Issue Twenty Five

May 2023

Organizations are facing increasingly complex challenges, such as the convergence of business and IT risk, the rise of misinformation-driven cyberattacks, and the critical importance of password security. The post-pandemic era has accelerated the integration of business and cybersecurity threats, forcing companies to adopt a holistic approach to risk management. Cybercriminals, adept at exploiting misinformation, have crafted sophisticated financial scams, targeting businesses and individuals. Additionally, the often-overlooked aspect of password management poses significant risks, with the potential for misuse by former employees.

These interconnected challenges emphasize the importance of proactive and integrated risk management strategies. As we examine the rapidly changing risk landscape - driven by globalization, supply chain reliance, and cloud dependencies - we must discuss the urgent need for organizations to prioritize cybersecurity conversations and digital stewardship.

For business leaders, these discussions should investigate the growing threat of misinformation-driven cyberattacks and the vital role executives play in fostering a culture of cybersecurity awareness. They should also highlight the pressing issue of password security, emphasizing effective policies, coordination between HR and IT departments, and the implementation of technical solutions such as multi-factor authentication.

By examining these intertwined challenges, this issue of Target Lock provides valuable insights for organizations seeking to fortify their defenses and navigate the complex digital world with confidence. Enjoy.


ZEROING IN


Cyber risk is a business risk

Security Magazine

The once-distinct line between business and information technology (IT) risk is rapidly vanishing, as increasing financial uncertainties and legal liabilities become intertwined with cybersecurity risks. Risk Management Officers are now finding it crucial to work closely with their organization's Chief Security Officers. The merging of cyber and business risk has been accelerated by post-pandemic trends, such as globalization, supply chain reliance, cloud dependencies, economic downturns, and the return of employees to offices.

These changes are forcing organizations to reassess their risk exposure, mitigation, and monitoring strategies. Cyber defenses must address compliance, architecture, and post-breach scenarios, while also preventing cyberattacks by identifying external attack surface security vulnerabilities. As the average cost of a data breach in the US reached an estimated $9.4 million in 2022, businesses must recognize that operational risk is inherent and could have significant financial implications.

"The business imperative is always “don’t be breached;” however, there is no such thing as operating a business without operational risk and that includes breaches. That risk can translate to dollars and cents."

As the "Great Reset of 2023" unfolds, organizations are likely to transform and upgrade their infrastructure to create more sustainable, affordable, and manageable systems. However, this IT restructuring introduces risks, as security teams must support legacy platforms while transitioning to new ones, with the potential for misconfigurations or overlooked assets leaving holes in their external attack surface and risk profile.

Globalization, as well, has resulted in a new risk landscape, with Secretary of Homeland Security Alejandro Mayorkas asserting that the US faces a "new kind of warfare" that blurs the lines between private and public organizations. This shift has led to a wave of new federal and private regulations around risk identification, analysis, assessment, mitigation, and monitoring, such as the Cybersecurity and Infrastructure Security Agency's Binding Operational Directive 23-01.

"...C-level security and risk leaders are taking a fresh look at cybersecurity liabilities as regulators take a more aggressive stance against companies that they believe are being negligent when it comes to breaches."

Industry standards have also been revised to address emerging cyber threats, but compliance alone is not enough. Cybersecurity risk management must become integrated into overall organizational risk management to ensure business continuity. According to a 2022 PwC survey, 49% of CEOs identified cyber risks as their primary concern, recognizing the potential for cyberattacks or macroeconomic shocks to undermine their company's financial goals.

Addressing business risk now requires a thorough understanding of cyber risk. Involving business leaders in cybersecurity conversations is crucial for effective digital stewardship, business leadership, and financial stability.

"That focus on critical business activities is a priority that begs the questions: What’s likely to be attacked and why, what exploits might an attacker use to strike and what effect will it have on business continuity?"

SQ Insight: Kenneth Holley - Chairman


Cyber Thieves Are Getting More Creative

Harvard Business Review

The prevalence of cybercriminals exploiting misinformation to orchestrate financial scams against businesses and individuals has reached a critical juncture. The severity of how cybercriminals deftly combine misinformation with genuine data, often obtained through cyberattacks, is evident in the execution of these damaging schemes. Executives must confront this urgent threat and proactively protect their organizations.

Three primary examples of cybercriminals successfully profiting from misinformation are: wire transfer fraud, payroll theft, and social engineering attacks targeting employees. These instances illustrate the cunning nature of cybercriminals, emphasizing the importance of constant vigilance in an ever-evolving threat landscape.

"Although misinformation, in the form of fake news, is a problem - combining lots of real information with just a tiny bit of misinformation can be devastating."

To mitigate these risks, business leaders must prioritize the following critical takeaways:

  1. Implement rigorous verification processes: "Companies must implement stringent procedures to validate wire transfer instructions and other financial transactions." By doing so, businesses can prevent wire transfer fraud and other scams from causing significant financial losses.

  2. Cultivate a culture of caution: Educating employees about the latest scams and tactics employed by cybercriminals is vital. Encourage vigilance in verifying requests, particularly those involving financial transactions or sensitive information.

  3. Emphasize proactive security measures: Organizations must prioritize holistic cybersecurity solutions and employee training programs to identify and prevent potential threats before they manifest into damaging attacks.

This is a crucial reminder of the significant threat misinformation-driven cyberattacks pose to organizations. Executives must champion a culture of cybersecurity awareness, instill caution among employees, and invest in robust security measures. These proactive efforts will help mitigate the risks associated with misinformation-based cyberattacks and safeguard the organization's financial and reputational assets.

SQ Insight: Adam Brewer – Chief Executive Officer


The Importance of Enterprise Cybersecurity and Password Management

Password Manager

Introduction:

Password management remains one of the most basic yet critical aspects of cybersecurity. Unfortunately, many companies still struggle to implement effective password policies, leaving them vulnerable to attacks. In this comment, we will highlight the importance of enterprise cybersecurity and provide recommendations for improving password security within organizations.

The Problem of Password Misuse by Former Employees

A recent survey conducted by Password Manager has revealed some alarming statistics about password misuse by former employees. Nearly half of the workers admitted to using their passwords to access accounts of their former employers, including email, paid subscriptions, and other company data. While most suggested doing so only for personal use, ten percent acknowledged accessing the accounts “to disrupt company activities.” One in three workers said their former employers' password security was ‘unsafe’ or ‘very unsafe.’ These findings underscore the importance of implementing effective password policies that include onboarding and offboarding procedures.

Improving Password Security

Here are a few things you should ensure now:

Require robust and unique passwords: Companies should require employees to use strong, unique passwords for all accounts, including those used for personal use. Change passwords regularly and encourage password managers where feasible.

Coordinate with human resources: The HR department should coordinate with the IT department to confirm disabling all accounts or network access simultaneously with termination.

Implement technical solutions: Technical solutions or safeguards will help manage the human element. Maintaining and centralizing employee accounts and network access inventories will facilitate disabling upon termination.

Require multi-factor authentication: Access to any company network or data should require multi-factor authentication to reduce the risk of unauthorized access.

Reiterate expectations at termination: While the company should maintain and enforce a code of conduct that includes appropriate use and misuse of intellectual property and proprietary information, the responsibilities should be reiterated (and acknowledged by the employee) at termination to emphasize post-employment expectations.
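One way to put the HR coordination and centralized account inventory advice above into practice, as an added example that is not from the original article or from Silent Quadrant: a reconciliation check over a constructed HR roster and account inventory (all employee ids, account names, systems and dates are made up) that flags accounts still enabled after termination, logins after the termination date, and accounts with no HR owner.

```python
from datetime import date

# Constructed sample data (not real): an HR roster export and a centralized
# account/network-access inventory, as the recommendations above call for.
HR_ROSTER = [
    {"emp_id": "E100", "status": "active",     "terminated": None},
    {"emp_id": "E101", "status": "terminated", "terminated": date(2023, 4, 14)},
    {"emp_id": "E102", "status": "terminated", "terminated": date(2023, 3, 1)},
]

ACCOUNT_INVENTORY = [
    {"account": "e100@example.com", "emp_id": "E100", "system": "email",
     "enabled": True,  "last_login": date(2023, 5, 2)},
    {"account": "e101@example.com", "emp_id": "E101", "system": "email",
     "enabled": True,  "last_login": date(2023, 4, 20)},   # still on after leaving
    {"account": "e101-vpn",         "emp_id": "E101", "system": "vpn",
     "enabled": False, "last_login": date(2023, 4, 13)},   # correctly disabled
    {"account": "e102-saas",        "emp_id": "E102", "system": "saas",
     "enabled": True,  "last_login": date(2023, 2, 27)},   # forgotten subscription
    {"account": "svc-reports",      "emp_id": None,   "system": "saas",
     "enabled": True,  "last_login": date(2023, 5, 1)},    # nobody in HR owns it
]


def find_offboarding_gaps(roster, inventory):
    """Reconcile the account inventory against HR employment status.

    Returns a list of (account, finding) tuples, where finding is one of:
      "enabled_after_termination" - owner is terminated but the account is enabled
      "login_after_termination"   - a login happened after the termination date,
                                    i.e. the former employee's credentials were used
      "no_hr_owner"               - no HR record owns the account (orphaned access)
    """
    by_id = {e["emp_id"]: e for e in roster}
    findings = []
    for acct in inventory:
        owner = by_id.get(acct["emp_id"])
        if owner is None:
            findings.append((acct["account"], "no_hr_owner"))
            continue
        if owner["status"] != "terminated":
            continue
        if acct["enabled"]:
            findings.append((acct["account"], "enabled_after_termination"))
        if acct["last_login"] and acct["last_login"] > owner["terminated"]:
            findings.append((acct["account"], "login_after_termination"))
    return findings


if __name__ == "__main__":
    for account, finding in find_offboarding_gaps(HR_ROSTER, ACCOUNT_INVENTORY):
        print(f"{finding:26} {account}")
```

Run on a schedule against the real exports, every finding is a ticket for IT to disable or reassign the account and, for post-termination logins, a case for review.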

Looking ahead

It’s crucial for companies to keep up with password security and not lose sight of the simple things. By implementing effective password policies and coordinating with HR and IT departments, companies can reduce the risk of password misuse by former employees and enhance their overall cybersecurity. Remember, cybersecurity is everyone's responsibility.

SQ Insight: Tony Ogden – President, GRC

Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
