In 2018 I was asked to brief the European Parliament about the risks of cyberterrorism. In talks after the public hearing there was a desire for a checklist of sorts: one that would allow an organisation to at least assess where it stands from a cybersecurity perspective.
What ensued was a painstaking search for something already out there… yet there was nothing that wasn’t a sales pitch by some company.
All publicly available information was then merged and spiced up into ACRAC, the Advanced Cybersecurity Risk Assessment Checklist.
Whether or not your organization’s data is valuable to outsiders depends heavily on what business you’re in.
Generally speaking, your organization’s data is valuable, period.
There is an ever-increasing amount of data being taken from paper and digitized.
Therefore organizations are not only victims of attempts at corporate espionage, but also of data-collecting spies and even more persistent threats.
A while ago I worked on a case of CEO fraud, in which the main enabler was a vulnerability in the organization’s email server. It was exploited and allowed the perpetrators to monitor email communication between the chief executive officer and the chief financial officer.
This vantage point was then exploited by the attackers, and the organization lost a couple of million euros; unretrievable.
So you see, it’s not only corporate espionage that threatens valuable information; far less conspicuous information can also be used to harm your organization.
Getting cyber insurance coverage that is adequate and up to speed with current threats is a totally different story.
Currently, very conservative and traditional insurance companies are trying to deliver top-of-the-line products, mostly to customers who don’t need them.
So what’s up with that?
A while ago, I tried to sign an e-commerce business with an insurance company that appeared to be very advanced in writing cyber insurance contracts.
During the negotiations, however, it turned out that they generally ruled out e-commerce businesses.
The main argument was that an e-commerce business could fall victim to a denial-of-service attack.
My counter-argument was that any conventional business could burn down, and still they wrote insurance policies for the buildings of this client.
I went on to argue that denial-of-service attacks are easily mitigated through various means, the most important of which is a content distribution network.
Still, the insurance company wouldn’t budge.
Having close connections inside the insurance company, I went ahead and looked at their exclusion list. And it was terrifying!
I ended up working with them to reduce the general exclusions and soften some of their strict policies towards certain types of businesses. Now they are doing tremendously well and signing up risks that are manageable.
Phishing has always been a rather difficult issue to solve.
I’ve spent countless hours trying to create programs to successfully keep employees from opening suspicious emails, believe me!
The new generation of phishing, however, is even more complex and the threat is even more difficult to mitigate.
In the most recent cases I worked on, the email sent to the victim was either announced or followed up by a phone call from a seemingly legitimate source.
Thereby, the victim was duped into opening the attachment that infected the system or network, and there is pretty much no training that will help to reduce that risk.
One of the measures we began working on was to have existing contacts confirm their identity through an instant-messaging (IM) channel. Of course this only works if the source is internal and/or the source is reachable on an IM service.
Stay safe folks! These new attacks are devious with potentially devastating consequences, essentially with no one to blame.