‘Cyber Maturity’ a Key to Surviving Ransomware, Phishing Attacks

    Kate Kuehn was on a plane not long ago chatting with the wife of the owner of a concrete company. The woman was talking about how she was going on a trip that was bittersweet because her husband was selling the company.

    Kuehn, engaging the woman in a little airplane small talk, asked the woman why the trip was bittersweet.

    She said, “We had a (cybersecurity) attack and we don’t know how to protect the company. We had to sell the company because we can’t keep up with all the changes regarding cyber.”

    Turns out someone in the company had sent a business-related email that wasn’t protected, and hackers executing a ransomware scam got hold of company information and ransomed it for $2 million.

    The story hit home for Kuehn, a 25-year veteran of the cybersecurity field since her early days working for Verizon on some of the first major cyberattacks against financial networks.

    “They ended up having to pay the ransom, but between putting the proper controls in to make sure it didn’t happen again and the insurance and all the things that needed to be put into place they felt it wasn’t worth staying in business,” said Kuehn, Managing Director in Cyber Solutions at Aon, a leading global professional services firm.

    It’s not an uncommon tale. Kuehn said there’s been an increase in such incidents lately, particularly in the two most common attacks:

    • Ransomware, where they’re trying to extort money; and
    • Phishing attacks, where the hackers are trying to get data or information or back doors either to execute ransomware or execute data infiltration.

    According to Verizon’s 2022 Data Breach Investigations Report, ransomware attacks increased by nearly 13 percent. According to the report, that’s as big an increase as the last five years combined.

    “It’s not a question of ‘if’ you’re going to be breached, it’s a question of ‘when,’” Kuehn said. “Whether it’s you or your HR company or your supply chain … there’s going to be a breach.”

    Kuehn said hackers are getting more sophisticated, and they’re targeting largely midsize businesses lately.

    The problem for most organizations, she said, is that these cyber attacks can be “very difficult to recover from.”

    “The average statistic right now for a midsize business that has a major cyber catastrophe will go out of business in 48 hours,” Kuehn said. “If they don’t go out of business, the reputational damage can be catastrophic.”

    Kuehn offered her perspective on a variety of issues associated with – and solutions for – cybersecurity attacks:

    Corp! Magazine: Who is committing these attacks?
    Kate Kuehn: There are 5 types of threat actors:

    • ‘Hacktivists’ – People who think they’re hacking for the greater good, that they’re doing something to make a social or political impact.
    • Criminals – The ones who are doing it for purely financial gain.
    • Threat actors linked to government – Like the Russians, the Chinese and the Iranians, and there are hacking groups doing it as scare tactics, for financial gain, or for disruption.
    • The ‘script kiddies’ and the ones who are doing it for fame and glory, the original hackers.
    • In the middle of it you have the actors who click on something and do something stupid. They actually make up about 50%.

    Kuehn said having someone inside the company make a mistake isn’t that unheard of.

    “Even if you open your own email box you’re going to have emails … I get them every day, like I get one from Dick’s Sporting Goods that says I’ve won (something), and it looks real,” she said. “But then I look at the (sending) address and it’s from Tom[email protected]. Do we really think Dick’s Sporting Goods is using [email protected]? No.”

    Corp!: What does a company do to start addressing the issue?
    Kuehn: One thing is to understand the maturity of your organization. Are your employees and your executives mature in their cyber understanding? Are they in denial that it’s not going to happen to them?

    Do you have good defenses, or maybe are you over-confident that you have too many defenses? Or have you had an issue and lessons learned?

    It’s taking the time to understand and work with your IT team and your partners, your technologists to go through … what are your assets that you need to keep safe day in and day out? What’s it going to take to do that? Then you need to think about … what are the things you should be worried about, and should you put some budget toward that?

    Then you want to think about if you really want to look at the (possible) catastrophes, the big things, and execute things as far as innovating with your cyber insurance or other policies to protect that if a really bad attack does happen, you have at least base controls in place and mechanisms to support the business.

    Corp!: How does a business leader do all of that?
    Kuehn: Cyber plays in all areas of risk, so you should … think about the impact it would create if something should happen. There are awesome organizations – Aon is one of them, but there’s lots of them – that can help you with this.

    Make sure you’re being assessed regularly. Think about how you can educate your employees on base levels of control – don’t click emails that look funny. If someone is sending you a request for gift cards or a money transfer and they’ve never done it before, pick up the phone and ask them if it’s really from them.

    Just be more aware of your surroundings. That will mitigate almost 50% of the cyber threats we see out there.
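    The two red flags Kuehn calls out above (a sender address that does not match the brand in the display name, and a first-time request for gift cards or a money transfer) can be turned into a simple triage check. This is an added example, not code from the article or from Aon; the sample messages and the `.example` domains are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample messages (From header, body) for illustration only.
SAMPLES = [
    ("Dick's Sporting Goods <promos@dickssportinggoods.example>",
     "Your order has shipped."),
    ("Dick's Sporting Goods <tom@freemail.example>",
     "Congratulations, you have won! Click to claim."),
    ("Acme CEO <ceo@acme.example>",
     "I need you to buy gift cards today and send me the codes."),
]

# Phrases Kuehn singles out as unusual requests that deserve a phone call.
UNUSUAL_REQUESTS = ("gift card", "money transfer", "wire transfer")

def brand_tokens(display_name):
    """Lower-case words of three or more characters from the display name."""
    return {w for w in re.findall(r"[a-z0-9]+", display_name.lower()) if len(w) > 2}

def sender_mismatch(from_header):
    """True when the display name claims a brand that the real sender domain
    does not reflect, e.g. a retailer's name over a free-mail address."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return True                      # no usable address: treat as suspicious
    domain_label = addr.rsplit("@", 1)[1].lower().split(".")[0]
    tokens = brand_tokens(name)
    if not tokens:
        return False                     # nothing claimed, nothing to contradict
    return not any(t in domain_label for t in tokens)

def unusual_request(body):
    """True when the body asks for gift cards or a money transfer."""
    text = body.lower()
    return any(phrase in text for phrase in UNUSUAL_REQUESTS)

def triage(from_header, body):
    """Return the list of red flags raised for one message (empty = none)."""
    flags = []
    if sender_mismatch(from_header):
        flags.append("sender domain does not match display name")
    if unusual_request(body):
        flags.append("unusual payment request: verify by phone")
    return flags

if __name__ == "__main__":
    for hdr, body in SAMPLES:
        print(hdr, "->", triage(hdr, body) or ["no flags"])
```

    A flag is a prompt to pick up the phone, as Kuehn advises, not proof of fraud; a legitimate sender using a third-party mail domain will also trip the first check.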

    Corp!: How important is it to have insurance against cybersecurity attacks?
    Kuehn: Cyber insurance is incredibly important. You wouldn’t drive a car without insurance, so why would you operate technology in a business without insurance? It’s just new and novel, and we’re used to insurance being on tangible things. The issue with cyber insurance is you’re insuring against something you can’t touch, feel or smell.

    Corp!: How does media attention affect things? Is that what hackers are looking for?
    Kuehn: When you look at it, the media attention can be driven two ways. You may have an organization that’s looking for some fame or a social cause or something else, or a nation state that’s looking to create some disruption and fear. The Momo attacks a couple years ago were a huge lesson in … how much fear a hacking group could instill.

    On the other side, the media can be used as a tool to really teach the average person some tricks and tips on how to stay safe. It’s a double-edged sword. From a reputational standpoint, if you have a breach and you get put in the media for it, it can damage your brand almost to an unrepairable level.

    Corp!: What do business leaders do to facilitate cyber safety?
    Kuehn: The first thing is to educate yourself. I’m not asking them to understand ‘red team, blue team, purple team’ … but I do think they should understand what the assessments are telling them and where they should be spending their money.

    The CEO sets the tone. If the CEO takes the cyber training and helps facilitate the tabletops and looks at the assessments and invests in their cyber culture, the rest of the organization will follow, and the cyber maturity of the organization will increase. You don’t have to be an expert. You can be a novice, but you have to understand your role within cyber culture preparedness.