The Four Horsemen of Cyber Risk

Ransomware Costs, Gen AI Risk & Interview Tactics

👋 Good morning, Cyber Pros!

This week’s issue brings you:

  • Compromised backups increase the cost of ransomware 8X

  • The four horsemen of cyber risk

  • AI security resource roundup

  • A security interview strategy to help you get more offers

Let’s dive in!

Read time: ~7 mins

NEWS
COMPROMISED BACKUPS INCREASE THE COST OF RANSOMWARE 8X

Summary: Compromised backups leave organisations with little room for negotiation in ransomware attacks and often result in paying a ransom to retrieve data.

Key takeaways:

  • Research by Sophos highlights the significant impact compromised backups have on ransomware incidents.

  • Sophos surveyed 2,974 IT professionals hit by ransomware attacks, revealing widespread compromise attempts on backups.

  • Successful compromise of backup systems in ransomware attacks leads to higher ransom demands and longer recovery times.

  • Paying ransomware demands increases future vulnerability and does not guarantee full data recovery.

  • Backup compromise rates vary across industries, with energy and education facing the highest success rates.

  • Median ransom demands double for entities with compromised backups: $2.3 million compared to $1 million for those with intact backups.

  • Despite increased costs, organisations with compromised backups are nearly twice as likely to pay ransom demands.

LEARNING
THE FOUR HORSEMEN OF CYBER RISK

Security professionals sometimes get tangled up in trying to eliminate risks rather than managing them effectively, which can clash with a company's goals and culture.

Any successful company exists because it took risk. Risk is where opportunity hides. Our job as Cyber Pros is to enable the business with the four horsemen of cyber risk management.

Here’s what that looks like and a mini case study on how Reddit views the intersection of cyber risk and compliance:

1/ Avoidance

  • Sometimes, the cleanest solution is to simply walk away from risky situations.

  • This means exiting certain business lines or discontinuing products that pose too much risk.

  • Don't get blinded by revenue—consider the cybersecurity risks that come with it.

2/ Acceptance

  • Accepting risk means moving forward despite the potential for negative outcomes.

  • It's a smart move if the cost of dealing with potential issues is lower than the cost of preventing them.

  • Some risks are just not worth worrying about, like hardening servers against a nuclear attack in a post-apocalyptic world.

3/ Transfer

  • Transfer risk by sharing it with others, like through insurance or contractual agreements.

  • This can be more cost-effective than handling the risk alone.

  • Remember, it's not just about money—consider the damage to your reputation too.

4/ Mitigation

  • This is where cybersecurity pros earn their keep, but it's not the only game in town.

  • Mitigation involves implementing controls to reduce risk, like updating vulnerable software or setting up firewall rules.

  • Be clear on the terminology—mitigation deals with existing risks, not hypothetical ones.
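The acceptance bullet above turns on a comparison: is the cost of dealing with the outcome lower than the cost of preventing it? The same comparison can be run across all four options once each is expressed as an expected annual cost. The script below is an added illustration, not code from the newsletter; every figure in its register is constructed, and the "reputational" rule (harm that money cannot repair rules out accepting or insuring the risk) and the risk-appetite threshold are assumptions of this example, not something the text prescribes.

```python
"""Risk treatment helper for the four horsemen: avoid, accept, transfer, mitigate.

Added example; not from the newsletter. Every figure is constructed for
illustration. Each option is priced as an expected annual cost and the
cheapest option the business can live with is chosen.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Risk:
    name: str
    probability: float                 # chance the event happens in a given year (0..1)
    impact: float                      # direct loss if it happens
    mitigation_cost: Optional[float] = None        # yearly cost of the reducing control
    mitigated_probability: Optional[float] = None  # probability once the control is in place
    transfer_cost: Optional[float] = None          # yearly premium or contract cost
    transfer_share: float = 0.0                    # fraction of the impact the other party carries
    avoidance_cost: Optional[float] = None         # revenue forgone by exiting the activity
    reputational: bool = False                     # assumption: harm money cannot make good


def expected_loss(r: Risk) -> float:
    """Annualised expected loss with no treatment at all."""
    return r.probability * r.impact


def treatment_options(r: Risk, appetite: float) -> Dict[str, float]:
    """Expected annual cost of each treatment available for this risk.

    `appetite` (assumed policy value) is the largest untreated expected annual
    loss the business will simply carry; above it acceptance is not offered.
    """
    options: Dict[str, float] = {}
    base = expected_loss(r)
    if base <= appetite:
        options["accept"] = base                       # live with it
    if r.mitigation_cost is not None and r.mitigated_probability is not None:
        options["mitigate"] = r.mitigation_cost + r.mitigated_probability * r.impact
    if r.transfer_cost is not None:
        options["transfer"] = r.transfer_cost + base * (1.0 - r.transfer_share)
    if r.avoidance_cost is not None:
        options["avoid"] = r.avoidance_cost            # walk away from the activity
    if r.reputational:
        # Insurance pays money back; it does not repair trust. Keep only the
        # options that actually stop the event from happening.
        options = {k: v for k, v in options.items() if k in ("mitigate", "avoid")}
    return options


def choose_treatment(r: Risk, appetite: float) -> Tuple[str, float]:
    """Pick the cheapest available treatment; raise if none qualifies."""
    options = treatment_options(r, appetite)
    if not options:
        raise ValueError(f"{r.name}: no viable treatment; escalate the decision")
    best = min(options, key=options.__getitem__)
    return best, options[best]


# Constructed register; the numbers are illustrative only.
REGISTER = [
    Risk("unpatched internet-facing CMS", 0.3, 500_000,
         mitigation_cost=40_000, mitigated_probability=0.02,
         transfer_cost=60_000, transfer_share=0.8),
    Risk("laptop lost in transit", 0.5, 20_000,
         mitigation_cost=15_000, mitigated_probability=0.05),
    Risk("breach of legacy payment product", 0.1, 5_000_000,
         mitigation_cost=400_000, mitigated_probability=0.05,
         transfer_cost=300_000, transfer_share=0.5,
         avoidance_cost=450_000, reputational=True),
    Risk("data centre destroyed by nuclear attack", 1e-6, 10_000_000),
]


def treat_register(register=REGISTER, appetite: float = 50_000) -> Dict[str, Tuple[str, float]]:
    """Decide a treatment for every risk in the register."""
    return {r.name: choose_treatment(r, appetite) for r in register}


if __name__ == "__main__":
    for name, (treatment, cost) in treat_register().items():
        print(f"{name:45s} -> {treatment:9s} (expected annual cost {cost:,.0f})")
```

With these constructed figures the CMS gets mitigated (50,000 a year beats a 90,000 insurance position), the laptop risk is accepted, the legacy payment product is exited because the reputational flag leaves only mitigate or avoid and avoidance is cheaper, and the nuclear scenario is accepted at an expected loss of a few units a year, which is the "not worth worrying about" case from the text.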

Mini Case Study - Reddit

“Businesses require risk. If you are not doing something risky in a business, you probably don’t have a business that’s going to be successful.”

I recently listened to a podcast with Reddit's CISO, Fredrick Lee. He provided some great insights that I’ve summarised below:

  • Following rules is a big part of managing risks. It helps avoid legal trouble and other headaches. That’s why privacy and compliance are so important.

  • Privacy entails honouring user preferences regarding data processing, underscoring the need to safeguard user privacy.

  • Compliance is about telling the story of what your security program is actually doing. If it’s going well, compliance comes by default. Compliance is like having a personal trainer / coach. They provide you with guidance and insights to help you achieve your goals.

  • Compliance not only validates the security program but also acts as a catalyst for growth, opening doors to new opportunities as stakeholders feel more at ease.

  • Lee stresses the need to view privacy holistically, considering the human experience, a perspective often overlooked by traditional security professionals who primarily focus on systems.

  • Privacy extends beyond mere security to encompass how data is utilised, advocating for user-centric treatment rather than solely business-driven usage.

CAREER
SECURITY INTERVIEW STRATEGY

A hiring manager is looking for a candidate they can trust to bring them the biggest return on their investment.

If during interviews you’re only focusing on talking about you and your personal experience, and not relating it back to the organisation you’re applying to, you’ll miss out on job offers.

The solution: contextualise your responses.

You need to establish trust and show the organisation you have a deep understanding of their goals, challenges, and vision.

And that you are the solution.

Step 1 - Research

Here's a list of how I’d conduct my research into an organisation before an interview:

  • Visit the website: about, news, blog

  • Check YouTube for any interviews with executives

  • Google search for news articles on the organisation and its industry (have there been any security related incidents, any changes in regulation etc.)

  • If they have a product, read customer reviews

  • If they provide a service, find product demos

  • Learn about their competitors and how they compare

The goal here is to identify major challenges and goals.

Step 2 – Interview Preparation

You’ll find that most interviews cover a variation of the same questions, such as:

  • Why do you want to work here?

  • Tell me about a time you…

  • What's your biggest weakness?

Start by preparing, memorising and practicing these answers. They should flow out of you effortlessly.

Step 3 – Applying Our Strategy

When appropriate, start your responses by making it about them. For example:

  • I know one of the biggest challenges you’re facing is…

  • When I was researching this industry before speaking with you today…

Then move into your answer. Example:

  • “Before this conversation, I watched your [CIO] speak at [X Conference] about the importance of Cybersecurity and how it’s a top priority for your business. My understanding is you’re trying to build out your [cloud security capability] and this role forms part of that strategy. Here’s why I think I’m the person to help deliver on this strategy, based on [insert training] and [insert experience].”

Step 4 – Practice & Adjust

  • Try variations of this strategy and every time seek to showcase how you’re the answer to achieving their goal, or conquering their strategy!

  • Each time you do this, you're solidifying your position as the candidate who best understands the company.

  • That's how you turn interviews into job offers.

AI & SECURITY
AI SECURITY RESOURCE ROUNDUP

1/ Gartner Market Guide for Gen AI Trust Risk and Security Management

  • AI expands the threat and attack surface; Gartner's research concluded that almost 30% of enterprises have experienced a breach against their AI systems (no link, as the report is behind a paywall).

  • Make sure to monitor staff usage of external LLMs. Company data being processed by external providers, even Google or Microsoft, is still a risk.

  • LLMs are gaining more capabilities and privileges, making them vulnerable to attacks through untrusted sources and plugins. Such attacks include data leakage and self-replicating worms. The proliferation of agents and plugins can lead to unintended actions and unauthorised access, creating potential security risks for users.

  • In this overview, Diana Kelley (CISO, Protect AI) shares helpful diagrams and discusses building security into MLOps workflows by leveraging DevSecOps principles.

  • Researchers created a benchmark called JailBreakV-28K to test the transferability of LLM jailbreak techniques to Multimodal Large Language Models (MLLMs). They found that MLLMs are vulnerable to attacks, especially those transferred from LLMs, and further research is needed to address this issue.

  • Are you concerned about the safety of your LLM applications? Look no further than OWASP's LLM deployment checklist. This comprehensive resource provides a guiding framework for mitigating risks and maintaining the integrity of your LLM applications.
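The monitoring point in the Gartner bullets is easy to state and rarely shown. The script below is an added example of what it looks like at the egress proxy; it is not from the newsletter or from Gartner. The log lines are constructed for the demo in an assumed space-separated format (timestamp, user, client IP, method, host, path, bytes sent, status), the watchlist of LLM hosts is an assumption to be replaced with the organisation's own, and the two byte thresholds are made-up starting points rather than recommended values.

```python
"""Flag staff traffic to external LLM services in egress proxy logs.

Added example; not from the newsletter or Gartner. Log format, watchlist and
thresholds are all assumptions of this demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed watchlist: public hosts that receive prompts, i.e. potentially company data.
LLM_HOSTS = {
    "api.openai.com": "OpenAI API",
    "chat.openai.com": "ChatGPT web",
    "generativelanguage.googleapis.com": "Google Gemini API",
    "copilot.microsoft.com": "Microsoft Copilot",
}

LARGE_UPLOAD_BYTES = 100_000   # assumed: a prompt this big probably carries a whole document
DAILY_USER_BYTES = 250_000     # assumed: per-user daily volume to LLM hosts worth a look

# Constructed sample: one day of proxy lines in the assumed format.
SAMPLE_LOG = """\
2024-05-06T09:12:01Z alice 10.0.1.5 POST api.openai.com /v1/chat/completions 2310 200
2024-05-06T09:13:44Z bob 10.0.1.9 GET www.example.com / 0 200
2024-05-06T09:20:07Z alice 10.0.1.5 POST api.openai.com /v1/chat/completions 184022 200
2024-05-06T10:02:19Z carol 10.0.1.12 POST generativelanguage.googleapis.com /v1beta/models/gemini-pro:generateContent 60110 200
2024-05-06T10:05:55Z carol 10.0.1.12 POST generativelanguage.googleapis.com /v1beta/models/gemini-pro:generateContent 70344 200
2024-05-06T10:06:30Z carol 10.0.1.12 POST generativelanguage.googleapis.com /v1beta/models/gemini-pro:generateContent 130200 200
2024-05-06T11:40:12Z bob 10.0.1.9 POST copilot.microsoft.com /c/api/conversations 900 200
this line is malformed and must be skipped
"""


@dataclass
class Event:
    ts: str
    user: str
    host: str
    path: str
    bytes_sent: int


@dataclass
class Report:
    per_user_bytes: Dict[str, int]
    per_user_requests: Dict[str, int]
    alerts: List[Tuple[str, str, str]]   # (rule, user, detail)


def parse_line(line: str) -> Optional[Event]:
    """Parse one line of the assumed format; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 8:
        return None
    ts, user, _ip, _method, host, path, sent, _status = parts
    try:
        return Event(ts, user, host.lower(), path, int(sent))
    except ValueError:
        return None


def analyse(lines: Iterable[str]) -> Report:
    """Summarise LLM-bound traffic per user and raise the two alert types."""
    per_bytes: Dict[str, int] = defaultdict(int)
    per_req: Dict[str, int] = defaultdict(int)
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.host not in LLM_HOSTS:
            continue                                   # not on the watchlist: ignore
        per_bytes[ev.user] += ev.bytes_sent
        per_req[ev.user] += 1
        if ev.bytes_sent > LARGE_UPLOAD_BYTES:
            alerts.append(("large_upload", ev.user,
                           f"{ev.bytes_sent} bytes to {LLM_HOSTS[ev.host]} at {ev.ts}"))
    # Volume rule assumes the input covers a single day.
    for user, total in per_bytes.items():
        if total > DAILY_USER_BYTES:
            alerts.append(("daily_volume", user,
                           f"{total} bytes across {per_req[user]} requests"))
    return Report(dict(per_bytes), dict(per_req), alerts)


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for user, total in sorted(report.per_user_bytes.items()):
        print(f"{user:8s} {report.per_user_requests[user]} requests, {total} bytes to LLM hosts")
    for rule, user, detail in report.alerts:
        print(f"ALERT {rule:13s} {user:8s} {detail}")
```

The summary alone answers the first question a risk owner asks (who is using which service, and how much), while the two alerts pick out the cases that look like documents rather than questions. A real deployment would feed the per-user totals into whatever SIEM or ticketing the team already has, and would pair the host watchlist with the sanctioned-tool list so approved enterprise tenants are not flagged alongside personal accounts.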

FEEDBACK
Tell me how you really feel

I want to create a newsletter that you can’t wait to open every week.

Your feedback will help me do that.

REFERRALS
Share Cyber Pro Club!

If you found this newsletter valuable, share this link with others: https://www.cyberproclub.com/subscribe

Thanks for reading.

Cal J Hudson