Risk Management

The majority of CISOs and other IT security leaders, almost 4 in 5, say they have felt pressure from their corporate boards to downplay the severity of cyber risk, according to a study commissioned by Trend Micro.

The study highlights ongoing tension within the upper ranks of corporations between C-suite executives, investors and security operations over how to properly manage and communicate security risk.

“The board is focused on the overall business and typically there is a big effort to ensure the company supports their investors,” Jon Clay, VP of threat intelligence at Trend Micro, said via email. “As such they want to ensure the reputation, revenue and profitability is tantamount.”

Among those security leaders feeling pressure from their boards, the report found 43% say they are seen as nagging or repetitive and 42% say they are seen as being overly negative about cyber risk. The report is based on a worldwide survey of 2,600 IT security leaders conducted by Sapio Research. 

The debate is particularly relevant in the U.S., as the Securities and Exchange Commission requires publicly traded companies to disclose material cybersecurity incidents within four business days of such determination. 

Companies must also annually disclose information about their cyber risk strategies.

The SEC in 2023 filed charges against SolarWinds and its top cyber risk executive, alleging the company misled investors about the company’s cyber resilience.   

Brian Walker, CEO of the CAP Group, which advises corporate boards and executives on cyber risk, disagrees with the findings about board pressure, but agrees communications between CISOs and board directors are often misaligned. 

“Most boards are aggressively trying to understand cyber risks in context of all other enterprise risks,” Walker said via email. 

The findings are somewhat contradicted by a report from Proofpoint, which shows increased alignment between CISOs and their respective companies. The 2024 Voice of the CISO report shows 84% of CISOs say they see eye-to-eye with their boards on cyber risk, a significant improvement from a year ago, when only 62% saw such alignment. 

Despite the improvements, CISOs still feel tremendous pressure to carry the weight of cyber risk on their backs. Proofpoint's study shows 66% of CISOs say they are faced with excessive expectations, compared with 61% in the year-ago study. 

“While CISOs are enjoying closer ties with key executive partners, stakeholders, board members and regulators, this proximity also brings higher stakes, more pressure and heightened expectations,” Patrick Joyce, global resident CISO at Proofpoint, said via email. 

Two-thirds of CISOs are concerned about personal liability, compared with 62% in the year-ago study. More than 70% of those surveyed said they would not join a company unless they had directors and officers coverage, which is personal liability insurance for top executives. 

Technology professionals say data privacy tops their list of ethical worries surrounding the deployment of generative AI in the enterprise, according to a Deloitte report. The firm surveyed 1,848 business and technology professionals. 

Nearly three-quarters of professionals ranked data privacy among their top three ethical concerns about the technology's use, according to the report. 

Two in 5 respondents flagged data privacy as their No. 1 concern this year, almost double the 1 in 4 that cited data privacy in Deloitte's 2023 survey.

Tech leaders are poring over the infrastructure and talent needs of their organizations as they help guide generative AI adoption. Ethical concerns should also make it on the checklist.

"GenAI collapses the ‘expertise barrier’: more people can get more out of data, with less technical knowledge needed," said Sachin Kulkarni, managing director, risk and brand protection, Deloitte LLP, in the report. "While a benefit, the potential for data leakage may also increase as a result."

Professionals are also worried about the impacts of generative AI on transparency, data provenance, intellectual property ownership and hallucinations. Job displacement, though often cited as a top concern, was only flagged by 16% of respondents.

Across emerging technology categories, business and IT professionals identified cognitive technologies — a category that includes large language models, machine learning, neural networks and generative AI, among others — as posing the most severe ethical risks. 

The category surpassed digital reality, autonomous vehicles and robotics, among other technology verticals. However, respondents also ranked cognitive technologies as the most likely to drive social good. 

Due to its reliance on data, the majority of executives are concerned about how generative AI tools can increase cybersecurity risks by expanding their attack surface, a Flexential survey published earlier this month found.

Sponsored content

By Imprivata

Safeguarding patient data is critical for healthcare organizations. Strong cybersecurity protects patients and avoids regulatory noncompliance. One essential solution to mitigating cyber risk is third-party access control.

In today's digital age, the healthcare industry faces numerous challenges in safeguarding protected health information (PHI). With reliance on third-party vendors and the near-constant threat of cyberattacks, it is imperative that organizations prioritize secure vendor access. Failure to do so can not only result in a cyberattack and grind operations to a halt, but also in noncompliance with HIPAA and can bring regulatory fines.

