Enhancing Cybersecurity Measures for Business Continuity
Cyber threats are top of mind for many individuals, businesses, and public entities. The 2024 edition of the Global Risks Report from the World Economic Forum identified “cyber insecurity” as the 4th most severe short-term risk and the 8th most severe long-term risk, just one indication of its worrisome global presence (1). The repercussions of insufficient cybersecurity can be devastating if it fails to protect sensitive data, maintain operational uptime, and limit financial or reputational damage caused by cyber incidents. An investigation of the landscape provides a valuable starting point for understanding both the gravity of trials facing today’s business climate and how to navigate threats to build resilience and improve business continuity.
A few months ago, there were multiple cases in which a single point of failure within a third-party software provider brought disparate industries to a temporary halt. In one instance, malicious threat actors targeted the software provider with ransomware and, as a result, impaired customer relationship management tools, financing, payroll, support and service, inventory, and back-office operations for approximately 15,000 client operations.
Affected businesses are cumulatively expecting losses to exceed $1 billion (2), which does not include the impact on the service provider or the estimated $25 million ransom that was paid to limit data loss (3).
In a separate case of severe supply chain disruption, a security software provider issued a broken update to customers. While there was nothing malicious involved, more than 8 million users could not access their devices because of the process error (4).
Both cases, while dissimilar in their particulars, offer a stark reminder that the information technology (IT) supply chain is vulnerable and fragile, and that in some instances there is no foreseeable prevention. However, with a focus on preparation and enhanced resilience, individuals and organizations can be better equipped to withstand and recover from such technological trials.
Considerations for Cyber Risk Preparation & Development of Cyber Resilience
Businesses must be forward looking and prepare for unknown cyber threats, which can be daunting and feel impossible. Having a robust and well-developed cyber program is a must in today’s technological era. But what does this entail?
A resilient and prepared organization is one built with a culture that prioritizes managing cyber risk. The two overarching goals of cyber maturity are enhanced visibility and sufficient preparation: Do you have visibility into all the devices and user activity on your network so you can monitor for both approved and suspicious behavior? Do you have an appropriate and effective incident response plan when something problematic is inevitably detected? While no infallible program exists to prevent all malicious threats or avoid costly insider breaches, visibility and preparation go a long way to building lasting organizational resilience.
For those looking for guidance, proactive risk and vulnerability assessments offer valuable starting points. The first order of gaining optimal network visibility requires awareness of what devices, users, and other technologies are connected to that network. Vulnerability scans, penetration tests, web application assessments, and other examinations of your organization’s digital blueprint can provide a baseline for network activity while also identifying potential blind spots in need of patching or remediation. Addressing gaps in your business’ processes, policies, or personnel regarding cyber readiness can help you better protect sensitive information, business-critical data, and operational continuity.
These thorough assessments should extend to third-party service or software providers that in any way handle, store, or maintain access to sensitive, business-critical data. Third parties are vital resources, necessary to help organizations develop and enhance market opportunities. In most cases, these relationships are mutually beneficial; however, there are associated risks. According to data published by the U.S. Securities and Exchange Commission (SEC) from a Security Scorecard study, 98% of companies are associated with a third party that has experienced a breach (5). While this does not necessitate any significant downtime or data loss, there should be a healthy concern about the safety of working with distant third parties.
One reason for third-party risk is the lack of control over data flow. Third parties, in their scope of service provision, manage your data and accessibility to their systems. If a vendor fails to update their own software (or that of a third party with whom they contract), succumbs to a security issue, or experiences a breach themselves, the repercussions will inevitably trickle down to the contractor and, in some instances, into the larger supply chain.
Conducting a thorough risk assessment that includes vetting the relevant internal policies, historical efficacy, and adherence to industry or regulatory compliance standards of any vendor that will have access to sensitive data will likely reveal gaps and vulnerabilities in their operations, which can then be addressed. This might mean working to ensure all data flowing to and from your business is encrypted or that additional resources need to be developed or contracted to enhance overall security posture, including 24/7 Security Operations Center (SOC) monitoring, the implementation of policies requiring strong passwords and MFA (multi-factor authentication), incident response planning, and general vulnerability management via risk assessments.
Furthermore, enhancing overall collaboration and communication with any third-party vendor can be beneficial. There is value in maintaining your agency when contracting for software or complementary services.
A recent report published by global business consulting firm Protiviti further highlights both the perception and gravity of the challenges facing organizations regarding third-party vendors. In their “Executive Perspectives on Top Risks for 2024 and a Decade Later,” third-party risks are the 4th greatest concern this year and 6th projected for 2034. Cyber threats, which are inextricably linked, rank 3rd this year and first for 2034 (6).
Preparation for the Inevitability of a Cyber Incident
Regardless of the quality and specifics of your cybersecurity program, there is no prescription that will keep your organization 100% protected against all potential threats. It is incumbent on organizational leaders to have a well-developed and tested Incident Response and Recovery (IR) plan in place in case something threatens business continuity or causes data loss.
IR planning should encompass several key areas with the principal goals of reducing downtime, limiting data loss, maintaining organizational reputation, and protecting revenue. First, the team responsible for coordinating the response to an active incident must have the capacity to isolate impacted systems. As soon as malicious activity is detected, affected systems should be disconnected from the internet and the rest of the network to limit spread and preserve evidence for any subsequent investigation. In coordination with isolating systems, it is critical to immediately change all passwords for network directories and any remote access solution. Failure to do so could allow a threat actor to return and further disrupt the environment.
In a significant number of attacks, a vulnerable remote access solution is leveraged. It is critical that you do not enable public internet access via remote desktop protocol (RDP) on any server or allow any unpatched virtual private networks (VPNs) back online. All software should be fully patched and updated, MFA enabled, and credentials reset prior to their restoration.
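The restoration conditions above can be enforced as a gate that each remote access system must pass before it is reconnected. The following is an added example, not part of the original article; the inventory fields, host names, and timestamps are constructed for illustration, and source ranges are assumed to be IPv4.

```python
from datetime import datetime
from ipaddress import ip_network

# RFC 1918 ranges count as internal; any wider source is treated as internet-facing.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_PORT = 3389

def is_internal(cidr):
    net = ip_network(cidr)
    return any(net.subnet_of(r) for r in INTERNAL)

def restoration_blockers(asset, detected_at):
    """Return the reasons an asset must stay offline (empty list = may be restored)."""
    blockers = []
    for rule in asset["inbound_rules"]:
        if rule["port"] == RDP_PORT and not is_internal(rule["source"]):
            blockers.append(f"RDP reachable from {rule['source']}")
    if not asset["fully_patched"]:
        blockers.append("unpatched software")
    if not asset["mfa_enabled"]:
        blockers.append("MFA not enabled")
    # A reset made before detection does not lock out an actor who is already in.
    reset = asset.get("credentials_reset_at")
    if reset is None or datetime.fromisoformat(reset) <= detected_at:
        blockers.append("credentials not reset since detection")
    return blockers

def evaluate(assets, detected_at):
    return {a["name"]: restoration_blockers(a, detected_at) for a in assets}

# Constructed sample inventory (hypothetical hosts, rules, and timestamps).
DETECTED_AT = datetime.fromisoformat("2024-01-10T02:15:00")
ASSETS = [
    {"name": "vpn-gw-01", "fully_patched": False, "mfa_enabled": True,
     "credentials_reset_at": "2024-01-11T09:00:00",
     "inbound_rules": [{"port": 443, "source": "0.0.0.0/0"}]},
    {"name": "rdp-jump-01", "fully_patched": True, "mfa_enabled": False,
     "credentials_reset_at": "2024-01-09T08:00:00",
     "inbound_rules": [{"port": 3389, "source": "0.0.0.0/0"}]},
    {"name": "file-srv-02", "fully_patched": True, "mfa_enabled": True,
     "credentials_reset_at": "2024-01-10T14:30:00",
     "inbound_rules": [{"port": 3389, "source": "10.20.0.0/16"}]},
]

if __name__ == "__main__":
    for name, reasons in evaluate(ASSETS, DETECTED_AT).items():
        print(name, "OK to restore" if not reasons else "HOLD: " + "; ".join(reasons))
```
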
When developing an IR plan, there are several components to consider as soon as an incident is detected, including the personal response responsibilities of each organizational leader, who to contact for assistance, and how to manage backup systems so they are part of an unaffected network. Engaging in tabletop exercises as part of ongoing development and practice of the IR process can help significantly improve how executive, technical, and functional teams act when IR plan implementation is required.
All these preparation components are elements of a larger IR program that, to be optimally effective, must be in place before anything significant or problematic occurs.
The rapidly evolving cyber threat landscape necessitates a comprehensive approach to cyber risk management and resilience building. The myriad challenges underscore the importance of developing robust cybersecurity frameworks tailored to each organization's unique needs. Fostering a culture of cyber awareness, ensuring visibility into all network activities, and maintaining effective incident response plans are critical components of a resilient cybersecurity strategy. With these components in place, a well-prepared organization can significantly mitigate risks and swiftly recover from incidents, thereby safeguarding its operations, reputation, and bottom line.
Sources
1. World Economic Forum. https://www.zurich.com/en/knowledge/topics/global-risks/the-global-risks-report-2024
2. Smith, Christopher. MSN. https://www.msn.com/en-us/autos/news/dealers-are-set-to-lose-nearly-1-billion-over-cdk-cyberattack/ar-BB1pduyo?item=themed_featuredapps_enableD?loadIn=defaultBrowser
3. Alspach, Kyle. CDK Paid $25 Million Ransom to Expedite Recovery After Attacks: Report. https://www.crn.com/news/security/2024/cdk-paid-25-million-ransom-to-expedite-recovery-after-attacks-report
4. Reuters. Microsoft Says about 8.5 Million of Its Devices Affected by CrowdStrike-Related Outage. 20 July 2024. https://www.reuters.com/technology/microsoft-says-about-85-million-its-devices-affected-by-crowdstrike-related-2024-07-20/
5. Cyentia Institute. Cyentia Institute and SecurityScorecard Research Report: Close Encounters of the Third (and Fourth) Party Kind. https://securityscorecard.com/research/cyentia-close-encounters-of-the-third-and-fourth-party-kind/
6. Protiviti. Executive Perspectives on Top Risks for 2024 and a Decade Later. Protiviti Global Business Consulting. https://www.protiviti.com/sites/default/files/2024-03/nc-state-protiviti-survey-top-risks_2024-2034.pdf
The information in this newsletter publication was compiled from sources believed to be reliable for informational purposes only. This is intended as a general description of certain types of managed security services, including incident response, continuous security monitoring, and advisory services available to qualified customers through SpearTip, LLC, as part of Zurich Resilience Solutions, which is part of the Commercial Insurance Business of Zurich Insurance Group. SpearTip, LLC does not guarantee any particular outcome. The opinions expressed herein are those of SpearTip, LLC as of the date of the release and are subject to change without notice. This document has been produced solely for informational purposes. No representation or warranty, express or implied, is made by Zurich Insurance Company Ltd or any of its affiliated companies (collectively, Zurich Insurance Group) as to their accuracy or completeness. This document is not intended to be legal, underwriting, financial, investment or any other type of professional advice. Zurich Insurance Group disclaims any and all liability whatsoever resulting from the use of or reliance upon this document. Nothing express or implied in this document is intended to create legal relations between the reader and any member of Zurich Insurance Group. Certain statements in this document are forward-looking statements, including, but not limited to, statements that are predictions of or indicate future events, trends, plans, developments or objectives. Undue reliance should not be placed on such statements because, by their nature, they are subject to known and unknown risks and uncertainties and can be affected by numerous unforeseeable factors. The subject matter of this document is also not tied to any specific service offering or an insurance product nor will it ensure coverage under any insurance policy.
No member of Zurich Insurance Group accepts any liability for any loss arising from the use or distribution of this document. This document does not constitute an offer or an invitation for the sale or purchase of securities in any jurisdiction.
In the United States, Zurich Resilience Solutions managed security services are provided by SpearTip, LLC.
Copyright © 2024 SpearTip, LLC