3 reasons that cybersecurity is in the state it is!

Cybersecurity is at a low level for several reasons.

One reason is that organizations, governments and individuals are not investing enough in cybersecurity measures.

This can include not allocating sufficient budget or resources for cybersecurity training, hiring, and technology.

Another reason is that many organizations and individuals do not have a clear understanding of the cyber threats they face, and as a result, do not prioritize cybersecurity.

Additionally, many companies and individuals are still using outdated software, hardware and systems that are vulnerable to cyber-attacks which could have been prevented if they were updated.

Furthermore, the sophistication and complexity of cyber attacks are increasing at a faster rate than organizations and individuals can keep up with.

All these factors combined have led to the current low level of cybersecurity.

Lowest entry-level ever

Today, the entry level for cybercrime is at an all-time low.

This is due in part to the increasing availability of easy-to-use tools and resources that allow individuals with little technical expertise to engage in cybercrime.

For example, there are now numerous online forums, tutorials, and hacking tools that can be easily accessed and used by anyone with an internet connection.

Additionally, the rise of the dark web has made it easier for individuals to purchase and use malicious software, such as malware and ransomware, for criminal activities.

Furthermore, the increasing use of automation and AI in cybercrime has made it easier for cybercriminals to launch large-scale attacks and target a wide range of victims.

All these factors have lowered the entry level and increased cybercrime, which is a major concern for organizations, governments and individuals.

Education and training from the wrong direction

Education and training that is delivered in a top-down manner, where the information and knowledge is passed down from the top level of an organization to the bottom, can fail for several reasons.

One of the main reasons is that it does not take into account the unique needs and perspectives of the individuals or groups who are being trained.

The information may not be tailored to their specific role or level of understanding, making it difficult for them to apply it effectively in their work.

Additionally, top-down education and training can lead to a lack of engagement and buy-in from the individuals or groups who are receiving the training.

Without their active participation and interest, the training may not be as effective in achieving its goals.

A bottom-up approach, on the other hand, is more inclusive and empowering, and it starts with the needs and perspectives of the individuals or groups who are being trained, ensuring that the training is more relevant and meaningful to them.

Software was written for the first to market, not as a secure platform

Software that is written with the primary goal of being the first to market may not prioritize security.

This means that the software may have vulnerabilities or weaknesses that can be exploited by cybercriminals or hackers.

These security flaws can lead to data breaches, loss of sensitive information, and other types of cyber attacks. Additionally, software that is not designed with security in mind may not comply with industry regulations or standards, which can lead to legal and financial repercussions for the company that developed the software.

To avoid these issues, it is important for companies to balance the need for speed to market with the need for a secure and compliant software platform.

Additional

AI

Artificial intelligence (AI) will have a significant impact on both cybersecurity and cybercrime.

On the cybersecurity side, AI can help organizations and individuals detect and respond to cyber threats in real time, by using advanced machine learning algorithms to analyze large amounts of data, identify patterns, and make predictions about potential attacks.

Additionally, AI-based systems can also be used to automate many security processes, such as patch management and incident response, which can help organizations and individuals become more efficient and effective in defending against cyber attacks.

On the other hand, AI can also be used by cybercriminals to launch more sophisticated and automated attacks, such as spear-phishing, social engineering, and malware campaigns.

AI-based malware can also be designed to evade detection by traditional security systems and can spread quickly across networks.

Additionally, AI can also be used to enable new forms of cybercrime, such as deepfake generation, which can be used to impersonate individuals or organizations in order to steal sensitive information or money.

Therefore, AI can have a significant impact on both cybersecurity and cybercrime, and it’s important for organizations and individuals to stay aware and adapt to the new technology.

No one waits for a car accident before investing in insurance, so why would cyber insurance be any different?

The use of technology has become an integral part of our daily lives.

From the way we communicate with others to the way we conduct business, technology has transformed nearly every aspect of modern society.

As a result, the risk of cyber-attacks and data breaches has also increased significantly.

Unlike car accidents, which are typically one-time events, cyber attacks can have long-term consequences.

They can result in the theft of sensitive personal and financial information, damage to a company’s reputation, and even legal action.

The costs associated with these types of attacks can be substantial.

This is where cyber insurance comes in.

Just as we invest in car insurance to protect ourselves in the event of an accident, cyber insurance can provide protection against the financial consequences of a cyber-attack.

It can help cover the costs of recovering from an attack, such as legal fees, data restoration, and public relations efforts.

There are several reasons why people and businesses should consider investing in cyber insurance.

It provides financial protection in the event of a cyber attack.