The consequences of noncompliance

It’s no secret that noncompliance with privacy regulations has financial and reputational consequences. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has been actively enforcing compliance with the Health Insurance Portability and Accountability Act (HIPAA) for years. But now we’re seeing more enforcement related to cybersecurity best practices, especially in the event of a ransomware attack.

We recently saw this when the OCR settled a $40,000 fine after a ransomware attack at Green Ridge Behavioral Health affected the PHI of more than 14,000 individuals. According to the OCR's investigation, there was evidence of HIPAA Privacy and Security Rule violations leading up to, and at the time of the breach. This included failure to:

Conduct regular and thorough reviews of potential risks and vulnerabilities to PHI

Implement security measures to reduce risks to a reasonable level

Sufficiently monitor system activity to guard against cyberattack

The settlement highlights how compliance must include proactively addressing security risks. Third-party access is a critical component to consider, as healthcare vendors often have over-privileged and broad access that greatly increases the organization’s vulnerability to data breaches, loss of PHI, and regulatory noncompliance.

What organizations can do to prevent noncompliance

According to the OCR, the primary cyberthreats in the healthcare sector are hacking and ransomware. The OCR observed a 256% increase in reports of large breaches involving hacking in the last five years, along with a 264% increase in ransomware reports. In 2023, the large breaches reported to the OCR affected more than 134 individuals — an increase of 141% from 2022 – and 79% of those breaches were hacking incidents.

The OCR recommends the following cybersecurity best practices for any organization covered by HIPAA:

Provide regular training specific to employee workflows, reinforcing everyone’s role in data security and privacy

Employ multifactor authentication to ensure that only authorized users can access PHI

Make sure that all business associate agreements appropriately address obligations relating to security incidents

Regularly conduct risk analysis and management processes, particularly when planning for new technology or operations

Implement audit controls to record and analyze system activity, and regularly review this information

Encrypt PHI to protect against unauthorized access

Use prior security incidents to determine how security processes should be improved

With the importance of securing third-party access, it’s clear that a vendor privileged access management solution is essential to meet many of the above OCR recommendations.

How vendor privileged access management helps with HIPAA compliance

A vendor privileged access management solution provides third-party identity management to prevent unauthorized vendor access. It also provides granular controls to ensure that vendors can only access what they need, and nothing more. If they don't need access to PHI, they don't have it. If they do need access, granular controls and policies ensure that it is as least-privileged as possible.

Meanwhile, robust audit capabilities allow organizations to monitor and review system activity. Video recordings enable organizations to record, examine and regularly review information system activity of their vendors. This allows organizations to address potential issues before they escalate. Along with granular controls, regular audits demonstrate a commitment to HIPAA compliance. In addition, audits help organizations understand how to update access control policies to align with continually evolving regulations.

Control third-party access to ensure regulatory compliance

Healthcare organizations face increasing regulatory scrutiny and cybersecurity threats. Consequently, a strong vendor privileged access management solution is crucial in mitigating vendor access risks and avoiding noncompliance and hefty regulatory fines, while also protecting patient data.

These proactive measures safeguard sensitive information and enhance the overall trust and confidence patients place in their healthcare providers.

Learn about how Imprivata Vendor Privileged Access Management (formerly SecureLink Enterprise Access) can help.

Software defects across MOVEit file-transfer services, Log4Shell and Citrix Bleed are among the highest-profile vulnerabilities that have been exploited in recent years, but they represent just a sliver of the total CVEs causing widespread damage.

The volume of CVEs is steadily increasing each year — SecurityScorecard recorded 29,000 vulnerabilities in 2023 and already this year it tracked nearly 27,500 vulnerabilities.

That number is expected to hit 34,888 in 2024, a 25% increase, according to Coalition’s 2024 Cyber Threat Index report. It underscores the challenge for organizations to continuously manage vulnerabilities and strengthen defenses against potential exploits.

While three-quarters of organizations employ a formal program to manage vulnerabilities, many are struggling with a backlog they cannot fix and a growing number that need vendors or the open-source community to remediate, according to the SANS 2022 Vulnerability Management Survey. 

Organizations need effective CVE management to mitigate the risks posed by these vulnerabilities, but many struggle with the complexity of identifying and prioritizing the most critical threats amid a constant influx of new vulnerabilities. 

“The sheer number of CVEs makes it difficult to keep track of all potential vulnerabilities,” said Amit Bismut, head of product at Backslash Security.

