History is full of famous last words. There’s some controversy as to the famous last words of a daredevil: They’re either, “Watch this,” or “What could go wrong?” And the famous last words of many surfers and swimmers have been, “Are you kidding? I’ll never get bit by a shark.”

Likewise, the famous last words of more and more business owners have been, “Cyberattack? Me? Never happen.” That, unfortunately, constitutes a very expensive way to find out you’re wrong.

Reality Check

According to the October edition of Best’s Review magazine, in an article entitled “Cyber Coverage Hits Landmark but Challenges Remain,” we learn this:

This insurance coverage celebrates its 25th year of existence in 2022 … Not only have the policies changed dramatically over those 25 years but so have the exposures [and] the risks … The average cost of a data breach globally averages to US$4.35 million in 2022 … [affecting] not just major corporations, but middle-market and even small businesses … cyber insurance rates for 2021 had risen the most in the following industries: energy/oil/gas and utilities; media/leisure/entertainment; professional services; IT/technology/telecoms; financial services; and public sectors.

If you work in those industries — and others — your chances of suffering a cyber attack are greater than your chances of being bitten by a shark or struck by lightning. And given the exponential proliferation of cyber attacks, running the risk of suffering such an attack seems to fall somewhere on a scale between unwise and self-destructive. There might be good reason for running such a risk. But we don’t know what it is. And it certainly isn’t money.

Follow the Bouncing Ball

The chart below shows increases in cyber attacks and their related implications for the past 17 years.

The good news is there was a slight decrease in data compromises from 2021 to 2022. The bad news is the bad guys who perpetrate cyber attacks haven’t taken any time off, and they have gotten increasingly adept at getting what they want. And what they want is your data and the opportunity to hold you at ransom for it.

Here’s the bottom line: You can play fast and loose with your cybersecurity if you want to. But if you do, the thing that’s likely to suffer most is your bottom line.

Don’t get struck by lightning.

There’s an old saying that goes like this: “Wherever you are, that’s where you are.” We could never decide whether that’s really profound or really obvious. But it doesn’t matter. What does matter is a question we get all the time.

Whenever we talk to companies about cybersecurity, someone always asks, “Where do we start?” The answer is, “Wherever you are.” That means — whether you’ve done a little or a lot to protect your company from cyber attack — the best place to start is with the next logical step.

If you haven’t done anything, we’ll start with a gap analysis: How prepared are you for an attack? What’s your ability to recover? We’ll assess the level of vulnerability of your remote access points and the ease with which your networks and systems could be compromised. Then we’ll categorize your risks and prioritize our remediation efforts.

Next, we’ll act like hackers and do our darnedest to breach your environment. That will enable us to evaluate your network, your software, your security controls, and your defenses. Beyond that, we’ll keep an eye on your IT infrastructure to make certain it remains secure and compliant. We’ll even monitor dark web data for evidence of data theft, immediately reporting breaches or abnormalities. And we’ll help you prevent or minimize risks to your operation and your reputation from hacked or exposed credentials.

If You Already Have Some Protection

If it ain’t broke, there’s no need to try to fix it. Start from the most recent thing you’ve done and build on it. Fortify your defenses. Shore up your firewall. Replace your end-of-life network equipment. Check all of your perimeter and internal defenses and system configurations to ensure they’re as tight and secure as they were when you put them in place. And make sure you keep them up to date.

An attempted cyberattack is no longer a matter of if. It is most definitely a matter of when. You owe it to yourself, your company, your people, and your customers to make sure you’re prepared to ward off those attacks and to recover from them should they occur.

Wherever you are on your journey to cybersecurity, that’s where you start your efforts to become more secure.

We don’t know if that’s profound. But it’s necessary, now more than ever.

We remember a wise man once saying to us, “Never trouble trouble, till trouble troubles you.”

We thought of that during a conversation with a prospect the other day. He asked if we thought adding cybersecurity protection — and buying the cyber liability insurance for which his protection would qualify him — was inviting trouble.

“How so?” we asked.

“Well,” he said, “if hackers know I’ve gone to the trouble of securing my network and my data — and if they know I’ve purchased cyber liability insurance — they’ll think I have something valuable to protect.”

“You do have something valuable to protect,” we said, “your business, your assets, and your working relationships with your customers and partners.”

“Yeah,” he said. “But if I advertise that fact with all these cybersecurity measures and an insurance policy, won’t they think I’ve thrown down the gauntlet?”

“No,” we said. “They’ll think you’ve gotten smart and safe.”

Better Safe …

We also remember the line from Batman, in which Bruce Wayne says to Vicki Vale, “It’s not a perfect world.”

