October Risk Roundup: Financially-motivated attackers and disincentives from leadership are a bad combination

by Stephanie Mangold.
The Risk Roundup is our weekly collection of curated content that relates to all things digital risk management. Members of the Coalition team have pulled together their favorite posts from the week that highlight relevant trends in cybersecurity and cyber insurance. Enjoy our TL;DR and useful snippets on topics we’re keeping a close eye on.

Cybersecurity is a team sport and it takes the right mix of incentives, training, and risk management to thwart threat actors' efforts. That’s why it’s disheartening when leadership fails to motivate people to care — and during cybersecurity month at that. As we’ve said before, no technology is completely secure, and that’s why good cybersecurity is a risk management problem that demands motivating the people you work with each day.

1. Governor seeks to prosecute journalist who identified website bug

Less of a hot take and more of a chilling take: going after someone who responsibly discloses a vulnerability creates a disincentive for researchers to disclose in the future, which instead leaves vulnerabilities out there for the bad guys to find. Recognizing that there are many elements at play here (lack of technical knowledge, saving political face, news media sensationalism), the governor’s response is troubling at least and counterproductive at worst. Security researchers deserve clear legal definitions and protections. Aaron Kraus, Security Engagement Manager

View tweet here

2. How strong is your cyber defense?

Insurance agencies remain an excellent target for threat actors, and thanks to remote work environments, smaller independent carriers stand out from a cyber risk perspective. Once inside a carrier's network, threat actors hit the jackpot from an intel perspective. From here, they can quickly launch attacks against all of the carrier's clients. As a result, insurance carriers must be proactive about their cyber risk and not rely on insurance to respond. Ross Warren, Production Underwriter

View tweet here

3. Ransomware attack hits small county

Ransomware attacks, for many organizations, are not a matter of if; it’s a matter of when. Whether you are a small town on the famous Oregon Trail route or a large financial institution, everyone is vulnerable to ransomware attacks. Threat actors are agnostic toward class of business or industry type and instead scan networks for low-hanging fruit to monetize quickly and move on. Kirsten Mickelson, Claims Counsel

View tweet here

4. Psychology and cybersecurity awareness

This is actually more than just weaving psychology into training, but it hits the mark exactly. Security awareness and training programs need a good pedagogical design (basically educational design using tested learning theories), including repetition and multiple delivery methods. The organization's culture is also critical — if you train people to spot phishing emails and then fire them if they fall victim and report it, then the training was worthless. That situation is a learning and growth opportunity where additional training is needed. Aaron Kraus, Security Engagement Manager

View tweet here

If you enjoyed this post, be sure to check our blog weekly; the Risk Roundup runs Friday mornings in addition to more enlightening content we post related to the ever-evolving landscape of digital risk. Follow us on Twitter (@SolveCyberRisk), LinkedIn (Coalition Inc), and YouTube. If you have any suggestions for content that we should be adding to our reading list, let us know!