Oct 17, 2018 8:56:00 AM

Six Considerations for Purchasing Cyber Insurance

In our most recent blog post, Brad Pierce discussed what a cyber insurance policy is not. It is not a savior in the wake of a data breach. It is not a replacement for proactive, resilient security measures. What it is, however, is one component of an effective incident response strategy. In this post, I would like to take the time to discuss the considerations organizations should weigh when purchasing a cyber insurance policy.

Topics: Cyber Insurance

Oct 15, 2018 9:00:00 AM

Attack Surface Ep. 1: Three Strategic Investments for Your IT Shop

Join HORNE Cyber’s marketing director, Ashley Madison, as she sits down with Mike Skinner and Brad Aldridge to discuss “Three Strategic Investments for Your IT Shop” on Episode 1 of Attack Surface: The Cybersecurity Podcast for the Want-To-Know Organization.

Topics: Podcast, Executive Insights

Oct 3, 2018 8:55:29 AM

What Cyber Insurance Is Not

The topic of cybersecurity insurance seems to be on the radar of most organizations I speak with. There are a lot of questions around how much coverage is needed and what exclusions one should be on the lookout for when purchasing a policy. I usually try to use this as an opportunity to talk about what a cyber insurance policy is not, and I’ll get to that later.

Topics: Cyber Insurance

Sep 25, 2018 9:30:00 AM

Developing an Incident Response Strategy: Preparing for the "What Ifs"

When we think about the impact of an unexpected event, it often leaves us with a mix of emotions, and in many cases those emotions are not pleasant: panic, stress, feeling vulnerable, or lacking control over the world around us. All too often we see clients experience these feelings during and after a cybersecurity incident. Cybersecurity incidents are treated as "what ifs" and too often are not measured as a strategic threat. An unexpected cybersecurity incident promises negative impact and can be catastrophic to an organization. So, what can you do? How can your organization be more resilient? How can you better prepare, and experience calm in a time of crisis?

Topics: incident response

Jul 25, 2018 9:30:00 AM

Cybersecurity & Blockchain: What You Need To Know

If you have turned on the TV or been on the internet then most likely you have heard the term "Blockchain". As one of the hottest buzzwords in the tech industry today, it promises to open new ways of doing business and allows strangers to trust each other. In fact, blockchains are already doing these things and will only continue to increase in prominence and importance.

Topics: blockchain

Jul 17, 2018 9:30:00 AM

Speaking in Vegas: DEF CON 26 & Black Hat USA 2018

Photo: shot by Wesley McGrew in Las Vegas in 2017.

The most important gathering of hackers and security professionals each year is held in the dry heat of Las Vegas' summer. It started in 1993 with DEF CON and has grown into a week-long series of concurrent and complementary conferences, meetings, parties, and events where information security researchers share their latest findings, practitioners network, and IT staff attend to learn about protecting their own companies' networks. The original conference of the set, DEF CON, remains cash-only at the door, with no ID required, allowing both security professionals and the hacking underground to meet without pretense, break bread, and exchange ideas. More than a little actual hacking goes on as well.

Topics: black hat USA, DEF CON

Apr 18, 2018 9:30:00 AM

Coping with Ransomware Fatigue

Ransomware attacks have increased significantly in both number and financial impact. According to the FBI, the cost of ransomware attacks over the past few years has reached into the billions of dollars, with the total impact doubling each year. Ransomware attacks can be the result of widespread malicious software, like the high-profile "WannaCry" outbreak, or the end goal of very targeted attacks launched against your organization by threat actors that have already compromised your servers or your users' workstations.

Topics: ransomware

Mar 13, 2018 9:09:30 AM

High Expectations for Service, With Reverse Engineering

A cornerstone of a cybersecurity firm is its "reverse engineering" capability. It is a necessary part of responding to breaches and keeping up with the state of the art in threats, and it extends the coverage of penetration testing and red-team engagements. While it separates leaders from followers in the industry, very few business stakeholders have had the opportunity to learn what "reverse engineering" means, how it can be a measure of a security service provider's capability, and how such services can directly benefit an organization.

