyber insurance. Instead of (or perhaps in addition to) focusing on what tools are in place, let’s ask whether companies are devoting energy and resources to finding people who actually know how to use those tools.
“A primary constant of a poor security program is having tons of tools and not enough (if any) personnel that have the time or knowledge to utilize them.” Cybersecurity is never an “out-of-the-box” solution, and all the tools in the world don’t help if you don’t have the right people using them.
Good information security is often about simplicity over complexity — and doing more with less (especially when faced with tight budgets and limited resources). This philosophy is echoed by Aric Asti, Tetra’s DFIR Forensics Director: “When it comes to infosec, you don’t need new tools or products. Pay attention and utilize the ones you have.”
More Advice from Incident Response
The conversation between cyber insurance and cybersecurity wouldn’t be complete without real-world threat intel from Incident Response. Tetra’s Senior Director of Digital Forensics and Incident Response, Drew Hjelm, contributes the following:
“Here’s what cyber insurers should keep an eye out for: don’t skip the initial scanning. Evidence shows that this can reduce claims. Scanning isn’t the cure-all it’s sometimes made out to be, but it will help you find some very obvious holes in the system that should be fixed before an insurance policy is issued.”
As scanning can offer clear insights into a cybersecurity environment, it’s important for insurers to use this information in writing more appropriate policies. As Drew and his teammates from Incident Response know all too well, threat actors will take any easy opportunity they come across. Scanning does not realistically take the place of a full security assessment, but it can report on the “vital signs” of an organization’s cybersecurity before weaknesses are exploited.
While cybersecurity awareness training is vital for an organization’s day-to-day security, it is equally important to keep communication clear between stakeholders across all industries. As C-Suite teams make the most appropriate decisions, IT teams implement the most suitable precautions, and cyber insurers write the most fitting policies, they all work towards a common goal. While their approaches differ, their language is the same at the end of the day, and even beyond the month.
For more information regarding National Cybersecurity Awareness Month initiatives, head over to www.cisa.gov/ncsam.