Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: Ukrainian internet service providers are attacked, cyber insurance will get more expensive, and what board members should know about cybersecurity.
This week’s action: The 7 questions that board members should ask about cybersecurity.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1: As Russia Invaded, Hackers Broke Into A Ukrainian Internet Provider. Then Did It Again As Bombs Rained Down
“[Over recent days], with Russia continuing its heavy bombardment across Ukraine, parts of the country have seen severe internet outages. One cause appears to be a cyberattack on telecoms provider Triolan, which serves a substantial number of users across the country.
Three other sources within the company and a former cofounder of the business said a cyberattack had occurred, with one claiming some of Triolan’s internal computers had stopped working because the “attackers reset the settings to the factory level.” They added that recovery was proving difficult because some equipment required physical access to restore, which was not possible due to the risk of life to personnel.
A post on the company’s Telegram page revealed that the company had, in fact, been hacked twice. A source within the company said the first hack hit on February 24 as Russia moved tanks into the country, with the second on March 9, and that they had much the same effect.”
2: Cyber Risk Transfer will get more difficult and more expensive
“The number of ransomware attacks in the U.S. rose more than 300% during 2020 [..] One reason, say cybersecurity specialists who track ransomware threats, is that companies are too quick to pay the ransoms, relying on insurance policies for reimbursement. ‘The insurance company pays the ransom, the criminals make more money, so they make more ransomware, which leads to more insurance, which leads to more payment, and so we get into this vicious cycle,’ said Marty Edwards, vice president of operational technology security at cybersecurity company Tenable. Insurers say they aren’t the ones making the decision to pay a ransom—that responsibility lies with the client, and insurers are contractually obligated to comply. [..] Insurers are beginning to change their approach to cyber policies in response to the rise in claims and scrutiny of ransom payments. [As a contributor asked] ‘If you sell car insurance, and you constantly deal with people who leave their car unlocked and the keys in the ignition, would you keep dealing with them?’”
I am still amazed at the simplicity of cyber insurance policy application forms. When we apply for car insurance, we are asked numerous questions about our defences. It is inevitable that insurers will start asking similar questions about our cyber defences. As prices rise and cover becomes more limited, transferring the risk through insurance rather than mitigating the risk through better cybersecurity management may become less appealing.
3: Questions that Board Members should ask about cybersecurity
“Boards have a unique role in helping their organizations manage cybersecurity threats. They do not have day to day management responsibility, but they do have oversight and fiduciary responsibility [including managing business risks]. [..] Asking the smart questions at your next board meeting might just prevent a breach from becoming a total disaster.”
To figure out what to ask, read the Harvard Business Review article ‘7 Pressing Cybersecurity Questions Boards Need to Ask’. As well as the questions, it sets out the key things board members need to know about cybersecurity.
- It’s important to recognise that cybersecurity is about more than protecting data. Our organisations are more connected than ever, so an attack on the organisation or its business partners could cause major disruption and be difficult to keep from public view.
- The Board of Directors must ensure the organisation has a plan, but it’s not the board’s job to write the plan. The article recommends the NIST Cybersecurity Framework (with its 5 functions: Identify, Protect, Detect, Respond and Recover) as a good structure for board members to use when assessing the organisation’s plan.
- It also discusses ways to translate the language of the cybersecurity teams into the language of the board. “Directors do not need to become cyber experts (although having one on the board is a good idea). [..] Establishing clear, consistent communication to share useful and objective metrics for information, systems controls, and human behaviours. [And finally] directors asking smart questions of their cybersecurity executives” are all ways that the board can manage the business risk effectively.
1: 5,800
5,800 wind turbines in Germany and Central Europe were knocked offline as a result of a cyber-attack on a major satellite internet service provider.
“Due to a massive disruption of the satellite connection in Europe, remote monitoring and control of thousands of wind power converters is currently only possible to a limited extent,” said the German manufacturer, adding that there is “no danger to the wind turbines”, which continue to produce energy but can no longer be reset remotely if needed.
I have two questions: What does resetting a wind turbine mean, and what happens if you can’t reset it?
2: 60 minutes
60 minutes is how long it would take a hacker to crack an 8-character password through a brute-force attack. By comparison, a 12-character password generated by a password manager could take 3,000 years to crack. Figures like these assume an offline attack against a stolen password hash, and they move by orders of magnitude with the character set used, the speed of the hash algorithm protecting the password and the attacker’s hardware; the lesson that survives all of those assumptions is that each extra character multiplies the attacker’s work, so length from a password manager beats a short, complex password that a human has to remember.
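As an added example (not code from the newsletter or from the source it quotes), the following Python calculator shows where numbers like “60 minutes” and “3,000 years” come from: brute-force time is simply the size of the keyspace divided by the attacker’s guess rate. It goes beyond the two figures quoted by comparing character-set breadth against length, and a fast hash against a slow adaptive one. Every character-set size and guess rate below is an assumption for illustration, not a measured benchmark.

```python
"""Brute-force time as a function of character set, length and guess rate.

Added example; not code from the original newsletter or the article it cites.
All rates and character-set sizes below are assumptions for illustration.
"""
import math

# Size of the character set an attacker must search, per composition rule.
CHARSET_SIZES = {
    "digits only": 10,
    "lowercase": 26,
    "lowercase + uppercase": 52,
    "lowercase + uppercase + digits": 62,
    "all printable ASCII": 95,
}

# Assumed offline guess rates (guesses per second). The real figure depends on
# the hash algorithm protecting the password, the attacker's hardware and the
# cracking tool; these placeholders only illustrate the orders of magnitude.
ASSUMED_RATES = {
    "fast hash (MD5/NTLM class)": 1e12,
    "slow adaptive hash (bcrypt/Argon2 class)": 1e5,
}


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly this length."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Strength in bits for a password chosen uniformly at random, as a
    password manager does. A human-chosen password is usually far weaker."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every candidate; the expected time is half this."""
    return keyspace(charset_size, length) / guesses_per_second


def human_duration(seconds):
    """Express a duration in the largest unit that gives a value >= 1."""
    units = [
        ("years", 365 * 24 * 3600),
        ("days", 24 * 3600),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def length_vs_charset(charset_size, length):
    """Compare two ways of strengthening a password: adding four characters
    from the same set, or keeping the length but widening the set to 95."""
    return {
        "baseline_bits": entropy_bits(charset_size, length),
        "plus_four_chars_bits": entropy_bits(charset_size, length + 4),
        "full_ascii_same_length_bits": entropy_bits(95, length),
    }


def crack_time_table(lengths=(8, 12, 16), charset="all printable ASCII"):
    """Rows of (length, rate name, worst-case time) for one character set."""
    size = CHARSET_SIZES[charset]
    rows = []
    for length in lengths:
        for rate_name, rate in ASSUMED_RATES.items():
            rows.append((length, rate_name,
                         human_duration(seconds_to_exhaust(size, length, rate))))
    return rows


if __name__ == "__main__":
    for length, rate_name, duration in crack_time_table():
        print(f"{length:2d} chars | {rate_name:40s} | {duration}")
    print(length_vs_charset(26, 8))
```

Two things the table makes visible that the headline numbers hide: the same 8-character password that falls in hours against a fast unsalted hash takes millennia in this model behind a slow adaptive hash, and a 12-character lowercase password carries more bits than an 8-character password drawn from all 95 printable characters, so length is the cheaper lever.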
1: If you are a board member, ask these 7 questions
One of the articles that I mentioned earlier is from the Harvard Business Review. If you are a board member or a senior manager, you should read it.
You may not be a cyber-expert, but the 7 questions recommended by the authors are easy to understand and could reveal gaps in your organisation’s defences:
The 7 questions are:
- What are our most important assets and how are we protecting them?
- What are the layers of protection we have put in place?
- How do we know if we’ve been breached?
- What are our response plans in the event of an incident?
- What are our recovery plans in such an incident?
- What is the board’s role?
- Are we doing enough?
If you need someone to talk to the board or you just need a bit of 1:1 guidance, give me a call.