With many vulnerabilities deemed critical, the challenge is deciphering which ones pose the biggest risk. One way is to understand if the CVE can potentially be exploited in your specific environment, Bismut said.

Organizations need to prioritize vulnerabilities that represent a specific risk to the environment and direct resources so that the most dangerous vulnerabilities are mitigated promptly.

“Context helps security teams focus on vulnerabilities with the most significant threat to their unique setup, rather than trying to address every single issue,” he said.

How CVE identifiers help vulnerability ranking

Using the CVE number, which is a common identifier, security teams can rank vulnerabilities according to a range of data sources and use vulnerability scanners or intrusion detection systems to find them.

It wasn’t always this way. Before CVEs identification was formalized, security teams had to piece together vulnerability information, according to TK Keanini, CTO of DNSFilter and founding member of the CVE program.

The CVE program, now in its 25th year, has become foundational to many other security standards including the International Organization for Standardization, the payment card industry and the Healthcare Information Trust Alliance security framework.

It’s used in compliance, risk management and cybersecurity protocols, providing a standardized method for identifying and referencing specific vulnerabilities with a common identifier used by security teams everywhere.

“By incorporating all of these different perspectives, it creates a better, more actionable and more accurate workflow,” said Keanini.

With the rising tide of vulnerabilities, it’s not feasible to tackle every risk. Ranking means every CVE has a risk weight, critical to prioritizing patching and vulnerability management, especially as the scope of CVEs is only growing.

Every new line of code that’s introduced provides new opportunities for more CVEs, noted Keanini.

“We're not counting a static space. That’s why the scoring’s important to stack rank and know which ones are on your network,” he said.

Tackling CVEs with a strategic business lens

While the headline number of CVEs is going up, there’s more to it than that, given that a single CVE number can often refer to more than a single piece of code.

“One CVE might affect multiple different versions of software or packages of software, especially if that CVE is embedded in very pervasive code,” said Dustin Kirkland, VP of engineering at Chainguard.

When a vulnerability is discovered, it is enriched with additional information, although this doesn’t automatically mean it will lead to an attack as a vulnerability may be a proof of concept or a theoretical problem. 

“Not every CVE comes with either a fix or even a proof of concept that shows it’s a real problem that could be exploited in the wild,” Kirkland said.

If it warrants it, a fix is issued or the weakness declared so that security teams and scanning tools are aware of it. 

The scoring system helps ensure that the most real, egregious vulnerabilities get a higher priority than the lowest ones, which could be considered just nice to fix.

While the usual practice is responsible disclosure so that it can be identified, some CVEs are sold on the dark web by hackers and cybercriminals. 

“There's certainly an underground market for zero-day [vulnerabilities] and for undisclosed vulnerabilities, where they’re bought and sold on an underground market by some shady organizations,” he said.

In neutralizing CVEs, scanning tools are vital, yet it’s not simply a process of turning a vulnerability dashboard flashing red to green when consulted on a periodic basis.

While vulnerability management is largely driven by adherence to some compliance framework, security chiefs don’t usually have a singular goal of eliminating CVEs. 

“It’s usually tied to a business objective,” said Kirkland.

Almost 60% of organizations can’t track what happens to their information once it goes out in an email or through another communication channel, a survey by data security company Kiteworks finds. 

That’s a risk management problem because data breaches are correlated with how information leaves an organization.

The more communication tools an organization uses — email, file sharing, managed file transfer, secure file transfer protocol, web forms, among others — the higher the risk of information ending up where it wasn’t intended, the survey finds. 

“Respondents with over seven communication tools experienced 10-plus data breaches — 3.55x higher than the aggregate,” the survey report says. 

The risk is particularly high for organizations in North America because they’re the biggest users of multiple types of communication channels. 

“An astounding 80% in North America employs four or more tools,” the survey report says. 

High risk means high costs. There are costs stemming from the breach itself — operational downtime, diminished productivity and lost revenue — but also regulatory penalties and legal costs.  

For almost two-thirds of organizations, legal costs reach at least $2 million. The bigger the company, the higher the costs. The biggest companies — those with 30,000 or so employees — reported spending more than $7 million on legal matters after an incident.  

The connection between the number of communication tools and the higher risk of breaches can be seen in data on the number of outside parties that are on the receiving end of these communications. Two-thirds of organizations typically exchange sensitive information with 1,000 or more third parties, creating a tracking problem. 

