Welcome to the November edition of the Consortium Networks Monthly Newsletter. This month was very exciting at Consortium as we welcomed several new team members Greg Squires, Sharon Stanton, Brianne McKenna, and Noel Seivright. Consortium was also honored to be named by CIO Bulletin as a “Top 10 Security Company of 2022.” Now, on to November!
The Problem: CEOs, boards of directors, CISOs, and CSOs are not on the same page when it comes to cybersecurity risk. In two separate studies in 2022, Proofpoint found that globally, 65% of board members believed that their organization was at risk of a material cyber attack in the next year while only 48% of CISOs said the same. In the U.S., these numbers are much more widely varied with 78% of board members expressing this concern but only 34% of CISOs agreeing. The only counties with similar portions of boards and CISOs in agreement were France and Singapore.
The Reason: For the board of directors, this perception gap can be attributed largely to human nature and proximity. Board members are likely getting a large amount of information surrounding cybersecurity from regular media outlets and maybe a few more tailored cybersecurity-focused outlets. The vast majority of these stories will be about large-scale breaches and attacks. Without an intimate knowledge of the controls their organizations have in place and the actual risk profile they have, these events will feel more likely, increasing their perception of risk.
CISOs have the inverse relationship to their organizations. They are typically knowledgeable of the controls in place and what threats are actually worth worrying about for their organization. They are also more likely to read reports that get in the weeds of the most relevant threats.
Communication, as in so many things, is crucial here. Boards are often given one of two responses when CISOs update them on current risks and/or changes since the last update: it’s all good or it’s all terrible. This lack of consistent actionable information sharing between the two groups is at best, unhelpful and at worst, a liability. Neither response provides practical steps to reduce risk and both add to a lack of collaboration between the board and its cybersecurity team.
On a similar thread of communication, the rhetoric around cybersecurity is also damaging to the real preparedness of an organization. We are constantly reminding ourselves and those around us that the threat of a cyber incident “is not if, it’s when.” While this helps draw attention to the topic of cybersecurity as an integral part of risk management at every organization, it also anchors the conversation around the issue at a point that is not necessarily transferable to the real world. Risk needs to be communicated in a way that is tailored and specific to the organization rather than in these grandiose rhetorical terms if we want to get everyone on the same page.
The Importance: The SEC’s proposed rule that would put more responsibility on boards of directors to ensure the cybersecurity of their organizations and to disclose the board’s cybersecurity expertise highlights the need for a full understanding of the real cybersecurity risk by the board. Particular attention is being allocated to CEOs, according to Gartner, even ahead of CTOs, CIOs, or CISOs, especially in tech-heavy industries.
Luckily, the same study shows that boards and CISOs see a similar hierarchy of risks with email fraud/BEC and cloud account compromise being the most concerning and ransomware, supply chain attacks, DDoS, malware, insider threats, and smishing/vishing following in that order. This means that while everyone is in agreement over what the threats are, plans to mitigate threats may vary widely between the two groups.
The Solution: This issue shines a bright light on the need for strong communication and information sharing between the technology-oriented and business leaders in an organization. Tools like Consortium Networks’ Metrics that Matter® that put cyber risk into dollar amounts are designed to do exactly this– translate between CISOs and business leaders in a way that both understand.
Though the pandemic likely accelerated the transition from the segmentation of work and personal devices, we have been headed that way for quite some time. Most people don’t have a work cell phone and instead are likely logged into their work email, zoom, slack, and other apps on their personal phones that they use for everything including TikTok, Twitter, and texts. This melding of personal and business devices makes accessibility more convenient and makes forgetting your device at home less likely while also significantly expanding a company’s attack surface and risk level.
This month, the spotlight has been placed squarely on Microsoft for its apparently lax security controls and failures to properly solve discovered vulnerabilities. On October 19, the company announced a large data breach caused by a misconfigured Microsoft endpoint. A week later, on October 25, Microsoft announced a fix for MFA push notification spam that will institute number matching to approve a request. Though this will not stop MFA spam, and it is not clear if there will be an override option for those simply wishing to make the spam stop, it will, in theory, make it more difficult for someone to accidentally authorize MFA by making them have to type in a specific number on a device. A Wired article this month noted the substantial lag time across Microsoft products for solving security issues. Even if an organization has moved away from Microsoft, it cannot guarantee that the personal devices of its employees are free from these apps, leaving the organization open to attack through these means in a way it wouldn’t have been in the past.
This issue is at the heart of the Biden Administration’s push for shoring up internet of things (IoT) device security. IoT devices are often connected to an employee’s phone through unsecured channels and are ripe for hacking attacks. Think about how many devices an individual employee may have connected to via Bluetooth on their phone: an Amazon Alexa, smart light switches, a coffee maker, the refrigerator, an interactive dog toy, a thermostat, and more. None of these devices were built with security in the foreground and most of them have not bothered to add security on the back end. Many IoT devices were manufactured with hard-coded passwords that cannot easily be changed, leaving them particularly vulnerable. All of these provide opportunities for attackers as a way into an employee’s cell phone which is integrated into the organization’s network via VPN, corporate email, company apps, and third-party apps used by the company.
