October Risk Roundup: Financially motivated attackers and disincentives from leadership are a bad combination
Cybersecurity is a team sport and it takes the right mix of incentives, training, and risk management to thwart threat actors' efforts. That’s why it’s disheartening when leadership fails to motivate people to care — and during cybersecurity month at that. As we’ve said before, no technology is completely secure, and that’s why good cybersecurity is a risk management problem that demands motivating the people you work with each day.
1. Governor seeks to prosecute journalist who identified website bug
Less of a hot take and more of a chilling take: going after someone who responsibly discloses a vulnerability creates a disincentive for researchers to disclose in the future, which instead leaves vulnerabilities out there for the bad guys to find. Recognizing that there are many elements at play here (lack of technical knowledge, saving political face, news media sensationalism), the governor’s response is troubling at least and counterproductive at worst. Security researchers deserve clear legal definitions and protections. – Aaron Kraus, Security Engagement Manager
2. How strong is your cyber defense?
Insurance agencies remain an excellent target for threat actors, and thanks to remote work environments, smaller independent carriers stand out from a cyber risk perspective. Once inside a carrier's network, threat actors hit the jackpot from an intel perspective. From here, they can quickly launch attacks against all of the carrier's clients. As a result, insurance carriers must be proactive about their cyber risk and not rely on insurance to respond. – Ross Warren, Production Underwriter
3. Ransomware attack hits small county
Ransomware attacks, for many organizations, are not a matter of if; they are a matter of when. Whether you are a small town on the famous Oregon Trail route or a large financial institution, everyone is vulnerable to ransomware attacks. Threat actors are agnostic toward class of business or industry type and instead scan networks for low-hanging fruit to monetize quickly and move on. – Kirsten Mickelson, Claims Counsel
4. Psychology and cybersecurity awareness
This is actually more than just weaving psychology into training, but it hits the mark exactly. Security awareness and training programs need a good pedagogical design (basically educational design using tested learning theories), including repetition and multiple delivery methods. The organization's culture is also critical — if you train people to spot phishing emails and then fire them if they fall victim and report it, then the training was worthless. That situation is a learning and growth opportunity where additional training is needed. – Aaron Kraus, Security Engagement Manager
If you enjoyed this post, be sure to check our blog weekly; the Risk Roundup runs Friday mornings in addition to more enlightening content we post related to the ever-evolving landscape of digital risk. Follow us on Twitter (@SolveCyberRisk), LinkedIn (Coalition Inc), and YouTube. If you have any suggestions for content that we should be adding to our reading list, let us know!