“As organizations increasingly rely on digital communication and collaboration and their third-party ecosystems grow, the risks associated with data breaches continue to escalate,” Patrick Spencer, Kiteworks’ vice president of corporate marketing and research, said in the report.  

The biggest companies are the most at risk. A third of those with about 30,000 employees typically exchange sensitive information with more than 5,000 outside recipients. 

“Third-party risk has never been higher for organizations in all industries, and the necessity of exchanging sensitive content accentuates the threat,” the report says. 

The survey findings are based on responses from almost 600 risk and IT professionals in countries around the world.

Any data relating to a company on the dark web significantly increases that organization’s risk of suffering a cyberattack, a study by Marsh McLennan’s Cyber Risk Intelligence Center found.

Organizations that are mentioned in dark web market listings or that have compromised accounts on the dark web are more than twice as likely to experience an attack, according to a report on the findings.

“Cybercriminals plan their attacks on dark web forums, marketplaces, and in hidden communication channels, and the study has quantified the risk of each of these areas of dark web exposure for the first time,” Ben Jones, CEO of dark web intelligence firm Searchlight Cyber, which collaborated with Marsh McLennan, said in a press release.

Cybercriminals use the dark web to communicate among one another, plan their attacks, and buy, sell, and build the tools they need to execute them, according to the Marsh McLennan report.

Dark web intelligence is “highly correlated” with forthcoming cyber incidents, as well as cyber insurance loss frequency, the research found. 

“The first step has to be to gain visibility into your exposure on the dark web,” the report said. “Understanding where the organization is vulnerable is critical for informing defense and the value of pre-attack intelligence is that it creates an invaluable window of time for the security team to act before the network is breached.”

Marsh McLennan analyzed Searchlight’s dark web dataset against a sample of 9,410 organizations with an overall breach rate of 3.7% from 2020 to 2023 to determine whether there was a correlation between data breaches and findings on the dark web in the year before the incident.

The first of half of 2024 saw 1,571 data compromises, a 14% increase compared to the year-earlier period, according to an analysis by the Identity Theft Resource Center, a nonprofit organization established to support victims of identity crime.

In one high-profile example, AT&T in late March disclosed a massive data security breach impacting as many as 73 million current and former customers. The company said it determined that “data-specific fields” from the company were contained in a data set released on the dark web.

The compromised data varied by customer and account, but may have included full names, email addresses, mailing addresses, phone numbers, Social Security numbers, dates of birth, and AT&T account numbers and passcodes, according to a set of frequently asked questions published by the company at the time.

The incident triggered a flurry of proposed class action lawsuits. In June, the Judicial Panel on Multidistrict Litigation issued an order that consolidated the cases in the U.S. District Court for the Northern District of Texas.

Nearly half of U.S. businesses have suffered significant revenue loss due to a data security incident, according to survey results published last month by data protection company Arcserve.

One of the most effective ways to improve cybersecurity throughout an organization is to purchase cyber insurance. 

It won’t eliminate the possibility of a data breach, but because there are strict rules to gain approval during the underwriting purposes, an organization’s overall cyber posture automatically improves, according to research from Forrester. 

Despite the positive impact from cyber insurance, the Forrester study found just one-quarter of companies have a stand-alone cyber insurance policy. 

There are plenty of reasons why organizations continue to shy away from stand-alone cyber insurance. It could be that other insurance policies held by the company include some cyber coverage. But concerns around cost and coverage limits have also scared away potential buyers. 

Adding to the coverage gaps is the complexity of gaining coverage, with separate coverage for first and third party policies. 

“First party is an insurance policy that covers you for your loss. The third-party policy pays you to defend yourself against a third party and pays a third party if there is a judgment against you,” said Peter Hedberg, VP of cyber underwriting at Corvus Insurance, to an audience at the RSA Conference in San Francisco in May. 

The first cyber policies provided predominantly third-party coverage focusing on covering online media and computer errors, but in the 2000s, the exposures evolved to include data breaches, explained Emma Werth, RVP Underwriting at Cowbell Cyber, in an email interview. The need for first-party coverages emerged with the increased exposure to viruses, ransomware, and cybercrime. 

“Now, we’re seeing further evolution as we face the new exposure of AI,” said Werth.

New technologies shift coverage

AI is front and center in the race to recognize new technologies and connected devices at risk of cyberattacks. Organizations are trying to figure out how AI is being used and how to differentiate an attack caused directly by AI rather than as part of another attack or a rogue employee. 

