Can You Hack It?

Trends, tests, and tactics for companies looking to stay protected in an evolving cybersecurity landscape. // Photo by Emily Crombez
Kathy Weaver
Kathy Weaver is the market leader for Aon in Michigan. She leads a local team of commercial risk and human capital professionals. In her role, she supports Aon colleagues in leveraging the local and global experts of Aon, in partnership with clients, to help make better business decisions. Chetan Bhatia is a managing director of cyber resilience and engagement management within Aon’s global cyber solutions practice.

Cybersecurity is hardly a new topic, but given the speed with which increasingly sophisticated cybersecurity threats are evolving and proliferating, the security landscape is necessarily becoming more complex.

The best cybersecurity partners are no longer just a few tech-savvy individuals. Leaders in this space include not only cybersecurity experts, but cyber actuaries, insurance claims experts, financial fraud specialists, attorneys, former law enforcement personnel, digital forensics and incident response experts, threat intelligence professionals, and penetration testers.

The best protection today blends front-line advisory and testing support with specialized expertise to help companies develop a continuous understanding of risk, mitigate that risk, recover from exposures or incidents, and transfer residual risk to minimize financial and operational damage.

Making sure security measures are current and sufficiently robust to address today’s risks is often tricky — which is why penetration testing from “white hat” hackers and security professionals is a common tool in the cybersecurity arsenal.

External (remote) and internal penetration testing are highly effective ways to identify vulnerabilities bad actors could exploit, and to evaluate how well a company's people, processes, and technology detect and withstand emerging threats.

But aligning cybersecurity strategy and investments with the many thousands of known attack techniques is an increasingly expensive and impractical proposition. There are simply too many threats to assess them all, especially given budgetary realities.

The pace at which attackers are evolving their tactics, techniques, and procedures (TTPs) is simply too fast for even the best security leaders to keep up with. One emerging answer is adversary simulation (often called breach and attack simulation): technology that safely replays thousands of the latest adversarial techniques against a company's endpoints, network, email system, database environment, and more, and records which of those techniques its detection and protection controls actually caught or blocked.
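To make the idea concrete, here is an added example (not a product or code from Aon, and not part of the original article) of the core loop an adversary simulation runs: a catalogue of techniques, each with the telemetry it would generate, is replayed against a set of detection rules, and the result is a per-technique verdict plus a coverage figure and a list of gaps. The technique IDs are MITRE ATT&CK identifiers; the Sysmon-style log lines and the three regex detection rules are constructed for the example and are not real vendor content.

```python
"""Miniature breach-and-attack-simulation harness (added example).

Each Technique carries the telemetry a real simulation agent would produce
when it executes that technique on an endpoint. Here the telemetry is
constructed inline so the script runs offline; a real tool would collect it
from the EDR/SIEM after executing the technique.
"""
import re
from dataclasses import dataclass


@dataclass
class Technique:
    tid: str          # MITRE ATT&CK technique ID
    name: str
    telemetry: list   # constructed log lines this technique would emit


# Hypothetical detection rules, keyed by rule name. In practice these would be
# the SIEM/EDR rules under test; here they are simple regexes over log lines.
DETECTION_RULES = {
    "encoded_powershell": re.compile(r"powershell(\.exe)?\s.*-enc(odedcommand)?\s", re.I),
    "lsass_access": re.compile(r"TargetImage=.*\\lsass\.exe", re.I),
    "new_scheduled_task": re.compile(r"schtasks(\.exe)?\s+/create", re.I),
}

# Constructed technique catalogue with Sysmon-style telemetry (sample data).
TECHNIQUES = [
    Technique("T1059.001", "PowerShell with encoded command",
              ["CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"]),
    Technique("T1003.001", "LSASS memory access",
              ["SourceImage=C:\\Windows\\Temp\\procdump.exe "
               "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010"]),
    Technique("T1053.005", "Scheduled task persistence",
              ["CommandLine=schtasks.exe /create /sc minute /mo 5 /tn Updater "
               "/tr C:\\Users\\Public\\u.exe"]),
    Technique("T1070.004", "File deletion to cover tracks",
              ["CommandLine=cmd.exe /c del /f /q C:\\Users\\Public\\u.exe"]),
]


def evaluate(techniques, rules):
    """Return {technique_id: [rule names that fired]} for every technique."""
    results = {}
    for t in techniques:
        fired = sorted(
            name for name, rx in rules.items()
            if any(rx.search(line) for line in t.telemetry)
        )
        results[t.tid] = fired
    return results


def coverage(results):
    """Fraction of simulated techniques that triggered at least one rule."""
    if not results:
        return 0.0
    detected = sum(1 for fired in results.values() if fired)
    return detected / len(results)


def gaps(results):
    """Technique IDs that produced no detection at all: the blind spots."""
    return [tid for tid, fired in results.items() if not fired]


if __name__ == "__main__":
    res = evaluate(TECHNIQUES, DETECTION_RULES)
    for t in TECHNIQUES:
        verdict = ", ".join(res[t.tid]) or "NOT DETECTED"
        print(f"{t.tid:<10} {t.name:<32} {verdict}")
    print(f"coverage: {coverage(res):.0%}  gaps: {gaps(res)}")
```

With the sample catalogue the harness reports three of four techniques detected and flags T1070.004 as a gap, which is exactly the output a security team would feed back into rule tuning. The value of the approach is that the catalogue can be refreshed as new TTPs appear, so coverage is re-measured continuously rather than once a year.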

For now, penetration testing remains an effective and extremely valuable tool to identify blind spots, stress test systems, and evaluate security monitoring.

Matter of Policy
Cyber insurance is an underappreciated piece of a robust cybersecurity program: a way to both mitigate and transfer cyber risk. If risk materializes in the form of a ransomware attack, for example, it can have a devastating impact on an organization, with costly and even crippling ramifications.

The price tag in such a scenario may include costs for digital forensics and investigation, legal services, potential restitution and litigation for privacy/liability issues, and productivity losses.

Cyber insurance protects company balance sheets from that financial exposure, while often providing access to an entire ecosystem of vetted expertise from forensic experts, communication professionals, and legal and logistics support. Cyber insurance companies also help prepare clients by making sure their cybersecurity hygiene follows best practices.

Beyond IT
Decision-makers are recognizing that optimizing cybersecurity is an enterprise-wide mission; it isn’t just the IT department’s responsibility. With so much at stake, legal and finance also should be involved in managing risk and informing cybersecurity decision-making.

Human resources plays a significant role, too, in ensuring all team members understand the organization’s cybersecurity culture generally, and best practices and protocols specifically — as well as managing employee security awareness training.

Top-tier cybersecurity firms work with businesses in virtually all industries. They see sophisticated clients and far more vulnerable companies alike fall prey to hacking and cyberattacks.

In recent years, adversaries have been more intentional about targeting businesses and industries with less regulation (e.g. construction or manufacturing), or where cybersecurity tends not to be top of mind and protections may not be as robust.

Proliferating Threats
While insider threats and human error will likely continue to present the most significant threat, cybersecurity threats are evolving. Attacks driven by AI and machine learning will become increasingly problematic as bad actors use these technologies to automate and scale their attacks in ways that bypass many traditional security measures.

With growing numbers of connected devices in an IoT world, the attack surface is expanding, and criminals will have more newly vulnerable targets to exploit. Increasingly convincing deepfakes and misinformation will be used for social engineering and fraud.

Quantum computing may eventually break the public-key algorithms (such as RSA and elliptic-curve cryptography) that underpin today's encryption and digital signatures, which is driving the adoption of quantum-resistant (post-quantum) methods now rather than later, since data captured today can be decrypted once such machines exist. Cyberwarfare and sponsored attacks from nation-states will target intellectual property and sensitive data.

Supply chains will remain a target, with bad actors compromising third-party vendors and software providers to reach the many downstream organizations that depend on them.

In this evolving threat environment, organizations need to not only continue to invest in employee security training, awareness, and robust controls, but they should stay informed and engaged to make sure their cybersecurity protections are sufficient to meet the challenges of increasingly sophisticated tactics and technologies.