It goes without saying that the cybersecurity landscape is changing… rapidly. We’re seeing a huge rise in attacks like ransomware, phishing, extortion, and more. More to the point, we’re seeing a huge rise in these attacks amongst the small to medium business sector. Cybersecurity is so much more than a bag of tools, and we’re getting into a space where we can’t do it on our own. Let’s review some complexities we are seeing or that I feel we will see in 2022.
Matt and I recently hosted a stream in which we reviewed a cybersecurity insurance questionnaire. From that one, and other ones I’ve been gathering for research, it’s clear that insurance companies are getting smarter. As well they should, they are probably tired of writing checks for loss after loss after loss.
The stance of most reputable insurance underwriters is changing. They’re asking more pointed and relevant questions around cybersecurity, sometimes even going over the top. The key thing to keep in mind here is that the questionnaire is just the beginning. Once you experience an incident, you’re likely going to want to make a claim. Once you do so, most insurance companies will bring in their own incident responders, investigators, PR firms, et al. If their incident response vendor takes one look and realizes you weren’t doing what you said you were in your answers, they probably aren’t going to take care of your claim.
The cybersecurity insurance business is a tough one, because they’re insuring a certain loss. The ke
Changing Threat Landscape and Defender Demands
Cybersecurity defense isn’t what it used to be. There was absolutely a day wherein a small business owner could purchase reputable antivirus software and think twice before visiting the more… questionable parts of the internet. Those days are so far gone.
Nowadays we’re fighting increasingly convincing phishing and BEC attacks, a seemingly weekly dose of zero-days, smarter and smarter drive-by attacks, and even relatively well done SMS phishing. The sheer number of angles threats approach from requires a professional approach. It’s like trying to keep people out of your office when they’re using drones, armored vehicles, fighter jets, spies in disguise, and invisibility cloaks.
From a pure technology point of view, the resource level necessary to mount a truly effective DefSec operation has increased drastically. We live in a world where we must understand that we can’t win every play. We’re going to lose from time to time. As a result, we need to also have our ‘special teams’ that can detect a discrete incident and respond to it (like a SOC Analyst). We also need defenders capable of using the state-of-the-art tooling we have available today, the surgeons trained in using the scalpels if you will.
One of my favorite Matt Lee talk tracks is his track on defensibility. If you’re going to have assets in the digital landscape, you need to understand that – at some point in time – you’re going to experience incidents and breaches. It’s just a fact of life. The biggest shift in cybersecurity we’ve seen by far is the demand for defensibility.
Defensibility is pretty easy to sum up. I see it in two parts:
Accepting that we can’t always win. Cybersecurity is a sport, sometimes a sick sport. We put our players out on the field with as much energy and skill as we can provide, and they do their best to gain all the yards. Even so, we do it with the understanding we will lose some.
Being confident we’ve done the “reasonable thing” to protect ourselves/our clients. This is the most important one. Just like a coach in football, we need to be able to say we’ve done the reasonable thing when reviewing our choices. What I mean is that we need to say we covered all the positions. If we end up in court, we need our attorneys to be able to explain, in no uncertain terms, that we applied smart and reasonable defensive security practices. The best way to do this by far is to leverage a recognized cybersecurity framework. Personally, I like the CIS controls.
State of Change
Cybersecurity is one of the most dynamic fields on the planet. Things are always changing. Think about lawyers. Once you pass your bar exam, you are held to certain continuing education requirements to ensure you’re kept up to date on the changing legal landscape as it pertains to your area of practice.
Cybersecurity is similar, except it changes exponentially faster. Unfortunately, there’s not yet a requirement for cyber professionals to meet education or skill standards. However, many professionals choose to do so through collegiate or certification efforts. Most reputable certifying bodies in cybersecurity have similar continuing education requirements.
Keeping up with the changing landscape requires a lot of time and commitment, time that you really shouldn’t spend unless this is your industry of choice. My point is the days of getting help from your middle school niece who also happens to be good with computers are gone. Proper IT management and cybersecurity requires a professional touch.
In summary, we’re at the point where the small to medium business sector just simply should not be managing their own technology. It is imperative that professionals are involved in the design, implementation, maintenance, and security of your technology footprint.