It’s impossible to completely eliminate the risk of a cyber-attack, but having insurance can help alleviate some of the financial burden that comes with dealing with the aftermath.

Another reason to consider cyber insurance is the increasing frequency of cyber attacks. It’s not a matter of if a company will be attacked, but when.

There are potential legal consequences to consider.

A company may be held liable for a data breach if it fails to adequately protect customer data.

Cyber insurance can help cover the costs of legal action and settlements, which can be substantial.

Despite the clear benefits of cyber insurance, many people and businesses still don’t invest in it.

This may be due to a lack of awareness about the risks of cyber-attacks and the potential consequences.

Others may believe that their company is too small to be a target or that they have sufficient in-house security measures in place.

It’s important to remember that cyber attacks can happen to anyone, regardless of size or industry.

Small businesses and non-profits are often targeted because they may have fewer resources to devote to cybersecurity.

Cyber insurance can provide an extra layer of protection against the unexpected.

Just as no one waits for a car accident before investing in insurance, it’s important not to wait for a cyber attack before considering cyber insurance.

The risks of a cyber attack are real and the consequences can be severe.

Don’t wait until it’s too late – consider cyber insurance for your business today.

It is the responsibility of the board of directors to carefully consider and manage these risks.

Business risk is an inherent part of any enterprise, and it is the responsibility of the board of directors to carefully consider and manage these risks.

When it comes to cybersecurity, there are several factors that the board of a small, medium or non-profit enterprise should consider in order to determine what is an acceptable business risk.

First and foremost, it is important for the board to understand the potential consequences of a cybersecurity breach.

This includes not only the financial costs of responding to the breach and repairing any damage but also the impact on the company’s reputation and customer trust.

The board should also consider the likelihood of a cybersecurity breach occurring, as well as the potential severity of the consequences.

One way to manage cybersecurity risk is through the implementation of robust security protocols and technologies.

This includes ensuring that all software and systems are regularly updated and patched, using strong passwords and implementing two-factor authentication, and regularly training employees on cybersecurity best practices.

The board should also consider investing in cybersecurity insurance, which can help to mitigate the financial impact of a breach.

Another aspect of managing cybersecurity risk is having a robust incident response plan in place.

This should outline the steps to be taken in the event of a breach, including how to communicate with employees, customers, and the media, as well as how to restore systems and recover from the incident.

It is important for the board to consider the potential for external threats, such as cybercriminals.

This includes considering the use of security tools such as firewalls and intrusion detection systems, as well as implementing processes for monitoring and detecting potential threats.

In addition to these technical measures, the board should consider the role of company culture in managing cybersecurity risk.

This includes promoting a culture of cybersecurity awareness and education among employees, as well as setting expectations for responsible behavior online.

Ultimately, the acceptable level of business risk when it comes to cybersecurity will depend on the specific circumstances and needs of the enterprise.

The board should carefully consider the potential consequences of a breach, the likelihood of such an incident occurring, and the measures in place to mitigate and manage these risks.

By taking a proactive approach to cybersecurity, the board can help to protect the company’s assets and reputation, and ensure the long-term success of the enterprise.

Cyberattack – Why are we so vulnerable

By the end of 2022, it is predicted that not-for-profits, associations, charities and SMEs will face more than 50,000 cyberattacks per day.

99% of those attacks are automatic, randomly generated attacks that can be counteracted by available basic systems (AV, Firewalls, SPAM filters, SPAM blockers).

These automatic random attacks are created by in-training cybercriminals and cyber activists (script kiddies).

Although the numbers are astounding, they also indicate that we need to be vigilant at all times.

Because we still need to address that 1%.

Those approximately 500 attacks are targeted at YOU and your organisation.

They are focused on gaining access to your stuff, stealing your money or encrypting your data.

How do we stop that?

We do not and cannot stop it by believing “it will never happen to me”, “we are not a target” or “we have nothing worth stealing”.

We stop it by being proactive.

We stop it by taking security seriously.

We stop it with increased awareness!

We stop it with capability.

Doing nothing is not an option.

If you are frozen like a kangaroo in the headlights of a fast-moving truck, then you need a push.

A push in the right direction.

A direction that delivers better business security.

Like any complex and dangerous journey, we start with a single step.

That first simple step is to have a conversation with someone like me.

Cyberattacks

Ransomware – why is it such an issue?

In 2020 we saw a 100% increase in ransomware attacks.

In 2021 we saw a 100% increase in ransomware attacks.

Ransomware attacks are literally doubling each year.

Can we expect anything different this year?

With those sorts of statistics, we should be afraid, very afraid.

But we are not.

You would think that we would be concerned.

But we are not!