The fact is the world becomes less perfect as it becomes more complex. It also becomes more dangerous for the vulnerable and more advantageous for those who choose to prey on the vulnerable.

According to Statista:

Between November 2020 and October 2021, there were almost 24 thousand cyber security incidents worldwide. From this total, 2,065 incidents were detected in small companies. The professional and public administration sectors were the most targeted with 3,566 and 2,792 reported incidents respectively.

Also according to Statista:

Between November 2020 and October 2021, 5212 organizations worldwide experienced data breaches. Among selected industries, financial firms saw the highest number of data violations. Regarding organization size, smaller ones were victimized by data breaches more than large companies.

The common thread there is smaller companies.

Don’t Settle

If you’re a smaller company, you don’t have to settle for inadequate cybersecurity protection. You don’t have to settle for the exorbitant cyber liability insurance premiums you’ll be charged if you’re not adequately protected. You don’t have to settle for being vulnerable in a world of increasing risk and proliferating cybercrime. And you don’t have to be like the guy in the comic strip at the top of this post.

Be smart. Be safe. Be protected.

Okay. We admit the title of this post is a gotcha. But it’s also relevant to cybersecurity. How? We thought you’d never ask.

Consider: If the earth were flat — and unless it was two-sided like a sheet of plywood — it would always be daylight because it would never turn away from the sun. We suppose, on the other hand, that if the earth were more like a flying carpet and the sun rotated around it, the top would be light at times and the bottom would be light at other times. This is exactly why we’re not astronomers.

But because we’re cybersecurity professionals — and even if we weren’t reasonably sure the earth is round (we are) — the fact is while it’s light here, it’s dark there (wherever here and there are) and vice versa. And that brings us to relevance.

Let There Be Light

There’s a common misconception that the majority of cyberattacks are undertaken at night. That’s not true. But even if it were, it means somewhere in the world, in broad daylight, bad dudes are working hard to hack your digital environment while you’re sleeping. Since that’s true, the reverse is also true: Somewhere in the world, under cover of darkness, bad dudes are working hard to hack your digital environment while you’re wide awake.

To us, it really doesn’t matter if it’s dark or light. We don’t want bad dudes breaching our customers’ digital environments at any time of day or night. That’s why we do what we do.

Here are a few more thoughts: Viruses and ransomware don’t carry watches. They don’t care what time it is or that the earth is round. Neither does risk. That’s why it’s constant. You shouldn’t care, either. Regardless of what time it is, breaches and data theft are devastating and costly.

The actual time of day notwithstanding, if your environment is hacked, it’s going to be 0-Dark-30 for you, your business, your reputation, and at least some of the companies with which you do business.

We grant our bias, but that’s not a risk worth taking, day or night.

We don’t mean to be alarmist, but if you haven’t tightened up your cybersecurity, there may be millions of individual reasons to do so. Here’s one, from Ars Technica: “Hackers hammer SpringShell vulnerability in attempt to install cryptominers.” The article says this, in part:

“Malicious hackers have been hammering servers with attacks that exploit the recently discovered SpringShell vulnerability in an attempt to install cryptomining malware … SpringShell came to light late last month when a researcher demonstrated how it could be used to remotely execute malicious code on servers that run the Spring model-view-controller or WebFlux applications on top of Java Development Kit versions 9 or higher.”

If you’d like to read more about the SpringShell vulnerability, you can start here.

It Doesn’t Stop There

Here’s another one from Ars Technica: “Hackers are exploiting 0-days more than ever.” That one is even more chilling:

Previously unknown “zero-day” software vulnerabilities are mysterious and intriguing as a concept. But they’re even more noteworthy when hackers are spotted actively exploiting the novel software flaws in the wild before anyone else knows about them.

Ouch. If you’d like to read more about zero-day vulnerabilities, you can start here.

And from Forbes, there’s this: “When Botnets Attack.” Brace yourself:

“Cybersecurity attacks can come in many forms and with various technical approaches. Breaches are constant among industry and government being targeted. One method of exploit used by criminal hackers can be deployed with devastating and widespread consequences, botnets … Such orchestrated Botnet cyber-attacks are not new and have been going on for almost two decades, but they are proliferating and pose major threats. They are not only carried out by state sponsored intelligence actors, but also by organized criminal hacking groups.”

Should you be scared by all of that? Yes. But not as scared as you should be if you don’t take the appropriate cybersecurity measures.

Bad News/Good News

The bad news is there are bad dudes out there making very handsome livings by hacking systems for any number of reasons and many forms of data. The good news is you don’t have to risk being vulnerable.

If you don’t do it soon, it may be too late.

The money — and the business — you save may be your own.