Demystifying Cybersecurity: Expert Insights from Norman Dougherty at Solis Security

In today’s rapidly evolving digital landscape, cybersecurity takes a front seat in the minds of business owners. As cyber threats grow in sophistication and impact, the question isn’t ‘if’ but ‘when’ your business will be a target. To help business owners gain a comprehensive understanding of this complex field, we’ve sought the expertise of Norman Dougherty, a seasoned cybersecurity specialist from Solis Security. Solis is known for delivering best-in-class managed cyber security services and incident response for businesses around the world.

Norman shares his experienced insights, technical advice, and strategies to assist businesses in comprehending cyber risks, keeping abreast of the latest trends, and deploying effective mitigation tactics.

Q&A with Norman Dougherty

The intricacies of battling ransomware and email compromise

Norman sheds light on the intricate challenge of dealing with ransomware (the practice of getting inside your systems and encrypting the data and holding it for ransom), stating, “Ransomware stands out as a highly menacing threat due to its potential to inflict severe damage on businesses. Organisations must not only proactively prepare with clear strategies but also respond swiftly and decisively.”

“Email compromise has also been on the rise. It’s a bit more subtle, as it involves getting into the system and monitoring for an opportunity, such as invoices coming in for payment, and then they’ll interject and change the details on the invoice or request payment in a different format, and then unwillingly and unknowingly the business will pay potentially hundreds of thousands of dollars to the wrong entity (the threat actor).”

“To avoid becoming the low-hanging fruit for cyber attackers, businesses should employ multiple layers of defence. Cyber attackers are going for the easy targets, where possible – they just want to get in, get their money, get out and move on. So having a layered approach is likely to help deter them from persisting in their efforts.”

An interesting fact about cyber attacks is that the person who initially accesses your systems is not always the one who creates the problem. The party that gains initial access is sometimes known as an ‘access broker’, who then sells that access on the dark web to whoever sees it as valuable. Access brokers are not the only role: there are also customer service agents, supervisors and ‘CEOs’ of these illegal but rather organised cyber-attack businesses.

Norman offers insights into preparation and incident response strategies, stressing the significance of informed actions to combat this nefarious threat. This can include proper incident response planning, cybersecurity audits, employee training, regular updates and backups and a focus on continuous improvement.

The evolution of cyber insurance and mitigation

No longer is applying for cyber insurance just a tick-a-box exercise. Given the prevalence of cyber-attacks, insurers are requesting or even requiring more risk mitigation before they accept the risk. Most cyber insurers will require evidence of your risk mitigation, such as multi-factor authentication, system updates and data back-up procedures, data encryption and employee education.

Asked what type of protections he would be looking for, Norman says, “As a minimum I’d want to see an ‘EDR’ which is an endpoint detection and response, which is basically an antivirus on steroids, giving us visibility on every single device in the organisation and monitoring any suspicious or malicious activity that may be occurring.”

In the meantime, the types and sources of cyber risk continue to evolve, and Norman and his team are taking a proactive approach.

“I can’t comment about what other large security firms do, but Solis Security’s parent company CFC (previously CFC Underwriting) invests heavily in threat intelligence to stay abreast of developing cyber risk. Covert intelligence is also gathered from within the ‘dark web’ and forums where cyber threat actors exchange information. Once a possible vulnerability is known, pre-emptive measures can be deployed.”

When in doubt, having an IT security assessment or cyber health check is a great way to provide visibility across your organisation and help you prioritise where to improve.

The obligation of disclosure and effective breach response

In the aftermath of a cyber breach, businesses grapple with a multitude of responsibilities, both legal and ethical. Norman elucidates, “A cyber incident where the threat actor has taken a copy of, or accessed sensitive personal or health information may trigger a notification requirement under the Privacy Act. As incident responders, our role includes coordinating breach response activities, working with legal professionals to assist in understanding risk and regulatory requirements, and potentially assisting in communication with affected parties.”

The impact of AI on cyber risk

The rise of artificial intelligence-related technology is a bit of a double-edged sword when it comes to cyber risk. It can certainly help threat actors speed up their processes quite a bit and do things like create ‘deep fakes’, but it is equally being used to help identify risks and prevent attacks from happening.

Back to ‘basics’

While thinking about the future of cyber risk, AI and security can be daunting, many successful attacks happen when your risk management falls over at the first hurdle (that collective sigh is from those of us whose passwords could definitely be stronger).

Norman underscores the pivotal role of education in fortifying an organisation’s cybersecurity posture. He comments, “People are often the first line of defence and the weakest link simultaneously. Ensuring that employees are well-informed and vigilant is crucial in preventing sophisticated scams.” He suggests implementing comprehensive employee training programs to educate staff about recognising phishing attempts, social engineering, and other deceptive tactics used by cybercriminals. The more resilient the human firewall, the more challenging it is for attackers to breach an organisation’s defences.

Educating your employees is not just a one-time affair but an ongoing process. Regular training sessions and simulated phishing drills can significantly reduce the risk of falling prey to scams and bolster your organisation’s overall cybersecurity posture.

One frequently referenced framework is the ‘Essential Eight’, which is designed to help organisations protect themselves against various cyber threats.

The ‘Eight’ include: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication and regular backups.

Acacia Insurance Director Martin van Rhoon says “Insurance should be your last line of defence. It’s meant to be a safety net that you can rely on if all else goes wrong, but an overreliance on insurance without any other risk mitigation may cause the solution to be unsustainable in the long term, leaving businesses even more exposed. We’re already seeing hardening of rates and narrowing of the scope of cover in this space, however for many organisations discontinuing the cover isn’t an option because cover is often a standard requirement for those dealing with external organisations and evidence of same is often required in Requests for Proposals (RFPs). We’ve been advocating for our clients and for all of us to do our part in helping to manage the scale of cyber threat.”

When things do go wrong, having a trusted cyber security expert on hand can help recover the situation through technical expertise, or negotiate with the threat actor to stall for time or achieve a more favourable outcome. An insurance adviser that understands cyber risk can also help you financially weather a cyber-attack.

Conclusion

Norman Dougherty’s insights remind us that a well-rounded cybersecurity strategy encompasses not only robust technical defences but also a vigilant and educated workforce. As the threat landscape continues to evolve, the ability of employees to identify and thwart scams becomes increasingly crucial. Cybersecurity is a shared responsibility, and businesses must invest in empowering their teams with the knowledge and skills required to counteract even the most sophisticated cyber threats. By implementing education programs and fostering a culture of cybersecurity awareness, organisations can effectively reduce their susceptibility to scams and fortify their defences in this digital age.