“Zero Trust” is a term on the tip of every CISO’s tongue. However, certain misconceptions about zero trust continue to circulate in the cybersecurity community and into board rooms. CISOs in turn must educate their senior executives and directors on what the term means and doesn’t mean. For example, there is no such thing as a zero trust product. In addition, implementing zero trust does not make a system trusted. Identifying and dispelling these misconceptions is critical when deciding whether a zero trust approach is right for your organization.
Zero trust is not a new concept, but as times change, so too must cybersecurity strategies. The antiquated “trust but verify” model, for example, has proven insufficient. CISOs are now taking a secure by design approach: no user or device is trusted unless that trust is granted through policy-based access control. People get access to what they need to do their jobs, and nothing more. This approach makes sense given the heightened risk of unauthorized data access.
The threat landscape has changed dramatically since the start of the pandemic. Ransomware attacks have sharply increased and shifted in severity from standard to double extortion attacks. As organizations transitioned to a remote workforce, the threat landscape moved into the home, creating a whole host of vulnerabilities. A growing reliance on third parties, including cloud and SaaS services, put access to sensitive data like PII, PHI, and IP outside the corporate firewall. The best way to defend against this new threat landscape is to get in front of these risks. This means security needs to be top of mind all the time.
There is no silver bullet when it comes to preventing ransomware attacks. The best way to thwart an attack is to get back to basics. Require multi-factor authentication. Limit access to the network. Implement a zero trust policy. Run user training programs. These are not the only steps CISOs should take, but they are necessary for building a secure foundation. Threat actors have banded together for decades to engineer attacks, but now it’s the good guys’ turn to come together, share knowledge, and create processes to mitigate the risk of a ransomware attack.
Picture this: you’re a CISO at a hospital rushing from meeting to meeting, fielding calls in between, when suddenly you get the call. Bad actors infiltrated your system and are holding your digital assets for ransom. They’re demanding $500,000 or they’ll release your data. Data recovery isn’t your only concern. Many of these systems are literally keeping patients alive. What do you do?
When CISOs can see where their organization’s data lives and track how it moves across the network, they significantly reduce the risk of a cyber attack or data breach. To achieve this level of cyber intelligence, your tools must be able to talk to each other. The same goes for the people in your organization who have access to your data; they must be able to talk to each other. With cyber intelligence, you can visualize the vulnerabilities in your organization. Without it, it is only a matter of time before a threat actor takes advantage of the holes in your network.
The whole organization, not just the security team, needs to know how to respond when a cybersecurity incident occurs. Putting together an incident response plan that’s comprehensive and effective therefore can be a daunting task. Is it easy for management to execute? Is it easy for staff to follow? Do you conduct periodic table-top exercises? When was the last time you ran one? If you’re not sure where to start, or want to refresh your current IR plan, watch this video.
There’s more to information sharing than calling the Feds. You also need to inform your partners in the event of a cybersecurity incident, not just third parties but fourth and fifth parties, too. You need to consider what information to share and how to share it. If your Microsoft Exchange server was exploited, for example, sharing information via email is far from advisable. Information sharing can be especially difficult for smaller organizations that may not have established processes for it. All organizations must establish processes that include information sharing and also demonstrate its value to their employees.
“The show must go on” is not just a famous Queen song or a mantra in showbiz. Whether your network suffers a failed software update, a big storm cuts off your supply chain, or you have a major breach, you must do everything you can to keep the business running. In other words, your organization must be resilient. One aspect of cyber resilience is establishing a business continuity and disaster recovery plan. Perhaps the most important aspect of resiliency, however, is the resiliency of your team. It’s important to keep in mind the impact a major incident can have on your employees, especially in a post-pandemic world.