Effective URL: https://www.cybersecuritydive.com/trendline/cyber-risk-management/453/?utm_source=CSD&utm_medium=NL1Dec2&utm_campaign=Imprivata&ut...
Trendline


RISK MANAGEMENT


.shock via Getty Images

NOTE FROM THE EDITOR

Cyber risk management strategies entered the spotlight as new rules from the
Securities and Exchange Commission took hold. Now, public companies have to
detail their cybersecurity risk management, strategy and governance in annual
filings, raising awareness on what many cyber experts already knew — security
issues are business issues. 

Governance is a critical aspect of cyber risk management, but it’s also up to
security leaders to educate business stakeholders on what threats exist and how
to navigate them. 

The conversation is changing thanks to the rapid emergence of generative AI and
a general rush to adopt technology without fully understanding its risk.

What organizations also miss, however, are the threats that come from legacy
technology that languishes in enterprise stacks. 

Naomi Eide Managing Editor




CISOS UNDER PRESSURE FROM BOARDS TO DOWNPLAY CYBER RISK: STUDY

Research from Trend Micro shows tension between CISOs and senior enterprise
leadership. Many security leaders say they’re perceived as nags.

By: David Jones • Published May 30, 2024

The majority of CISOs and other IT security leaders, almost 4 in 5, say they
have felt pressure from their corporate boards to downplay the severity of cyber
risk, according to a study commissioned by Trend Micro.

The study highlights ongoing tension within the upper ranks of corporations
between C-suite executives, investors and security operations over how to
properly manage and communicate security risk.

“The board is focused on the overall business and typically there is a big
effort to ensure the company supports their investors,” Jon Clay, VP of threat
intelligence at Trend Micro, said via email. “As such they want to ensure the
reputation, revenue and profitability is tantamount.”

Among those security leaders feeling pressure from their boards, the report
found 43% say they are seen as nagging or repetitive and 42% say they are seen
as being overly negative about cyber risk. The report is based on a worldwide
survey of 2,600 IT security leaders conducted by Sapio Research. 

The debate is particularly relevant in the U.S., as the Securities and Exchange
Commission requires publicly traded companies to disclose material cybersecurity
incidents within four business days of such determination. 

Companies must also annually disclose information about their cyber risk
strategies.

The SEC in 2023 filed charges against SolarWinds and its top cyber risk
executive, alleging the company misled investors about the company’s cyber
resilience.   

Brian Walker, CEO of the CAP Group, which advises corporate boards and
executives on cyber risk, disagrees with the findings about board pressure, but
agrees communications between CISOs and board directors are often misaligned. 

“Most boards are aggressively trying to understand cyber risks in context of all
other enterprise risks,” Walker said via email. 

The findings are somewhat contradicted by a report from Proofpoint, which shows
increased alignment between CISOs and their respective companies. The 2024 Voice
of the CISO report shows 84% of CISOs say they see eye-to-eye with their boards
on cyber risk, a significant improvement from a year ago, when only 62% saw such
alignment. 

Despite the improvements, CISOs still feel tremendous pressure to carry the
weight of cyber risk on their backs. Proofpoint’s study shows 66% of CISOs say
they are faced with excessive expectations, compared with 61% in the year-ago
study. 

“While CISOs are enjoying closer ties with key executive partners, stakeholders,
board members and regulators, this proximity also brings higher stakes, more
pressure and heightened expectations,” Patrick Joyce, global resident CISO at
Proofpoint, said via email. 

Two-thirds of CISOs are concerned about personal liability, compared with 62% in
the year-ago study. More than 70% of those surveyed said they would not join a
company unless they had directors and officers coverage, which is personal
liability insurance for top executives. 

Article top image credit: FangXiaNuo via Getty Images



DATA PRIVACY CONCERNS SWIRL AROUND GENERATIVE AI ADOPTION

IT and business professionals fear the technology’s adoption will expose
critical data, according to a Deloitte report.

By: Roberto Torres • Published Sept. 25, 2024

Technology professionals say data privacy tops their list of ethical worries
surrounding the deployment of generative AI in the enterprise, according to a
Deloitte report. The firm surveyed 1,848 business and technology professionals. 

Nearly three-quarters of professionals ranked data privacy among their top three
ethical concerns about the technology’s use, according to the report. 

Two in 5 respondents flagged data privacy as their No. 1 concern this year,
almost double the 1 in 4 that cited data privacy in Deloitte’s 2023 survey.

Tech leaders are poring over the infrastructure and talent needs of their
organizations as they help guide generative AI adoption. Ethical concerns should
also make it on the checklist.

“GenAI collapses the ‘expertise barrier’: more people can get more out of data,
with less technical knowledge needed,” said Sachin Kulkarni, managing director,
risk and brand protection, Deloitte LLP, in the report. “While a benefit, the
potential for data leakage may also increase as a result.”

Professionals are also worried about the impacts of generative AI on
transparency, data provenance, intellectual property ownership and
hallucinations. Job displacement, though often cited as a top concern, was only
flagged by 16% of respondents.

Across emerging technology categories, business and IT professionals identified
cognitive technologies — a category that includes large language models, machine
learning, neural networks and generative AI, among others — as posing the most
severe ethical risks. 

The category surpassed digital reality, autonomous vehicles and robotics, among
other technology verticals. However, respondents also ranked cognitive
technologies as the most likely to drive social good. 

Due to its reliance on data, the majority of executives are concerned about how
generative AI tools can increase cybersecurity risks by expanding their attack
surface, a Flexential survey published earlier this month found.

Article top image credit: Laurence dutton via Getty Images


HOW TO MANAGE THE RISING TIDE OF CVES

As the volume and complexity of vulnerabilities grows, organizations are
struggling to manage and mitigate the security defects.

By: Rosalyn Page • Published Sept. 11, 2024

Software defects across MOVEit file-transfer services, Log4Shell and Citrix
Bleed are among the highest-profile vulnerabilities that have been exploited in
recent years, but they represent just a sliver of the total CVEs causing
widespread damage.

The volume of CVEs is steadily increasing each year — SecurityScorecard recorded
29,000 vulnerabilities in 2023 and already this year it tracked nearly 27,500
vulnerabilities.

That number is expected to hit 34,888 in 2024, a 25% increase, according to
Coalition’s 2024 Cyber Threat Index report. It underscores the challenge for
organizations to continuously manage vulnerabilities and strengthen defenses
against potential exploits.

While three-quarters of organizations employ a formal program to manage
vulnerabilities, many are struggling with a backlog they cannot fix and a
growing number that need vendors or the open-source community to remediate,
according to the SANS 2022 Vulnerability Management Survey. 

Organizations need effective CVE management to mitigate the risks posed by these
vulnerabilities, but many struggle with the complexity of identifying and
prioritizing the most critical threats amid a constant influx of new
vulnerabilities. 

“The sheer number of CVEs makes it difficult to keep track of all potential
vulnerabilities,” said Amit Bismut, head of product at Backslash Security.

With many vulnerabilities deemed critical, the challenge is deciphering which
ones pose the biggest risk. One way is to understand if the CVE can potentially
be exploited in your specific environment, Bismut said.

Organizations need to prioritize vulnerabilities that represent a specific risk
to the environment and direct resources so that the most dangerous
vulnerabilities are mitigated promptly.

“Context helps security teams focus on vulnerabilities with the most significant
threat to their unique setup, rather than trying to address every single issue,”
he said.


HOW CVE IDENTIFIERS HELP VULNERABILITY RANKING

Using the CVE number, which is a common identifier, security teams can rank
vulnerabilities according to a range of data sources and use vulnerability
scanners or intrusion detection systems to find them.

It wasn’t always this way. Before CVE identification was formalized, security
teams had to piece together vulnerability information, according to TK Keanini,
CTO of DNSFilter and founding member of the CVE program.

The CVE program, now in its 25th year, has become foundational to many other
security standards including the International Organization for Standardization,
the payment card industry and the Healthcare Information Trust Alliance security
framework.

It’s used in compliance, risk management and cybersecurity protocols, providing
a standardized method for identifying and referencing specific vulnerabilities
with a common identifier used by security teams everywhere.

“By incorporating all of these different perspectives, it creates a better, more
actionable and more accurate workflow,” said Keanini.

With the rising tide of vulnerabilities, it’s not feasible to tackle every risk.
Ranking means every CVE has a risk weight, critical to prioritizing patching and
vulnerability management, especially as the scope of CVEs is only growing.

Every new line of code that’s introduced provides new opportunities for more
CVEs, noted Keanini.

“We’re not counting a static space. That’s why the scoring’s important to stack
rank and know which ones are on your network,” he said.


TACKLING CVES WITH A STRATEGIC BUSINESS LENS

While the headline number of CVEs is going up, there’s more to it than that,
given that a single CVE number can often refer to more than a single piece of
code.

“One CVE might affect multiple different versions of software or packages of
software, especially if that CVE is embedded in very pervasive code,” said
Dustin Kirkland, VP of engineering at Chainguard.

When a vulnerability is discovered, it is enriched with additional information,
although this doesn’t automatically mean it will lead to an attack as a
vulnerability may be a proof of concept or a theoretical problem. 

“Not every CVE comes with either a fix or even a proof of concept that shows
it’s a real problem that could be exploited in the wild,” Kirkland said.

If it warrants it, a fix is issued or the weakness declared so that security
teams and scanning tools are aware of it. 

The scoring system helps ensure that the most real, egregious vulnerabilities
get a higher priority than the lowest ones, which could be considered just nice
to fix.
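The ranking the sections above describe, weighting each CVE by whether it is actually present and reachable in your environment, whether a proof of concept or in-the-wild exploitation exists, and whether a fix is available, can be made concrete. The following is an added example written for this page, not code from Backslash Security, Chainguard or the CVE program; the CVE identifiers, package names, assets and weighting factors are constructed placeholders, and the weights are illustrative rather than any published formula.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss: float              # CVSS base score, 0.0-10.0: severity without context
    package: str             # affected package name
    fix_available: bool      # vendor or upstream has shipped a fixed version
    public_poc: bool         # a proof of concept has been published
    known_exploited: bool    # exploitation in the wild has been reported


@dataclass(frozen=True)
class Asset:
    name: str
    packages: frozenset      # package names installed on this asset
    internet_exposed: bool
    criticality: int         # 1 (low) to 3 (crown jewel), set by the business


def context_score(cve: Cve, asset: Asset) -> float:
    """Risk weight of one CVE on one asset. 0.0 means the package is not
    deployed there, so the CVE is not exploitable in this environment no
    matter how high its CVSS score is."""
    if cve.package not in asset.packages:
        return 0.0
    score = cve.cvss
    # Evidence that the weakness is real beats a theoretical critical rating.
    if cve.known_exploited:
        score += 4.0
    elif cve.public_poc:
        score += 2.0
    # Reachability and business impact are the "context" the article describes
    # (the 1.5 multiplier and criticality scale are illustrative choices).
    if asset.internet_exposed:
        score *= 1.5
    score *= asset.criticality
    return round(score, 2)


def remediation(cve: Cve) -> str:
    """What the ticket should ask for: a CVE with no fix still needs
    a mitigation (network isolation, WAF rule, feature disable) rather
    than waiting for a patch that does not exist yet."""
    return "patch" if cve.fix_available else "mitigate (no vendor fix yet)"


def prioritize(cves, assets):
    """Return (cve_id, asset, score, action) tuples, highest risk first,
    dropping CVEs whose package is not deployed on any asset."""
    rows = []
    for cve in cves:
        for asset in assets:
            score = context_score(cve, asset)
            if score > 0:
                rows.append((cve.cve_id, asset.name, score, remediation(cve)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample data: the CVE identifiers are placeholders, not real entries.
SAMPLE_CVES = [
    Cve("CVE-0000-0001", 9.8, "libfoo", True, True, True),      # real, exploited, fixable
    Cve("CVE-0000-0002", 9.9, "libbar", False, False, False),   # critical on paper only
    Cve("CVE-0000-0003", 7.5, "libbaz", True, True, False),     # not deployed anywhere
]
SAMPLE_ASSETS = [
    Asset("web-frontend", frozenset({"libfoo"}), True, 3),
    Asset("build-server", frozenset({"libfoo", "libbar"}), False, 1),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_CVES, SAMPLE_ASSETS):
        print(row)
```

On this sample the CVE with the lower base score (9.8, exploited in the wild, on an exposed crown-jewel asset) outranks the 9.9 that exists only on an internal build server with no proof of concept, and the third CVE never appears because its package is not installed anywhere; that inversion of the raw CVSS order is the point Bismut and Kirkland make above.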

While the usual practice is responsible disclosure so that the vulnerability can
be identified, some CVEs are sold on the dark web by hackers and cybercriminals. 

“There’s certainly an underground market for zero-day [vulnerabilities] and for
undisclosed vulnerabilities, where they’re bought and sold on an underground
market by some shady organizations,” he said.

In neutralizing CVEs, scanning tools are vital, yet it’s not simply a process of
turning a vulnerability dashboard flashing red to green when consulted on a
periodic basis.

While vulnerability management is largely driven by adherence to some compliance
framework, security chiefs don’t usually have a singular goal of eliminating
CVEs. 

“It’s usually tied to a business objective,” said Kirkland.

Article top image credit: ar-chi via Getty Images



RISK ESCALATES AS COMMUNICATION CHANNELS PROLIFERATE

The chance of losing data to a breach rises in tandem with the number of
channels — like email and file sharing — that an organization uses.

By: Robert Freedman • Published July 10, 2024

Almost 60% of organizations can’t track what happens to their information once
it goes out in an email or through another communication channel, a survey by
data security company Kiteworks finds. 

That’s a risk management problem because data breaches are correlated with how
information leaves an organization.

The more communication tools an organization uses — email, file sharing, managed
file transfer, secure file transfer protocol, web forms, among others — the
higher the risk of information ending up where it wasn’t intended, the survey
finds. 

“Respondents with over seven communication tools experienced 10-plus data
breaches — 3.55x higher than the aggregate,” the survey report says. 

The risk is particularly high for organizations in North America because they’re
the biggest users of multiple types of communication channels. 

“An astounding 80% in North America employs four or more tools,” the survey
report says. 

High risk means high costs. There are costs stemming from the breach itself —
operational downtime, diminished productivity and lost revenue — but also
regulatory penalties and legal costs.  

For almost two-thirds of organizations, legal costs reach at least $2 million.
The bigger the company, the higher the costs. The biggest companies — those with
30,000 or so employees — reported spending more than $7 million on legal matters
after an incident.  

The connection between the number of communication tools and the higher risk of
breaches can be seen in data on the number of outside parties that are on the
receiving end of these communications. Two-thirds of organizations typically
exchange sensitive information with 1,000 or more third parties, creating a
tracking problem. 

“As organizations increasingly rely on digital communication and collaboration
and their third-party ecosystems grow, the risks associated with data breaches
continue to escalate,” Patrick Spencer, Kiteworks’ vice president of corporate
marketing and research, said in the report.  

The biggest companies are the most at risk. A third of those with about 30,000
employees typically exchange sensitive information with more than 5,000 outside
recipients. 

“Third-party risk has never been higher for organizations in all industries, and
the necessity of exchanging sensitive content accentuates the threat,” the
report says. 

The survey findings are based on responses from almost 600 risk and IT
professionals in countries around the world.

Article top image credit: .shock via Getty Images


DARK WEB EXPOSURE IS ‘HIGHLY CORRELATED’ WITH CYBERATTACK RISK

Organizations that are mentioned in dark web market listings are more than twice
as likely to experience an attack, Marsh McLennan found.

By: Alexei Alexis • Published Sept. 24, 2024

Any data relating to a company on the dark web significantly increases that
organization’s risk of suffering a cyberattack, a study by Marsh McLennan’s
Cyber Risk Intelligence Center found.

Organizations that are mentioned in dark web market listings or that have
compromised accounts on the dark web are more than twice as likely to experience
an attack, according to a report on the findings.

“Cybercriminals plan their attacks on dark web forums, marketplaces, and in
hidden communication channels, and the study has quantified the risk of each of
these areas of dark web exposure for the first time,” Ben Jones, CEO of dark web
intelligence firm Searchlight Cyber, which collaborated with Marsh McLennan,
said in a press release.

Cybercriminals use the dark web to communicate among one another, plan their
attacks, and buy, sell, and build the tools they need to execute them, according
to the Marsh McLennan report.

Dark web intelligence is “highly correlated” with forthcoming cyber incidents,
as well as cyber insurance loss frequency, the research found. 

“The first step has to be to gain visibility into your exposure on the dark
web,” the report said. “Understanding where the organization is vulnerable is
critical for informing defense and the value of pre-attack intelligence is that
it creates an invaluable window of time for the security team to act before the
network is breached.”

Marsh McLennan analyzed Searchlight’s dark web dataset against a sample of 9,410
organizations with an overall breach rate of 3.7% from 2020 to 2023 to determine
whether there was a correlation between data breaches and findings on the dark
web in the year before the incident.

The first half of 2024 saw 1,571 data compromises, a 14% increase compared to
the year-earlier period, according to an analysis by the Identity Theft Resource
Center, a nonprofit organization established to support victims of identity
crime.

In one high-profile example, AT&T in late March disclosed a massive data
security breach impacting as many as 73 million current and former customers.
The company said it determined that “data-specific fields” from the company were
contained in a data set released on the dark web.

The compromised data varied by customer and account, but may have included full
names, email addresses, mailing addresses, phone numbers, Social Security
numbers, dates of birth, and AT&T account numbers and passcodes, according to a
set of frequently asked questions published by the company at the time.

The incident triggered a flurry of proposed class action lawsuits. In June, the
Judicial Panel on Multidistrict Litigation issued an order that consolidated the
cases in the U.S. District Court for the Northern District of Texas.

Nearly half of U.S. businesses have suffered significant revenue loss due to a
data security incident, according to survey results published last month by data
protection company Arcserve.

Article top image credit: HenrikNorway via Getty Images



HOW CYBER INSURANCE COVERAGE IS EVOLVING

Cyber insurance coverage can help raise security baselines across businesses,
but organizations that have standalone policies are the exception to the rule.

By: Sue Poremba • Published July 25, 2024

One of the most effective ways to improve cybersecurity throughout an
organization is to purchase cyber insurance. 

It won’t eliminate the possibility of a data breach, but because there are
strict rules to gain approval during the underwriting process, an
organization’s overall cyber posture automatically improves, according to
research from Forrester. 

Despite the positive impact from cyber insurance, the Forrester study found just
one-quarter of companies have a stand-alone cyber insurance policy. 

There are plenty of reasons why organizations continue to shy away from
stand-alone cyber insurance. It could be that other insurance policies held by
the company include some cyber coverage. But concerns around cost and coverage
limits have also scared away potential buyers. 

Adding to the coverage gaps is the complexity of gaining coverage, with separate
first-party and third-party policies. 

“First party is an insurance policy that covers you for your loss. The
third-party policy pays you to defend yourself against a third party and pays a
third party if there is a judgment against you,” said Peter Hedberg, VP of cyber
underwriting at Corvus Insurance, to an audience at the RSA Conference in San
Francisco in May. 

The first cyber policies provided predominantly third-party coverage focusing on
covering online media and computer errors, but in the 2000s, the exposures
evolved to include data breaches, explained Emma Werth, RVP Underwriting at
Cowbell Cyber, in an email interview. The need for first-party coverages emerged
with the increased exposure to viruses, ransomware, and cybercrime. 

“Now, we’re seeing further evolution as we face the new exposure of AI,” said
Werth.


NEW TECHNOLOGIES SHIFT COVERAGE

AI is front and center in the race to recognize new technologies and connected
devices at risk of cyberattacks. Organizations are trying to figure out how AI
is being used and how to differentiate an attack caused directly by AI rather
than as part of another attack or a rogue employee. 

It is a global change for everything, and even insurance companies are
struggling to figure out how policies will cover AI.

“AI is going to affect every type of insurance because it is going to affect
risk,” said Violet Sullivan, AVP solutions team leader at Crum & Forster, during
the RSAC panel.

But cyber insurance is shifting its coverage outside of the corporate network
and into a more personal realm.

“We have cyber [insurance] for autos now to protect against data breaches if an
auto’s information system is compromised,” said Monique Ferraro, Cyber Counsel
with HSB, during the RSAC panel. 

Personal insurance is also becoming more commonplace as more homes and
businesses are using smart devices. Cryptocurrency insurance protects wallets
and exchanges, and there is more attention for privacy protection.


THE PRICE OF COVERAGE

Cyber insurance procurement continues to be a lengthy process, but it is getting
easier for companies to obtain. 

“Overall, we are seeing stronger cyber hygiene across the industry,” said Werth.

Even small and medium-sized enterprises with fewer controls are able to obtain
insurance since measures like multifactor authentication, password managers or
passwordless technologies and data backups have become standard for most
businesses. 

It is also becoming more common for cyber insurance providers to partner with
companies to help them strengthen their cyber posture during their policy
lifecycle to become more cyber resilient.

Overall, prices of cyber insurance policies are either flat from year to year or
decreasing. But there are exceptions to this. 

“Industry classes that have experienced headline events, e.g. healthcare
technology; hospital systems, continue to see pressure on premiums and
deductibles,” said Ryan Griffin, partner and head of U.S. cyber at McGill and
Partners, in an email interview.

Ransomware is going to continue to be a sticking point in cyber insurance
coverage and expense. It was only a year or two ago that getting coverage for
ransomware was nearly impossible; however, the current trend is that payments
for ransoms have dropped. 

The real problem is the costs of business disruption that comes with a
ransomware attack, and that impacts costs and availability. 

The right insurance policy should align with the organization’s security policy,
just as it would be for any other security vendor agreement. 

“Cyber insurance is one of the many tools in your toolbox. It’s one of the ways
of mitigating risk,” said Sullivan.

Article top image credit: BNMK0819 via Getty Images


PHISHING REMAINS CLOUD INTRUSION TACTIC OF CHOICE FOR THREAT GROUPS

The long-lasting effectiveness and success of phishing campaigns underscores the
most central challenge in cybersecurity — people are the weakest link.

By: Matt Kapko • Published Oct. 2, 2024

Phishing is the leading initial-access vector for attacks in cloud environments,
IBM X-Force said in its latest Cloud Threat Landscape Report. IBM’s latest
findings are in line with a collection of other recent research from incident
response firms and cybersecurity vendors about the prevalence and impact of
phishing.

The mode of attack, which threat groups use to harvest credentials for systems
and network access, accounted for one-third of all cloud-related incidents IBM
X-Force responded to during the two-year period ending in June.

Threat groups most often use phishing emails to trick recipients into entering
login information on malicious sites for adversary-in-the-middle attacks, IBM
X-Force found. AITM phishing is a more sophisticated form of phishing attack
that can bypass some forms of multifactor authentication, the report found.

The long-lasting effectiveness and success of phishing campaigns underscores the
most central challenge in cybersecurity — people are the weakest link and
credentials are the root of the problem.

An entire industry is built around training professionals to think twice before
clicking a link in a text message or email that directs them to a login page
asking for credentials. Yet, year after year, phishing remains the king of
compromise.

Ultimately, organizations are responsible for defending their systems against
attacks.

Valid credentials were the initial-access vector for 28% of all cloud-related
incidents during the two-year period. Exploited vulnerabilities in public-facing
applications were the third-most common initial-access vector, turning up in 22%
of all cloud intrusions, IBM X-Force said.

The top actions on objective, the avenues threat groups take to accomplish their
goals, further illustrate the problem. X-Force said 2 in 5 incident response
engagements over the past two years involved the abuse of cloud-hosted Active
Directory servers to conduct business email compromise attacks, making it the
top action on objective.

When attackers employ AITM phishing attacks to bypass MFA, they put a proxy
server between the target and the legitimate service to collect the credentials
and tokens that victims generate after authenticating the session on a malicious
page, X-Force researchers said.

Once this level of access is granted, threat groups can do whatever they want
within that compromised application. Oftentimes, this results in downstream
compromises when cloud resources share the same enterprise credentials, the
report found.

While cybersecurity professionals and authorities resoundingly agree MFA in any
form is better than single-factor authentication, the relentless wave of attacks
in MFA-equipped environments shows the extent to which MFA defenses can crumble.

Phishing-resistant MFA aims to strengthen enterprise defenses against phishing
attacks by limiting or removing user interaction. These advanced modes of
authentication come in many forms relying on cryptographic techniques, such as
private and public keys, the Web Authentication API specifications, biometrics
or the FIDO2 standard.
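The reason a WebAuthn/FIDO2 credential resists the proxy-in-the-middle pattern described above is that the browser, not the page, records the origin the user is on and scopes the credential to the site's domain, and the relying party checks both before trusting the signed response. The following is an added example written for this page, not code from IBM X-Force or any WebAuthn library: `bank.example` and the lookalike `bank-login.example` are constructed names, and an HMAC over a shared secret stands in for the public-key signature a real authenticator would produce, so the verification steps are the same but the cryptography is simplified.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"                       # constructed relying-party id
RP_ORIGIN = "https://bank.example"           # the only origin the RP will accept
PROXY_ORIGIN = "https://bank-login.example"  # constructed lookalike origin in the middle


class Authenticator:
    """Toy authenticator: one credential per rpId. HMAC with a per-credential
    secret stands in for signing with the credential's private key."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # handed to the RP in place of a public key (toy)

    def get_assertion(self, rp_id, client_data_json):
        key = self._creds.get(rp_id)
        if key is None:
            return None  # no credential scoped to this rpId: nothing to sign
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        signed = rp_id_hash + hashlib.sha256(client_data_json).digest()
        return {"rp_id_hash": rp_id_hash, "client_data_json": client_data_json,
                "signature": hmac.new(key, signed, hashlib.sha256).digest()}


def browser_ceremony(page_origin, challenge, authenticator):
    """What the browser does: it writes the page's real origin into
    clientDataJSON and derives the rpId from that origin's host (simplified:
    real browsers also allow a registrable parent domain), so the page cannot
    lie about where the user actually is."""
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    return authenticator.get_assertion(host, client_data)


class RelyingParty:
    def __init__(self, cred_key):
        self._key = cred_key
        self._pending = set()  # challenges issued but not yet consumed

    def new_challenge(self):
        challenge = secrets.token_urlsafe(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, assertion):
        """Each check mirrors a step of the WebAuthn assertion verification."""
        if assertion is None:
            return False, "no assertion"
        cd = json.loads(assertion["client_data_json"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") not in self._pending:
            return False, "unknown or replayed challenge"
        if cd.get("origin") != RP_ORIGIN:
            return False, f"origin mismatch: {cd.get('origin')}"
        if assertion["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
            return False, "rpId mismatch"
        signed = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data_json"]).digest()
        expected = hmac.new(self._key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        self._pending.discard(cd["challenge"])  # one-time use
        return True, "ok"


def run_scenarios():
    auth = Authenticator()
    rp = RelyingParty(auth.register(RP_ID))
    results = {}
    # 1. User signs in on the genuine origin.
    results["direct"] = rp.verify(browser_ceremony(RP_ORIGIN, rp.new_challenge(), auth))
    # 2. User is on the proxy's lookalike origin; the proxy relays the real challenge.
    #    The browser scopes the request to the lookalike host, which holds no credential.
    results["relayed"] = rp.verify(browser_ceremony(PROXY_ORIGIN, rp.new_challenge(), auth))
    # 3. Even if an assertion were somehow produced under the real rpId, the origin
    #    the browser recorded still names the lookalike and the RP rejects it.
    forced = json.dumps({"type": "webauthn.get", "challenge": rp.new_challenge(),
                         "origin": PROXY_ORIGIN}).encode()
    results["forced"] = rp.verify(auth.get_assertion(RP_ID, forced))
    # 4. A captured, previously accepted assertion cannot be replayed.
    good = browser_ceremony(RP_ORIGIN, rp.new_challenge(), auth)
    rp.verify(good)
    results["replay"] = rp.verify(good)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:8s} -> {outcome}")
```

Contrast this with a one-time code typed into a page: nothing in a six-digit OTP records where it was typed, so a relay that forwards it to the real site is indistinguishable from the user. Origin binding and rpId scoping are what the page means by "limiting or removing user interaction": the user never sees or copies anything that could be forwarded.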

Article top image credit: stefanovsky via Getty Images




HOW CISOS APPROACH RISK MANAGEMENT

Cyber risk management strategies entered the spotlight last year as new rules
from the Securities and Exchange Commission took hold. The conversation is
changing rapidly due to the emergence of generative AI and a general rush to
adopt technology without fully understanding its risk.

INCLUDED IN THIS TRENDLINE

 * Phishing remains cloud intrusion tactic of choice for threat groups
 * How to manage the rising tide of CVEs
 * Data privacy concerns swirl around generative AI adoption

Our Trendlines go deep on the biggest trends. These special reports, produced by
our team of award-winning journalists, help business leaders understand how
their industries are changing.
Davide Savenije Editor-in-Chief at Industry Dive.