Creating a genuinely robust cybersecurity program is a constantly moving target — it isn't as simple as installing patches, rolling out training, and staying on top of evolving trends. Staying one step ahead of would-be attackers requires flexibility; this may include throwing out old patch management processes for a more frequent schedule or rolling out a robust training program to avoid the minefield of manipulation employed by social engineers.
The complexity of many internet technologies combined with the fact that we’ve bolted on so much of our security apparatus to make poorly-secured underlying protocols like email secure (SPF, DMARC, and DKIM) means even a PhD struggles. Some security breaches are the result of negligence, but many are due to niche resources/knowledge needed to understand this stuff. – Aaron Kraus, Security Engagement Manager
New exclusions are coming out to put more pressure on insureds to fix and patch vulnerabilities quickly. It will be interesting to see if this causes coverage issues on those exclusions. Coalition does not add in exclusions to policyholders based on their patch management policy. – Ross Warren, Production Underwriter
Best practices around patch management are no longer sufficient. Thirty days to test and deploy a patch is way too long because these vulnerabilities are being weaponized in a lot less time (seven days in this case). – Aaron Kraus, Security Engagement Manager
Emotional manipulation is a good way to override security awareness training. Phishing emails are becoming far more difficult to avoid, and BEC remains the most widespread type of incident. Having a robust phishing training program and a risk transfer method (like cyber insurance) to protect your business is critical to avoiding and remediating phishing attacks. – Ross Warren, Production Underwriter
It's important for your exchanges and cryptocurrency custodians to have a robust security program. Once cryptocurrency assets are gone, it is incredibly unlikely they will be recovered. A favorite (and interesting) line from the article: "While the motive behind returning the stolen digital funds remains unknown, in a 'Q&A' held via Ether transaction notes, the hacker claimed it was 'for fun.'" Some people just want to watch the world burn. – Tommy Johnson, Cyber Security Engineer
If you enjoyed this post be sure to check our blog weekly; the Risk Roundup runs Friday mornings in addition to more enlightening content we post related to the ever-evolving landscape of digital risk. Follow us on Twitter (@SolveCyberRisk) and LinkedIn (Coalition Inc). If you have any suggestions for content that we should be adding to our reading list, let us know!