Cyber Risk Governance Insights | October 7, 2024
Netswitch, Inc.

WEEK IN HEADLINES

REPORT - ASEAN Data Breach Costs Soar to Record High

IBM's 2024 Cost of a Data Breach report reveals that the average cost of data breaches in ASEAN reached $4.34m in 2024, a 7% increase from the previous year. Financial services, industrial, and technology sectors were the most affected. Organizations using AI and automation for cybersecurity spend less time identifying and containing breaches, resulting in lower costs.

INSIGHT: We have seen ASEAN companies doing the bare minimum for basic cyber hygiene, if they do anything at all. ASEAN companies need to change the "check the box" mindset. We've successfully worked with ASEAN customers to cost-effectively improve their cyber risk management and the efficiency of their resources.

SKILLS GAP - Persistent Cybersecurity Talent Shortage

A recent survey reveals that 60% of CISOs consider staffing shortages their primary challenge. Despite increased budgets, organizations struggle to attract and retain skilled professionals. The talent gap is exacerbated by burnout, with 66% of security teams experiencing high-stress levels. CISOs are exploring various strategies to address these issues, including automation and outsourcing.

INSIGHT: To address this gap, we've developed the Inspiration Leadership Model (ILM) for SMBs to bridge the gap between academic learning and professional expertise in Cyber Risk Management. The ILM offers three tracks: “Setting up for Success,” which pairs students with practitioners to develop essential skills; “Professional Engagement & Internship,” providing real-world experience through mentorship; and “Exploring Life and Career Goals,” focusing on career development from entry-level to advanced positions. Participants help build a skilled workforce ready to tackle cybersecurity challenges, contributing to a secure digital future.

RaaS - Africa Used As Testing Ground

Ransomware-as-a-Service (RaaS) organizations are increasingly targeting African nations to test and refine their attack methods before launching campaigns in more developed countries. This trend exploits Africa's generally lower cybersecurity maturity, putting the continent's rapidly growing digital economy at risk and highlighting the urgent need for improved cybersecurity measures and international collaboration.

INSIGHT: African countries, as a region, must address the current lack of preparedness: only 9 out of 44 African countries qualified for the top two tiers of cybersecurity maturity. A regional cyber strategy could create a more secure cyber environment, deterring criminals from using these nations as testing grounds for RaaS campaigns.

RANSOMWARE - 100+ Organizations Fall Victim Monthly to New Variant

A cybercriminal dubbed "PaidMemes" has been infecting over 100 organizations monthly with a new MedusaLocker variant called BabyLockerKZ since 2022. The attacks, primarily targeting small and medium-sized businesses across various industries and regions, have resulted in ransom demands ranging from $30,000 to $50,000. The attacker uses a combination of publicly available tools and custom wrappers for credential theft and lateral movement.

INSIGHT: If we've said it once, we've said it 1,000,000 times: MFA, MFA, MFA…

HEALTHCARE: Provider "Fined" $240K for 3 Ransomware Attacks

Providence Medical Institute, a Southern California physician services organization, faces a $240,000 HIPAA fine following three ransomware attacks in 2018. The breaches, occurring within three weeks, compromised 85,000 patients' data. HHS OCR's investigation revealed HIPAA Security Rule violations, including lack of a business associate agreement and inadequate access control policies.

INSIGHT: While the attacks occurred ~6 years ago, the fine appears relatively modest given the governance failures and the frequency of the breaches. We need to remember that the fine reflects that the HHS Office for Civil Rights' (OCR) goal is often to ensure compliance and improvement rather than to impose crippling fines. The actions against Providence underscore the critical need for appropriate cybersecurity measures, proper business associate agreements, and comprehensive HIPAA compliance programs in healthcare organizations of all sizes. Remember that on top of the fine, the public disclosure of the breaches and the fine will likely have a lasting reputational and business impact.

EDUCATION - Ransomware Attack Forces September Shutdown

Highline Public Schools confirmed a ransomware attack led to the shutdown of all schools in early September. The district is collaborating with third parties and the FBI to investigate and recover from the incident.

INSIGHT: The ransomware attack on Highline PS highlights the vulnerability of public schools due to budget constraints; however, the one action they could have taken at no cost and prevented this breach was the implementation of multi-factor authentication (MFA).

