CEOs in large enterprises are feeling the heat from board members to adequately defend companies from cyberattacks, according to a sponsored panel at the Black Hat Conference. Moreover, those CEOs are pressuring their SME vendors to up their security game as well.
The all-CEO panel included Kurtis Minder of Groupsense, a cyber reconnaissance company; Ritesh Agrawal of Airgap Networks, which develops ransomware defence technologies; and Sidd Gavirneni of cyber insurance company Zeguro.
Security is board-level now
“This (security) is a board-level topic. CEOs are definitely involved hands on,” said Agrawal. “CEOs have no choice … because the board is demanding clarification. Investment firms are demanding that their portfolio company CEOs give them a report on what their ransomware readiness is.”
Minder said it isn’t just board and investor pressure; public pressure is growing as well. “The public nature of the Colonial Pipeline hearings brought that home for a lot of the CEOs,” he said.
He added that CEOs are realizing that ignorance of the depth of the problem has made companies dangerously complacent. “I am finding in the actual practice of ransomware responses, many of them weren’t ready. They were told their Incident Response Plan was solid, or their business continuity plan would cover it. But there are items specific to a ransomware incident that weren’t part of either one of those plans. While they’re more cognizant and starting to ask the right questions in the boardroom, they’re caught flat-footed during the actual incident.”
Down the supply chain, SMEs are a bigger target for cybercrime because they lack the security resources and manpower of the companies they sell to, said Gavirneni. “Companies with less than 500 employees, we don’t see that much of an involvement upfront from CEOs. When you’re a small company, your whole goal is to get some revenue. So (security) is an afterthought.”
However, he said pressure from large customers is changing that. Large enterprises want to ensure that their vendors and suppliers are thinking about security. “But in the SME space, we don’t really see a proactive effort by CEOs to protect against ransomware.”
Minder jumped in on that comment in agreement. “Ransomware for small to medium businesses is a little bit like COVID in the early days, where people were like, ‘I don’t know about this COVID thing. It’s probably not real,’ or ‘That’s not gonna happen to me.’”
Minder said that was the attitude of the Colonial Pipeline CEO. Now, after the fact, the company is on high alert.
All three panellists said 90 per cent of the problem on the SME level could be solved with just proper digital hygiene. “Basic hygiene is going to cover nine out of 10 times,” said Agrawal. “When it comes to cybersecurity, if you’re better than other enterprises, chances are you’re probably much safer already.”
Agrawal explained that attackers are looking for an easy return on investment: “They have their own venture capital firm and they are investing in each other as well.” If a target makes itself more expensive to breach, the attack isn’t going to get a green light.
One stopgap for companies has been cyber insurance, said Gavirneni, but that isn’t going to be as simple as it has been.
“More businesses are asking for cyber insurance,” he said. “At the same time, the premiums are going up drastically. In the first quarter alone, premiums went up by 20%. Insurance companies are getting stringent on what they cover and how much they cover. They are looking for more security, best practices in place and tools and technologies in place.”
Gavirneni said more SMEs are being required by customers to carry cyber insurance, with coverage of up to $5 million. But insurance companies are refusing to provide it without significant work on basic hygiene.
Don’t go it alone
Agrawal said companies need to outsource whatever they are not capable of. “Don’t tackle this yourself, especially if you’re a small business. Go to the cloud. Get all the services delivered from the pros that know what they’re doing.”
He said that even large businesses, whose networks are more complex, should consider outside resources rather than taking it on themselves, because their deployments are extremely complex. “As the industry rapidly moves toward cloud migration of even the infrastructure, few enterprises will have the internal resources to properly handle security.”