Cyber Hacks - Prevention Versus Cure

Getting sick is a really nasty experience. Being forced to stay in bed because you cannot move an arm and a leg, your nose dripping constantly and a headache bouncing in your skull all day is the opposite of a pleasant experience. When you then take into account, you could’ve prevented this by just taking out a flu-shot at the beginning of autumn, you still wonder why you didn’t. No time? Did not want to fork out $30,00 as cost of living is hard enough?
Not being able to work and missing opportunities for your business is far more costly, and regaining customer confidence when it comes to business continuity can be a real challenge.

Extrapolate this to a cyber hack where your customer data is threatened to be exposed to the outside world and criminals are able to reach into the deepest of pockets of your customers by extortion methods, identity theft etc.

Linking this back to the flu, you would need a serious box of paracetamols to get over these incidents. The Australian Insurance Council is seriously lobbying everywhere they can in order to oppose proposals to new legislation that would ban ransomware attack payouts. The main reason is of course that insurers thrive on risks vs rewards, and their premium calculations are based on this. The insurers want to act as your box of very expensive paracetamol and sort things out when things turned really bad. The

As in the health care sector, when you live a healthy lifestyle and do not engage in activities like skydiving, deep-sea diving explorations etc, the risk for insurers is low, and they are able to give you a discount on premiums. The same applies in the Cyber Insurance world. If you’re able to show an insurer the measures you’ve taken to prevent cyberattacks and reduce the risk of potential breaches, the premiums can be significantly reduced. Again, the risk vs reward jigsaw does have the same effect.

The problem with cyberattacks is that you’re dealing with criminal organisations who have only two things in mind, create as much damage as possible and obtain an as big as possible, financial reward. The damage to a company can be anything. Whether it is financial, reputation or otherwise, you can be assured that companies will struggle to handle the fallout of any security breach.

If the company is a multi-billion dollar entity, they will have some more breathing space and can very often fall back on external expertise via various, including government, organisations. When the company is much smaller, external expertise is most often not available, as this is a very costly exercise. Insurers can help in this, but again, you would need to do some serious spreadsheet workouts to try and find out the risks you’re exposed to vs the rewards an insurance company can provide.

Especially in the case of ransomware attacks, where your data gets encrypted and only a key provided by the criminal organisation can unlock this, the help of an insurance company may not be very beneficial. They could help in negotiating, but when a blanked ban on ransomware payout is made by law, the negotiation part is plainly reduced to a begging game. Most criminal organisations will simply leave the table and your data will still be locked away indefinitely. This is the reason why insurance companies don’t want this ban to become legislative, as it reduces the service portfolio, there is no risk vs reward schema they can offer any benefit and the only thing that is then possible is to provide a service restoration policy where they could potentially insure the costs of obtaining expertise in getting your digital business up and running again.

Don’t get me wrong, I think being able to take out an insurance policy in order to get assistance on both the financial and organisational side in these restoration activities is very welcome, I’m 100% convinced that taking preventative measures against cyberattacks, outweighs any form of resolving an aftermath of a breach.

It is therefore of the utmost importance to prepare for and defend against cyberattacks as much as possible.

The cybersecurity flu-shot: QUADSEC

The package EvL Consulting provides is your annual “flu-shot” and addresses topics in the layer 6 and 7 of the diagram above. Preparing and defending comes in a few areas.

Phishing

Most of the cyberattacks these days come from phishing and social engineering attempts where criminals try to lure unsuspecting people, from executives in the boardroom, to the canteen lady in the restaurant and the external contractor who’s doing freelance work as a developer. Preventing phishing attacks via email is a massive task as the currently well established frameworks may no longer work and a more sophisticated approach is required.

Usernames and passwords

Securing credentials is the second headache many companies struggle with. Even though the IT industry is making great strives in getting rid of username/password credential by creating passkey based authentication, the truth is that the vast majority of software out there, will still require a username and password combination for the foreseeable future. Having a solution that creates, stores and manages this in an easy, secure and well integrated piece of software is paramount.

Knowledge

Being able to apply common sense and have the ability to spot something “phishy”, comes with being exposed to existing threats and therefore create a human firewall. The attempts that scammers and hackers use are becoming far more sophisticated with the advance of Artificial Intelligence, and the existing advice of looking at certain criteria of an email may not be enough anymore. The challenging landscape is shifting almost on a monthly basis, if not quicker, and being able to keep up with this requires continuous training and up-to-date content.

Phising Resistant MFA

Even though the perimeter defence mechanisms are state of the art, the criminals and cybersecurity people are always engaged in a bunny-hop game. There could potentially be a phishing attempt that could breach the perimeter of the defences. Having the ability to stop further access to your environment by securing accounts and systems with a Multi-Factor Authentication (MFA) solution that cannot be circumvented is an extremely solid solution to have in place. Existing methods of push notifications via SMS or phone app are still prone to being exploited in various ways.

Solution package

The QUADSEC solution package provide all 4 of the above. When implementing these in your organisation, your entire risk profile will be downgraded significantly and will also give you a good bargaining chip with your insurance company.