FINANCIAL SERVICES - Group Targets U.S. Sector in New Wave of Cyber Attacks

The Andariel hacker group, linked to North Korea, has shifted its focus to financial institutions in the United States, launching sophisticated cyber-attacks aimed at stealing sensitive data and disrupting operations.

INSIGHT: Network segmentation would have been an effective prevention layer restricting the hackers' ability to access and exfiltrate sensitive financial data, thereby mitigating the overall impact of the breach.

INSIGHTS & EXPERT PERSPECTIVES

RISK MANAGEMENT - Reduction

Prioritizing Alpha Could Be a Costly Mistake

A recent article in Forbes by Philip Maymin emphasizes the critical importance of risk management in finance, arguing that it should take precedence over the pursuit of alpha. By focusing on risk, financial professionals can better navigate uncertainties and ensure long-term stability. The author highlights the need for a paradigm shift in the industry, advocating for a more comprehensive approach to managing potential threats.

Three Key Insights:

  1. Risk Over Alpha: The finance industry often prioritizes alpha (returns) over risk management, which can lead to significant vulnerabilities.
  2. Comprehensive Risk Strategies: Effective risk management requires a holistic approach, integrating various strategies to mitigate potential threats and ensure resilience.
  3. Long-Term Stability: Prioritizing risk management can lead to greater long-term stability and sustainability in financial operations.

INSIGHT: Our opinion that organizations need to shift from reactive to adaptive cyber risk strategies aligns with Maymin's view of prioritizing risk management over the pursuit of returns. Often, executives see cyber risk management only as a cost center, not as a value generator leading to long-term value creation, stability, and reliability.

Adaptive cyber risk management involves continuously monitoring and analyzing behaviors and events in real time to identify potential threats before they materialize. This proactive stance mirrors Maymin’s advocacy for a comprehensive approach to risk management, ensuring that potential risks are addressed before they can impact the organization.

Like a holistic approach to financial risk management, adaptive cyber risk management integrates various strategies to mitigate threats. Such a comprehensive strategy ensures resilience against a wide range of cyber threats.

By focusing on adaptive measures that evolve with the threat landscape, organizations can achieve greater long-term stability and resilience.

To educate yourself on this cyber strategy, you may like to listen to this Cyber Risk Governance Live Event with Steven Paul Walker, an expert in operational risk and financial IT regulatory compliance.

CYBERSECURITY CHRONICLES

Will Quantum Computers Steal Your Job or Save the World

In this episode of Cybersecurity Chronicles, host Sean Mahoney sits down with quantum computing expert John O’Malley to talk about the world of quantum computing.

John worked with the NIST Post Quantum Encryption Standards Committee, after having previously led Change Healthcare's Identity and Access Management (before the breach).

They delve into the current state of quantum technology, its potential applications in various industries, and the challenges that lie ahead. From cybersecurity advancements to the future integration of quantum computing in everyday business operations, this conversation provides a comprehensive overview of how quantum computing is set to revolutionize the tech landscape.

The topic was chosen following the recent NIST release of the long-awaited post-quantum encryption standards.

Key Takeaways:

  1. Basics of Quantum Computing: Quantum computers use qubits that can represent both 0 and 1 simultaneously, enabling complex calculations beyond classical computers.
  2. Current and Future Applications: Quantum computing promises advancements in cybersecurity, medication development, and electric car batteries, with broader integration expected in 5-10 years.
  3. Challenges and Preparations: High power requirements and sub-zero temperatures are major hurdles. Businesses should start preparing by mapping encryption strategies and training teams.


Sharpen Your Cyber Edge with Netswitch

Master Compliance & Minimize Risks:

  1. Independent Security Audit: Identify network risks with our automated Security And Risk Assessment (SARA). Get a clear picture, prioritize improvements, and optimize resource allocation. Contact Netswitch.
  2. Free "Quick Start" Program: Gain a free cyber risk and governance health check. Enroll now and start building resilience.

Deepen Your Knowledge:

  • Join Our LinkedIn Group: Collaborate with industry leaders in the CyberRisk Governance Community on LinkedIn. Share insights and stay ahead of the curve.
  • Live Events: Participate in interactive LinkedIn Live sessions. Explore cyber risk topics with executives, technologists, and governance professionals.

Don't wait.

Contact Netswitch Technology Management today to take control of your cyber risk.


Disclaimer: The information and links provided in this newsletter are for informational purposes only. Netswitch does not warrant the accuracy or completeness of such information and is not liable for any damages arising from its use.