Topics: cybersecurity, digital forensics, Penetration Testing, data security, information security, incident response, ransomware, Malware, Executive Insights, advanced penetration testing

Mar 6, 2018 10:30:00 AM

Choosing the Right Security Option for Your Organization

Cybersecurity in layers has been the go-to security model for some time now. There is no single solution that will properly secure your organization's network and sensitive information. In today's environment, it takes an orchestra of teams, tools, and active threat detection and prevention operations to properly secure your organization from an attacker. It has become very clear that traditional layers, such as anti-virus, firewalls, and monitoring tools, are simply not enough. Attack emulation is a critical security layer that not only focuses on known vulnerabilities but also shows what a real attacker could do to your organization. If you are serious about finding your organization's security weaknesses and resolving them, you are likely going to need help from a third party.

Topics: Executive Insights, cybersecurity, Penetration Testing, advanced penetration testing, Security Budget, Good Enough Cybersecurity

Oct 3, 2017 10:26:00 AM

The Cybersecurity Industry: Ignorance is Bliss

As I’ve pointed out before, the greatest threat to cyber security that organizations face today is the cybersecurity industry itself. I’ve long noticed that every business advisory firm in the country is now offering “penetration testing”, even as a critical industry talent shortage points to that not being possible. All you have to do now is buy a $2000 license for a vulnerability scanning tool, send an employee to a two-week training, and BOOM you have a “penetration tester.” 

Topics: Executive Insights, Good Enough Cybersecurity

Jul 18, 2017 10:34:00 AM

Cybersecurity and Construction: Can a Breach Happen to Me?

As a contractor, if you think that cyber attacks “will never happen to me”, it’s time to reconsider your stance. Construction companies are an attractive target for a wide variety of cyber criminals, and the attackers are becoming more active and aggressive. Despite what you read in the news, hacking is not limited to political scandals and major retailers. It’s no longer a question of “if” you will be breached—the question is “when?”.

Topics: Construction, cybersecurity

Jun 13, 2017 10:03:00 AM

Why an Engaged C-Suite Matters in Improving Cyber Security

In a recent article, I talked about how the C-Suite can get past not being technical and take an offensive mindset toward cyber security. I think the big message there was to get involved. Part of the responsibility of an organization's IT leadership and consultants is to provide logical explanations of the threats and vulnerabilities that exist and how they can impact the confidentiality, integrity, and availability of the organization's operations, and the C-Suite should want to hear about it. It is also important to understand the level of effort it takes from your team to mitigate and remediate threats and vulnerabilities, so that you can begin to evaluate whether you need to make a decision such as realigning staff or finding a third-party partnership.

Topics: Executive Insights

May 30, 2017 10:11:00 AM

Cyber Security Silver Bullet: If It Seems Too Good to be True, It Probably Is

I’ve said it before and I’ll keep on saying it: The greatest threat to cyber security could likely be the cyber security industry itself and the “good enough” mindset.

Topics: Executive Insights

May 23, 2017 10:14:00 AM

There’s Simply No Such Thing as “Good Enough” in Cyber Security

History tells us that there comes a time when almost every new, innovative service starts to lose ground to a "good enough" competitor. In fact, many of the products we buy are much cheaper than the original models because competitors cut corners to make something that is good enough to fit our needs at a lower price. As a director of operations, I can fully appreciate a lower-priced option that still fits the needs of my organization.

Topics: Executive Insights

Apr 13, 2017 10:08:00 AM

Don’t Let Cybersecurity Wag the Dog

When “the tail is wagging the dog”, you know that something has gone wrong. Priorities are not straight, and a part of the system does not understand its role. Providers of offense-oriented security services, such as penetration testing and red team engagements (which I’ve described in previous articles), often make draconian recommendations that, in pursuit of least effort, wind up impacting your ability to do business. When you get these recommendations, you should ask yourself: Is this vendor acting like a partner in my business, or are they content with it being inhibited as a result of their recommendations?

Topics: cybersecurity, data security

Mar 23, 2017 10:03:00 AM

Cyber Security for the Road Warrior

In my previous columns, I’ve been describing the benefits of having offense-oriented testing performed on your company’s network. This time around, I want to give some advice for the road warriors among you. Many of you have to travel for work, and present an attractive target to cyber criminals that want to steal trade secrets, customer information, or even infect your system in a way that puts your network at risk when you return to the office. You can, however, work on the road in a much more secure way, armed with some basic precautions and awareness.

Topics: cybersecurity

Mar 9, 2017 9:42:19 AM

Why "I'm Just Not Technical" is No Longer an Excuse in the C-Suite

I cannot tell you how many board presentations and meetings I have been in where I heard "I am just not technical". Not being "tech savvy" is no longer a valid excuse for not understanding the threats your organization faces and what needs to be done to protect against them. If you are part of the budgeting, decision-making, or approval process for technology in your organization, you have no choice.