In fact, in most cases, we make it overly easy for a cybercriminal to steal our stuff.

We need to look at this another way as the bad guys have changed – again.

On the internet, there is now “Ransomware as a service”.

As a criminal, if you have a little bit of money, you can get a system that creates and delivers malware to anyone on the internet.

With the success of ransomware, they are guaranteed to make money.

We have to do more.

More than what we are doing, because it is not good enough.

We still use bad passwords.

Have you done a password review?

We have complete backups.

Have we ever tested them?

We have patched systems and operating systems.

Are there any systems that have not been patched?

How do you avoid a ransomware attack?

Is there recovery from ransomware?

That really does depend on you.

A ransomware attack can happen to anyone, at any time and on any system.

If you think “it will not happen to me”, then you could have a problem.

Ransomware is the scourge of cybercrime.

It can be enacted by people who have no technical knowledge and are just following a script and system that was downloaded from the internet.

It can be enacted by sending a couple of thousand emails to a list of people that they purchased on the internet.

It can be enacted by targeting a group of internet addresses that they thought would be lucrative.

There used to be a thing called “security by obscurity”, where you could hide on the internet and be relatively secure.

That capability is no longer a viable defence strategy.

If you think you will never be targeted, are too small or have nothing worth stealing, and you do have a cyber event, there is little chance of you being able to recover.

But

If you have a different attitude.

If you think the opposite.

Then there is a chance that you will not be a victim.

If you think that you could be a target then you are already thinking about your response.

You are already thinking proactively.

You are ready to think of contingencies.

Even if you do have a ransomware attack, you and your team already know what to do because you have thought about it.

You have plans, processes, procedures and policies in place.

If you have tested them and improved on them then that makes it even more possible that you will survive.

The old adage “expect the best but plan for the worst” is relevant today against the cybercriminal.

Why didn’t I insure my bike?

What If

When I was in the Navy, I was based at Garden Island in Western Australia on and off for 5 years.

In that time I was relatively fit and I represented the Navy in a number of sports.

I would pedal to work (20 km each way) at least 4 days a week.

On a good day 40 minutes from the front door to the office.

90 minutes on the way home because you had to stop at the pub to get the goss.

If you know the island you know that there is one problem.

No matter what direction you were going, morning, afternoon or even if you had the luxury of knocking off early, you ran into the wind.

On the causeway, the easterly and the sea breeze were always in your face.

Both of them could get up to 40 km per hour.

The only consolation was the flatness around the area.

One day my bike was stolen.

Taken out of the backyard.

It wasn’t until it was gone that I realized what it was doing in my life, apart from keeping me fit.

I didn’t have to drive so the wife could have the car to ferry the kids and do all of the other stuff she needed to do.

I didn’t have to drive so there was always extra money in the budget for everything we needed.

I could no longer come and go as I pleased, I now had to fit in with everyone else.

I could no longer go to the pub on the way home.

In fact, apart from the initial cost, the bike had cost me nothing.

This is what is happening in the digital world.

We do not know or understand the heavy lifting that our digital devices and services are doing for us.

That is until they are gone.

When they are gone, we realize that we, or our business, organisation or association, have taken them for granted.

They were doing everything.

So an accidental loss, a cyber event or an insider will cause havoc unless you have stood back and thought:

What If?

What if we turn it all off?

Now what!

That “what if” makes you proactive.

It builds in resilience.

It is the first step to increased revenue, improved capability and scalability.

Have you looked at the business and thought WHAT IF????

Cybersecurity for the C suite executive (CEO, CFO, COO)

Let’s look at the facts!

No matter the size, shape or industry of an organisation, no one is fully prepared for a full-on, bare knuckles, cyber ninja assault.

We are not talking about a random attack.

An attack that is being perpetrated against your organisation with Metasploit and a new copy of Kali.

This attack is from Mr. Creepy!

He knows what he is doing.

He knows what he is after.

But, more importantly, he also knows how to get it.

He has studied your organisation for months to find your weaknesses.

He has the skills and resources (very important) to break in and steal your crown jewels.

These are the people who give my industry grey hairs and stress lines.

Thinking that there is no way that you would be targeted by a professional is a grave mistake.

Because it no longer needs to be a professional!

They are quite happy to train others in the required skills.

They are quite happy to sell others their expertise.

They are quite happy to tell others where they are going wrong.

They have created capabilities and skills that they have incorporated into something to sell.

This increases the capability of the inexperienced cybercriminal immensely.

Want to avoid being on the radar as a prime target? Then YOU NEED TO DO SOMETHING.

Here is something to start with.

Cybersecurity checklist