Individual applications on an employee’s phone provide yet another security risk for an organization. Earlier this month, Forbes reported that TikTok’s parent company, ByteDance, planned to use data collected by TikTok to track the locations of U.S. citizens. For many companies, this cyber-related intrusion presents a physical security concern, especially for high-profile employees that may be a target. McAfee reported this month that a malicious clicker was found in various apps in the Google Play store that were downloaded by over 20 million users demonstrating once again the cybersecurity risk that the use of personal cell phones in a corporate environment presents to organizations as a way for well-meaning employees unknowingly to open the door to cyber criminals, hacktivists, or nation-state threat actors.
The increasingly blurred lines between a person’s professional and personal life are creating greater security risks. As technology policies are changed to increase productivity and accessibility while lowering costs, a company’s attack surface grows and the job of an attacker is made easier and easier. Bifurcation may create challenges for both the organization and the employee, but it makes managing an attack surface much easier and may be worth the cost in the long run.
In the News
Hacks: October may have been Cybersecurity Awareness Month, but that did not stop the hackers from continuing business as usual. It would be impossible to recount every hack over the last month, but here is our view on some of the trends and highlights of October.
The two main sectors targeted were various governments and critical infrastructure, especially within energy, telecommunications, and manufacturing. In addition to hacktivist attacks by Guacamaya and Black Reward on Chile, Iran, and Australia, the British, Australian, and American security sectors were targeted along with the Parliaments of both Slovakia and Poland. As for critical infrastructure, the United States was not hit heavily with the only major attacks being on the Common Spirit hospital group (ransomware) and various airports (DDoS). Australia’s telecommunications company Telstra was hit with a data breach following a flurry of activity in September while Germany saw its energy company Enercity, news agency Stimme Mediengruppe, and copper mining company Aurubis hit over the month. Toyota in Japan suffered a data breach as well. A Ghanian energy company, ECG, Indian power company, Tata Power, Iran’s atomic energy organization, Singapore telecommunications company, Singtel, Brazilian television group, Record TV, and various transportation and logistics businesses in Ukraine and Poland were hit with several attacks over the month as well.
We are continuing to see data exfiltration catch up to ransomware, especially in the big-hitter cases. Out of the attacks that Consortium was watching this month, 7 were ransomware, 6 were data exfiltration, 4 were hacktivism, and 3 were DDoS.
In the Courts: Courts across the U.S. and the world came to play this month. In Brazil, a suspected member of the group Lapsus$, the same group recently in the public eye for hacking Uber, was arrested and a court in the United Kingdom fined the Interserve Group £4.4 million for a data breach.
In the United States, a notorious Georgian hacker was sentenced to 25 years in prison for stealing almost $10 million through cyber financial fraud and Canadian Sebastien Vachon-Desjardins was sentenced to 20 years in addition to the 7 handed down to him by the Canadian court system. Accountability has been in the spotlight as the former Uber security chief was found guilty of obstructing an FTC probe into a 2016 data breach at Uber and Drizly CEO James Cory Rellas is being personally named by the FTC as liable for a data breach under his leadership in 2018. The FTC is going after Chegg for inadequate security measures. In striving to minimize the unauthorized collection of biometric data, the Texas Attorney General is suing Google for collecting it while a group of Illinois railroad employees is being rewarded $228 million in damages for the unauthorized collection of their data.
Chatter: As is appropriate for Cybersecurity Awareness Month, many reports on cybersecurity were released across the government and private sector this month and many statements by experts across the plane were given. We would like to highlight four: the Gartner report, a scathing article from Wired about Microsoft, the 2022 Cisco Consumer Privacy survey, and a Washington Post “Securing Cyberspace” post-event analysis.
- Gartner forecasts that spending on public clouds will continue to grow over the next year by 20.7%, or to nearly $600 billion worldwide. Even with the looming economic woes of this post-pandemic world, cyber services are not among the first expenditures companies will look to cut.
- The Wired article notes the danger of faulty Microsoft servers, discussed further in the Trend Line article above.
- The Cisco Consumer Privacy Survey showed that what consumers want most from the organizations they trust is transparency on what their data is being used for, rather than for organizations not to collect it in the first place.
- At the Washington Post event, Crowdstrike and Silverado Policy Accelerator founder Dmitri Alperovitch said that we are entering “the most dangerous times that we’ve had in the history of the cyber domain when it comes to our infrastructure here in the West, both because of what Russia may be doing against us as well as China, where we are both simultaneously entering a time of confrontation with both countries.”
Food for Thought: This month saw the introduction of three big tech solutions: a Windows 11 anti-phishing protection, Microsoft’s number-matching anti-MFA push notification spamming protection, and Google’s GUAC software supply chain management tool. It also saw the Department of Treasury put out a request for comments on how a potential federal cyber insurance program might look and credit reporting companies beginning to consider how a company responds to a cyber attack as part of its rating. All of these are interesting developments to watch over the coming months.