Topics: cyber risk

Mar 2, 2017 10:00:00 AM

How Much Should You be Spending on Cybersecurity?

We often hear clients and prospective clients asking “how much should I be spending on cybersecurity?” That is a very complex question and one that is not easily answered without first having an understanding of what is meant by cybersecurity. There are many different versions of cybersecurity being pushed in the market and there is no "one size fits all" solution despite what your vendor may tell you. The key is in spending for what is right for your organization, not simply deciding that a set percentage should be spent on these solutions. Below are some key questions that you should ask of yourself:

Topics: IT Budget

Feb 23, 2017 10:05:00 AM

Their Breach is Your Breach

When you're catching up on the news, it has become all too common to see stories about new breaches, resulting in the theft of customers' personal and financial information from businesses of all sectors. If you're a regular reader of my column, you've probably gotten past the fallacy of thinking "that can't happen to me", but there is still something very detached about it all. Even when you get a letter or email notifying you that your information has been stolen from an online service you use, it happens so often that you have a hard time seeing the urgency.

Topics: password security, password reuse

Feb 16, 2017 10:25:45 AM

Don't Let Cyber Risk Derail Your M&A Deal

Headlines around hacking and data breaches have become a regular occurrence over the last few years. When a business loses the trust of its customers, it can be nearly impossible to win it back. Cybersecurity, or the lack thereof, can famously destroy existing companies, but could it also be killing future business deals? The obvious example is Verizon’s potential acquisition of the deeply troubled Yahoo. Despite the flaws at the former tech behemoth, the deal seemed to be progressing forward nicely until it was revealed that one billion Yahoo users had their accounts compromised in 2013.

Topics: risk management, M&A

Feb 9, 2017 9:50:52 AM

You've Been Breached. Think It Won't Happen Again?

There's a popular saying in the cybersecurity space: "There are two types of organizations, those that have been breached and those that don't know they've been breached." In working with organizations that know they've been breached, I've noticed a very alarming fact: it's not their first breach! This left me wondering why and how. How can an organization suffer one breach and then have a second or third similar breach? What did they not learn from the initial breach that would leave them vulnerable to similar subsequent breaches? One of the common themes we see is that they "handled" the first breach themselves, or they hired a security consultant with little to no experience in incident response who focused on recovery without fully understanding how the attack was carried out. This is a very scary reality that we are seeing more and more every day.

Topics: incident response

Feb 2, 2017 10:00:00 AM

The Victims of Cyber Security Training

It’s harder than you think to identify good talent in cyber security. Whether you’re trying to fill full-time security positions within your organization, or partner with service providers and vendors that can identify vulnerabilities and help maintain resilience, there is an ocean of “get rich/smart quick” schemes that make things more difficult for you. They target up-and-coming information security professionals, and, in turn, leave you with less qualified staff and vendors.

Topics: cybersecurity training

Jan 26, 2017 10:01:00 AM

An Internet of Hackable “Things” Threatens Your Business

In this column, I try to avoid “buzz words” and jargon. Information security is complex enough without them. The security industry is overrun with companies that intend to confuse you with marketing bullet points, wrapped up as new concepts and trends, in the hopes that you will cut them a check. Meanwhile, you are the one that will bear the ultimate responsibility for risks they know you don’t understand.

Topics: Internet of Things, IoT Security

Jan 16, 2017 10:00:00 AM

Being a Compliant Victim of Cybercrime

When I discuss cybersecurity with business leaders, the most common misconception I see involves the role of security compliance. In my last column, I described the reality of cybercrime, a wild frontier of advanced attackers that can critically damage your business with impunity. In this dangerous environment, it’s important to realize that compliance alone will not protect you.

Topics: cybersecurity

Jan 5, 2017 10:07:00 AM

Why 2017 Could Be the Year of Cyber-Espionage

In this digital age, where most businesses are focused on the "disrupt or be disrupted" ethos, it seems that most are ignoring an even bigger trend that will affect their organization. In 2016, cybersecurity, or the lack thereof, played a significant role. The fact that even presidential campaigns were affected by hacking scandals and data leaks illustrates that the question is no longer if you will be breached, but when.

Topics: cybersecurity, cyber espionage