Is your team prepared for the biggest cyber security threats, and to protect your people, revenue, and brand? If 2020 taught us anything, it’s that cyber attacks will only continue to get worse in 2021 and beyond.
Curricula’s CEO, Nick Santora, and Joshua Motta, Co-Founder & CEO of Coalition, sat down to discuss how to take an all-hands approach to prepare your business for a variety of threats. Together they shared best practices for security awareness training, risk mitigation, and employee preparedness, plus resources and tools to help manage these types of events.
TL;DR – ransomware will continue to be the biggest threat in 2021. Read more to learn why or watch their webinar recording.
Here’s what our cyber security experts had to say about the biggest cyber threats to organizations
If we look at the cyber threat landscape, not much has changed. Coalition insures tens of thousands of businesses, and looking at the claims they processed, the majority of losses happened due to some type of email failure through phishing or social engineering.
“The bad things start with email,” Joshua said. “It’s still the same things that were tripping up companies 10 years ago: phishing, opening up remote access to the global internet… they’re the same things opening up companies to risk today. It does not require a sophisticated hacker to pose a big threat; it’s our employees that could expose an organization to that risk.”
From Coalition’s data in processing more than 1,000 claims, the largest claims in 2019 and thus far in the 2020 policy year were ransomware, social engineering, and breach response.
Ransomware accounted for 41% of all cyber insurance claims filed in the first half of 2020. And from these claims, the majority of incidents started due to a business email compromise from human error.
“Human error is in almost every claim we process,” Joshua said. “Even more common, it’s a partner or third-party who was tricked.”
Plus, the cost of ransomware claims only continues to increase. Ransomware claims used to cost $10,000, and now it’s not uncommon to see price tags of multiple millions of dollars paid to the hacker extortionist.
Nick and Joshua discussed how it’s the very basic things that trip businesses up, and even in the nation-state world, those actors don’t use sophisticated tools if they don’t have to.
As Joshua worked as a nation-state adversary for the CIA before founding Coalition, he has firsthand knowledge of how these bad actors work. “If I can get into your network with a phishing email offering an employee a $20 Starbucks gift card, I’m not gonna blow a ‘zero day’ I’ve been working on for the past 12 months,” he said.
Meanwhile, there’s also an illusion of safety when it comes to defending against cyber threats. There’s a true distinction between compliance and security when it comes to mitigating cyber risks, and meeting compliance requirements often misleads people into believing they are therefore also secure.
Before founding Curricula, Nick worked as a Critical Infrastructure Protection (CIP) auditor for the North American Electric Reliability Corporation (NERC). “I would analyze what human error actually meant,” Nick explained. “We would look at an event that occurred and work backwards to see what really caused it.” He would go on-site to see what controls were put in place by organizations, and what investments were made for their approach to risk management.
“From a compliance auditor’s approach, our goal was to find compliance violations. Ultimately, when compliance controls come in and are adopted for the first time, people lose sight of the ‘why’ behind doing security compliance,” Nick said.
Compliance rules were put into place so that people would design processes for security, and then align technology to support those processes, but a lot of times people would buy technology and then try to retrofit their people or processes into it, and that doesn’t work.
Nick explained that it’s about preparing for things that will happen — which is why organizations need security awareness training — and part of being prepared is having the ability to recover relatively quickly. This is the approach that organizations need to take when examining the biggest threats to their people, processes, and technology.
The future of cyber security is not a technology problem, it’s a risk management problem.
When someone says ‘cyber’, we immediately think of crime, but it’s often about technology risk. Technology fails, humans make errors, and it can be devastating. Businesses don’t realize how dependent they are on technology until it’s gone.
Joshua says that if you think about cyber threats as a form of risk, there are three (3) things you can do as an organization:
- You can accept the risk (often unknowingly)
- You can mitigate the risk (where technology plays a role)
- Or you can transfer it
“There are different ways you can transfer cyber risks through insurance providers like Coalition,” he explained. “You can also transfer it to your vendors, contractually to make sure they have an insurance policy that responds to third-party claims, so if they suffer a failure on their side that results in a loss for your business, then you have the ability to recover those losses under their insurance policy.”
Cyber insurance policies work the same way any other policy works, such as workers’ compensation or liability coverage, but most people don’t think about it in those terms, and most people don’t realize it until it’s too late.
How organizations can mitigate risk for cyber threats
Most IT teams are focused on operations, so security often isn’t the #1 priority. So how do we make it easy?
“We proactively work with our customers to help them prevent losses, so we are just as much a cybersecurity company as we are an insurance firm,” Joshua said. “All the technology we build is provided at no cost to our policyholders. Why? Because, of course, we have the incentive to help protect them.”
While it’s impossible to defend a network 100% of the time with 100% efficacy, particularly when a hacker has to only exploit one employee by obtaining their credentials, there are steps an organization can take to mitigate those risks.
Knowing that the majority of cyber security incidents come down to human error, it’s important to look at the basic things organizations can do today to stop bad actors, such as enabling two-factor (2FA) or multi-factor (MFA) authentication.
Coalition takes this a step further by giving policyholders tools to protect themselves: it offers security awareness training through its partnership with Curricula (Coalition customers can access up to 15 free licenses), and it offers incident response services to its policyholders in the event of a breach.
So in conclusion, what are the biggest cyber threat predictions for 2021 and beyond?
Joshua used the metaphor of ‘exposed nails’, as hackers are ‘looking for a nail, and they’ve got the hammer,’ he explained. “You don’t want any nails sticking out.”
One scary prediction Joshua shared is that organizations that have industrial control systems will be the target for ransomware, e.g. if you don’t pay us, we’ll shut down this chemical refrigeration system. “It’s only going to get worse, and criminals are getting a lot more leverage, and the cost to the organization will go up,” Joshua said.
This can be quite devastating: one example Joshua shared was a $2 billion organization (not a Coalition customer) that was the victim of a $100 million demand following a ransomware attack. Nick shared that following those types of ransomware attacks, structural changes have to occur within an organization, as they do following major incidents.
Another major disruption that will continue to have an impact in 2021 and beyond is a remote workforce due to COVID-19.
“Throughout this year, in a matter of days, the entire world changed from a technology point of view,” Nick said. “A lot of organizations sent people home and asked them to operate remotely for what has turned out to be months.”
The concern is that remote work now creates a larger scope of what can be exposed across devices, networks, and everything in between. This will have a massive impact on the cyber side.
Joshua agreed that we’re ‘more dependent on technology today than we’ve ever been in human history’ and organizations are scrambling to solve business challenges while continuing to operate. “A lot of companies were enabling remote access to facilitate at home work, and if it’s not configured appropriately, that’s a nail that’s sticking out,” he said. “Now you’re just playing roulette on if someone will target you attempting to get into the network.”
Another area of risk to mitigate is behavioral change, such as educating employees about phishing emails claiming to be COVID stimulus checks or wire transfers. Joshua shared an example of a Florida non-profit they insure at Coalition that experienced a loss of $1.5 million.
Fortunately, Coalition was able to work with the non-profit to recover the funds but so many cyber insurance claims are happening on this scale. “We have to be conscious of these behavioral trends that people are taking advantage of,” Joshua said.
Nick noted that a lot of organizations didn’t prepare for so many of these situations. “A lot of these hackers are using this as a flavor-of-the-week to convince people to click on things. That’s all it takes. They don’t play by any rules.”
Also, a potential threat to note is how bad actors are on the lookout to see if there are DNS changes. “If you’re changing service providers, such as Microsoft 365 to GSuite or vice versa, hackers can actually see if this change has been made, and they’re pouncing on that to send ‘welcome’ or ‘setup’ emails,” Joshua said. “It’s spear-phishing campaigns that are being done entirely opportunistically.”
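The point above is that a mail-provider migration is announced to the whole internet through DNS before any employee sees a “welcome” email. The following is an added example (not code from the webinar, Coalition, or Curricula) of how a defender can turn that same visibility to their advantage: compare a baseline snapshot of your own domain’s MX records with a fresh one, classify the switch by the providers’ well-known MX hostnames (Microsoft 365 uses `*.mail.protection.outlook.com`, Google Workspace uses `aspmx.l.google.com` and its `alt*` hosts), and produce a staff briefing the moment the cutover becomes public. The record sets below are constructed; in practice the observed set would come from a resolver query.

```python
"""Flag a publicly visible mail-provider switch from MX record changes.

Added example, not from the webinar or either company's tooling. The MX
record sets used here are constructed; a real deployment would fetch the
observed set from a resolver (for example dns.resolver.resolve(domain, "MX")
from dnspython) on a schedule and compare it with a stored baseline.
"""
from typing import Iterable

# Well-known MX hostnames (exact host or any subdomain of it) for the two
# providers the webinar names. Anything else is reported as "unknown".
PROVIDER_MX_HOSTS = {
    "Microsoft 365": ("mail.protection.outlook.com",),
    "Google Workspace": ("aspmx.l.google.com",),
}


def normalize_mx(records: Iterable[str]) -> set:
    """Reduce MX records to bare lower-case hostnames.

    Accepts either "host." or "<priority> host." (the common zone-file and
    dig output shape) and drops the trailing dot so equal hosts compare equal.
    """
    hosts = set()
    for record in records:
        parts = record.split()
        if not parts:
            continue
        hosts.add(parts[-1].lower().rstrip("."))
    return hosts


def provider_for(hosts: set) -> str:
    """Name the provider whose MX hosts appear in the set, or "unknown"."""
    for name, anchors in PROVIDER_MX_HOSTS.items():
        for host in hosts:
            for anchor in anchors:
                if host == anchor or host.endswith("." + anchor):
                    return name
    return "unknown"


def classify_mx_change(baseline: Iterable[str], observed: Iterable[str]) -> dict:
    """Compare two MX snapshots and describe what changed.

    Returns a dict with the before/after provider names and the added and
    removed hosts, so the same result can drive an alert or a dashboard.
    """
    before, after = normalize_mx(baseline), normalize_mx(observed)
    return {
        "changed": before != after,
        "from": provider_for(before),
        "to": provider_for(after),
        "added": after - before,
        "removed": before - after,
    }


def staff_briefing(change: dict):
    """Text to circulate internally when a cutover has just become visible.

    Returns None when nothing changed, so callers can skip sending anything.
    """
    if not change["changed"]:
        return None
    return (
        f"Our mail MX records moved from {change['from']} to {change['to']}. "
        "This change is visible to anyone who queries public DNS, so expect "
        f"unsolicited '{change['to']}' welcome or setup emails. Follow only the "
        "migration steps announced by IT and report anything else as phishing."
    )


if __name__ == "__main__":
    # Constructed snapshots: a Google Workspace zone moving to Microsoft 365.
    baseline_mx = ["10 aspmx.l.google.com.", "20 alt1.aspmx.l.google.com."]
    observed_mx = ["0 example-com.mail.protection.outlook.com."]
    result = classify_mx_change(baseline_mx, observed_mx)
    print(result)
    print(staff_briefing(result))
```

Running the check from a scheduled job and keeping the baseline in version control gives a clean audit trail of when the migration became public, which is also the moment user-facing warnings should go out.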
It’s important to be aware of what Joshua referred to as ‘TTP’ or ‘Tools, Tactics, and Procedures’ that these bad actors are using. Nick agreed, sharing how people’s lives and livelihoods depend on this – to prepare, practice, and learn – and not to point the finger. “Ultimately, it’s bringing this up with your management team, your executives, to raise awareness about these cyber threats,” Nick said, “so we have to make sure there’s communication across the company.”
Curricula and Coalition are here to be allies for information technology and infosec professionals. For more information, contact Coalition or request a free trial of Curricula’s security awareness training.
We’re all in this together to keep everyone safe from hackers in 2021 and beyond.