White House: The Biden Administration has kept focused on cybersecurity this month. Some policies and initiatives it pursued over October include:
- The Cybersecurity Labeling program aims to help consumers identify secure Internet of Things devices
- An EU-U.S. data flow Executive Order to facilitate secure information sharing. This agreement is meant to replace the Safe Harbor and Privacy Shield agreements struck down by the European Court of Justice for not protecting user data adequately. The White House claims this plan has the necessary security safeguards in place but some privacy advocates are skeptical.
- The 2022 National Security Strategy was released. Though the plan is light on details about cybersecurity, the forthcoming National Cybersecurity Strategy will be “tough,” according to National Cyber Director Chris Inglis.
- The White House announced its next 100-day cybersecurity sprint sector: chemicals. Previous sprints have included the electric, pipeline, and water sectors.
- President Biden hosted representatives from 36 other countries and the EU for a two-day summit on ransomware as part of the global fight against cybercrime during the last week of October.
CISA: This month, CISA released guidelines on reducing the impact of DDoS attacks alongside the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) and on tightening cybersecurity controls for critical infrastructure organizations operating on a tight budget. CISA also released a binding operational directive for federal civilian agencies to report software vulnerabilities regularly. In mid-October, CISA announced that it will focus on shoring up the cybersecurity of hospitals, schools, and water providers for the next year.
Other Executive Branch Agencies: Several other agencies within the Executive Branch turned their eyes towards cybersecurity this month, including:
- The Department of State launched an outreach program for Silicon Valley technology firms as a vital part of solving the nation’s top national security challenges
- TSA released cybersecurity regulations for passenger and freight railroad
- The FCC finalized cybersecurity requirements for emergency alert systems
- The National Cyber Director requested comments on building the cyber workforce and cybersecurity training and education
Congress: Congress introduced four bills related to cybersecurity in October. They are the “Ensuring Cybersecurity at the National Institute of Health Act” (H.R. 9228), the “Department of Health and Human Services Cybersecurity Coordination Act” (H.R. 9229), the “Critical Electric Infrastructure Cybersecurity Incident Reporting Act” (H.R. 9234), and the “Cybersecurity Skills Integration Act” (H.R. 9259).
United Kingdom: The United Kingdom announced plans to fully drop the GDPR data privacy framework in favor of new legislation modeled after Israel, Japan, South Korea, Canada, and New Zealand.
Australia: Australia has seen many high-profile attacks lately and is responding with a stronger data privacy protection law that carries harsher fines against companies not doing enough to protect consumers.
Canada: Canada released its National Cyber Threat Assessment for 2023-2024 this month. Canada listed ransomware as the most disruptive cybercrime for Canadians, noted increasing state-sponsored cyber attacks, highlighted the risk to critical infrastructure, and underscored the threat of mis- and disinformation.
Thank you to everyone who stopped by our booth at September’s Fal.Con and those who attended our get-together in New York City. We loved seeing all of you at the Advisen Cyber Risk Insights Conference, the Women in Cybersecurity Reception, and many other events over the past month.
November 8-10: Oktane 22
- San Francisco and Online
November 9: IT Nation Connect USA
- Orlando and Online
November 9: Washington Technology Summit CMMC 2.0
- Washington, DC
The Official Cybersecurity Summit
November 14: Security 500
- Washington, DC
November 16: Security Week’s Threat Hunting Summit
November 17: Cybersecurity and Data Protection Summit
November 30: Wall Street Journal Pro Cybersecurity Forum
- New York
December 1-2: Global Entrepreneur Summit
- CEO and President Tim Murphy will be a featured speaker
Your Cyber Concierge: Our team is ready to help you find solutions for all of your cybersecurity needs. From Endpoint Detection and Response to Multifactor Authentication to Threat Hunting, we will work with you to find the best solution for your organization and your specific budget, needs, and goals.
Cybersecurity Assessments: Trust our team to quickly and consistently measure your controls against the NIST Cybersecurity Framework, including coverage against each specific domain and sub-domain, maturity of implementation, and provide actionable, prioritized recommendations. Our assessment will satisfy common compliance and regulatory requirements related to regular cybersecurity risk assessments.
Incident Response Planning, Playbook Development, and Tabletop Exercises: To be effective, incident response planning must be relevant to the core functions of your organization. By developing documents to guide actions in a time of crisis, and testing those approaches regularly, your organization will be maximally prepared to minimize the operational impact of a cyber event. Contact Consortium Networks for more information.
Cybersecurity Policy Development, Review, and Refresh: The threat landscape is constantly evolving. So, too, are regulatory and compliance requirements, as well as expectations from clients and third parties. Cybersecurity policies need to anticipate future threats and be kept up to date with accepted best practices while at the same time balancing ease of understanding and implementation. Let us take care of this process for you.
Request for Proposals (RFP) and Procurement Advisory: The requirements set forth in an RFP will determine not only the breadth and depth of potential responses but will also shape all future interactions on the topic with the responding parties such as contract negotiation, payment terms, deliverables, and acceptance criteria. The RFP sets expectations for both parties and outlines avenues available to hold each accountable. Avoid frustrating and costly amendments by making sure your organization has appropriately scoped your RFP from the start.
Any questions? Contact our policy analyst for more information on how events this month may impact your organization by emailing email@example.com