It is a global change for everything, and even insurance companies are struggling to figure out how policies will cover AI.

“AI is going to affect every type of insurance because it is going to affect risk,” said Violet Sullivan, AVP solutions team leader at Crum & Forster, during the RSAC panel.

But cyber insurance is shifting its coverage outside of the corporate network and into a more personal realm.

“We have cyber [insurance] for autos now to protect against data breaches if an auto’s information system is compromised,” said Monique Ferraro, Cyber Counsel with HSB, during the RSAC panel. 

Personal insurance is also becoming more commonplace as more homes and businesses are using smart devices. Cryptocurrency insurance protects wallets and exchanges, and there is more attention for privacy protection.

The price of coverage

Cyber insurance procurement continues to be a lengthy process, but it is getting easier for companies to obtain. 

“Overall, we are seeing stronger cyber hygiene across the industry,” said Werth.

Even small and medium-sized enterprises with fewer controls are able to obtain insurance since measures like multifactor authentication, password managers or passwordless technologies and data backups have become standard for most businesses. 

It is also becoming more common for cyber insurance providers to partner with companies to help them strengthen their cyber posture during their policy lifecycle to become more cyber resilient.

Overall, prices of cyber insurance policies are either flat from year to year or decreasing. But there are exceptions to this. 

“Industry classes that have experienced headline events, e.g. healthcare technology; hospital systems, continue to see pressure on premiums and deductibles,” said Ryan Griffin, partner and head of U.S. cyber at McGill and Partners, in an email interview.

Ransomware is going to continue to be a sticking point in cyber insurance coverage and expense. It was only a year or two ago that getting coverage for ransomware was nearly impossible; however, the current trend is that payments for ransoms have dropped. 

The real problem is the costs of business disruption that comes with a ransomware attack, and that impacts costs and availability. 

The right insurance policy should align with the organization’s security policy, just as it would be for any other security vendor agreement. 

“Cyber insurance is one of the many tools in your toolbox. It’s one of the ways of mitigating risk,” said Sullivan.

Phishing is the leading initial-access vector for attacks in cloud environments, IBM X-Force said in its latest Cloud Threat Landscape Report. IBM’s latest findings are in line with a collection of other recent research from incident response firms and cybersecurity vendors about the prevalence and impact of phishing.

The mode of attack, which threat groups use to harvest credentials for systems and network access, accounted for one-third of all cloud-related incidents IBM X-Force responded to during the two-year period ending in June.

Threat groups most often use phishing emails to trick recipients into entering login information on malicious sites for adversary-in-the-middle attacks, IBM X-Fource found. AITM phishing is a more sophisticated form of a phishing attack that can bypass some forms of multifactor authentication, the report found.

The long-lasting effectiveness and success of phishing campaigns underscores the most central challenge in cybersecurity — people are the weakest link and credentials are the root of the problem.

An entire industry is built around training professionals to think twice before clicking a link in a text message or email that directs them to a login page asking for credentials. Yet, year after year, phishing remains the king of compromise.

Ultimately, organizations are responsible for defending their systems against attacks.

Valid credentials were the initial-access vector for 28% of all cloud-related incidents during the two-year period. Exploited vulnerabilities in public-facing applications were the third-most common initial access vector, turning up in 22% of all cloud intrusions, IBM X-Force said.

The top actions on objective, the avenues threat groups take to accomplish their goals, further illustrates the problem. X-Force said 2 in 5 incident response engagements over the past two years involved the abuse of cloud-hosted Active Directory servers to conduct business email compromise attacks, making it the top action on objective.

When attackers employ AITM phishing attacks to bypass MFA they put a proxy server between the target and legitimate service to collect credentials and tokens that victim’s generate after authenticating the session on a malicious page, X-Force researchers said.

Once this level of access is granted, threat groups can do whatever they want within that compromised application. Oftentimes, this results in downstream compromises when cloud resources share the same enterprise credentials, the report found.

While cybersecurity professionals and authorities resoundingly agree MFA in any form is better than single-factor authentication, the relentless wave of attacks in MFA-equipped environments shows the extent to which MFA defenses can crumble.

Phishing-resistant MFA aims to strengthen enterprise defenses against phishing attacks by limiting or removing user interaction. These advanced modes of authentication come in many forms relying on cryptographic techniques, such as private and public keys, the Web Authentication API specifications, biometrics or the FIDO2 standard.