Plain English Cyber in 3 articles, 2 numbers and 1 action.

This week: Cyber insurance cover continues to reduce, Bank of America begins training high schoolers to be cybersecurity experts, and a security flaw in a WordPress plugin exposes 140,000 websites.

This week’s action: Who is minding your shop front?

If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.


THREE ARTICLES


1: Cyber insurance cover continues to reduce

What? Computer Weekly reports that “Insurance market Lloyd’s of London has indicated that it will [..] exclude “catastrophic” nation state cyber-attacks from cyber insurance policies from March 2023. [Lloyd’s have said that] the ability of nation state-backed threat actors to spread their attacks quickly and easily and the critical dependencies that societies now have on digital infrastructure meant that the losses that could arise ‘have the potential to greatly exceed what the insurance market is able to absorb’.”

So what? Cyber insurance can play a key part in your organisation’s ability to recover from a cyber-attack, especially in terms of the immediate financial impact. However, the scope of cover is reducing and premiums continue to increase. Therefore, it is important to recognise that having a cyber insurance policy does not replace the need for effective security defences. As a contributor says in the Computer Weekly article, “Someone might insure their car, but still obey the speed limit, wear a seatbelt and avoid drinking and driving [..] In other words, despite being insured, they take additional preventative measures to ensure the risk [is minimised]”.

Read more: https://www.computerweekly.com/news/252524057/Lloyds-to-end-insurance-coverage-for-state-cyber-attacks

2: Bank of America begins training high schoolers to be cybersecurity experts

What? Many organisations are facing ongoing challenges filling cybersecurity vacancies. One bank, Bank of America, is working with the Liberty Science Center in Jersey City, New Jersey, to try to develop new talent through educational programs in high schools. “The two organizations are launching a two-year pilot called High Schools of the Future, which they built over the course of 18 months with the input of educators, industry experts on job training and analysts who focus on workforce trends.”

So what? As I have reported previously, for every two cybersecurity vacancies that are filled in the US, a third remains unfilled due to the lack of talent. BoA is just the latest in a long line of organisations that are now trying to solve the problem. Apprenticeships may be coming back into fashion.

Read more: https://www.americanbanker.com/news/bank-of-america-begins-training-high-schoolers-to-be-cybersecurity-experts via ISACA.

3: Security flaw in a WordPress plugin exposes 140,000 websites

What? WordFence, a security service provider for WordPress websites, recently reported a vulnerability in a WordPress backup plugin called BackupBuddy. The vulnerability could have enabled a bad guy to download arbitrary files from an affected website, including files that are never meant to be served to the public.

So what? This is a reminder that you must not forget your website when it comes to cybersecurity. Of course, it is important to keep your internal systems, servers and laptops secure, but you should also invest time and effort in keeping your website secure. After all, it is your shop front. Creating a fancy new website is one thing. Keeping the software that runs this new website up to date is a different thing. I discuss this in more detail in this week’s action.

Read more: https://www.wordfence.com/blog/2022/09/psa-nearly-5-million-attacks-blocked-targeting-0-day-in-backupbuddy-plugin/

TWO NUMBERS


1: 34.8 million

What? According to BuiltWith, the internet monitoring service, this is the number of live websites on the internet that are built with WordPress.

So what? With almost 35 million websites relying on WordPress, including almost 30% of the world’s top 1 million websites, it is inevitable that it will continue to get the attention of the bad guys. WordPress is not inherently secure or insecure. As with any software or platform, it comes down to the ongoing efforts of coders to write secure code and the ongoing efforts of site owners to install the latest version of this code and to actively monitor the security of their sites (helped by security tools such as WordFence and the many alternatives).

Read more: https://trends.builtwith.com/cms/WordPress

2: 4.9 million

What? The number of attacks targeting the BackupBuddy vulnerability that WordFence blocked in a 12-day period.

So what? I assume that only a small percentage of WordPress websites are protected by a security plugin such as WordFence, so this figure of 4.9 million attacks in a 12-day period is an underestimate of the total number of attacks being launched against WordPress websites. And WordPress only represents 30% of the total market, so the total number of attacks against all websites is clearly astronomical. If you are not keeping your website’s software up to date and not protecting it with active security layers, you could be seriously exposed.

Read more: https://www.wordfence.com/blog/2022/09/psa-nearly-5-million-attacks-blocked-targeting-0-day-in-backupbuddy-plugin/

ONE ACTION


1: Who is minding your shop front?

What? As this week’s numbers show, the bad guys are attacking websites on a 24/7 basis, looking for ways to gain access. If they gain access, the best you can hope for is that they ‘only’ deface your beautiful shop front and cause you some immediate business disruption and long-term reputational damage. Alternatively, they may use this access to steal your data, redirect customer payments away from your bank account, or leverage your site to attack your clients and prospects.

So what? When you are thinking about your cybersecurity defences, do not forget your website. You need to ensure someone is responsible for keeping all of its software up to date and for monitoring alerts from the security tools that should be actively protecting your site. Do not assume that your website hosting provider or your web designers are doing this. I can almost guarantee that they are not, unless you have a contractual agreement in place that pays them to perform these activities. If you are unsure about your website’s health, there are plenty of free testing tools to give you some insight – e.g. Beagle Security, Security Scorecard, and Pentest Tools.