CISO Corner: Cyber-Pro Swindle; New Faces of Risk; Cyber Boosts Valuation

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

In this issue of CISO Corner:

Corporations With Cyber Governance Create Almost 4X More Value

By David Strom, Contributing Writer, Dark Reading

Those with special committees that include a cyber expert rather than relying on the full board are more likely to improve security and financial performance.

Companies that have made the effort to follow guidelines for better cybersecurity governance created nearly four times their shareholder value compared to those that haven't.

That's the conclusion of a new survey jointly conducted by Bitsight and the Diligent Institute, which measured cybersecurity expertise across 23 different risk factors, such as the presence of botnet infections, servers hosting malware, outdated encryption certificates for Web and email communications, and open network ports on public-facing servers.

The report also found that having separate board committees focused on specialized risk and audit compliance produces the best outcomes. "Boards that exercise cyber oversight through specialized committees with a cyber expert member as opposed to relying on the full board are more likely to improve their overall security postures and financial performance," agrees Ladi Adefala, a cybersecurity consultant and CEO of Omega315.

Read more: Corporations With Cyber Governance Create Almost 4X More Value

Related: With TikTok Bans, the Time for Operational Governance Is Now

Even Cyber Pros Get Swindled: Inside a Real-Life Vishing Attack

By Elizabeth Montalbano, Contributing Writer, Dark Reading

Successful attackers focus on the psychological manipulation of human emotions, which is why anyone, even a cyber-pro or tech-savvy person, can become a victim.

It started with a phone call around 10:30 a.m. on a Tuesday from an unknown mobile number. I was working on my computer at home and usually don't answer phone calls from people I don't know. For some reason, I decided to stop what I was doing and take that call.

That was my first mistake in a series of several I would make over the next four hours, during which I was the victim of a vishing, or voice-phishing campaign. By the end of the ordeal, I had transferred nearly €5,000 in funds from my bank account and in Bitcoin to the scammers. My bank was able to cancel most of the transfers; however, I lost €1,000 that I had sent to the attackers' Bitcoin wallet.

Experts say it doesn't matter how much expertise you have in knowing the tactics attackers use or experience in spotting scams. The key to the attackers' success is something older than technology, as it lies in manipulating the very thing that makes us human: our emotions.

Read more: Don't Answer the Phone: Inside a Real-Life Vishing Attack

Related: North Korean Hackers Target Security Researchers — Again

Mitigating Third-Party Risk Requires a Collaborative, Thorough Approach

Commentary by Matt Mettenheimer, Associate Director of Cyber Advisory, Cybersecurity Practice, S-RM

The issue can seem daunting, but most organizations have more agency and flexibility to deal with third-party risk than they think.

Third-party risk presents a unique challenge to organizations. On the surface, a third party can appear trustworthy. But without complete transparency into the inner workings of that third-party vendor, how can an organization ensure that data entrusted to them is secure?

Often, organizations downplay this pressing question, due to the longstanding relationships they have with their third-party vendors. But the emergence of fourth- and even fifth-party vendors should incentivize organizations to secure their external data. Doing proper due security diligence on a third-party vendor must now include finding out if the third party outsources private client data to more downstream parties, which they likely do, thanks to the pervasiveness of SaaS services.

Fortunately, there are five simple out-of-the-box steps that provide a starting roadmap for organizations to successfully mitigate third-party risk.

Read more: Mitigating Third-Party Risk Requires a Collaborative, Thorough Approach

Related: Cl0p Claims the MOVEit Attack; Here's How the Gang Did It

Australian Government Doubles Down on Cybersecurity in Wake of Major Attacks

By John Leyden, Contributing Writer, Dark Reading Global

Government proposes more modern and comprehensive cybersecurity regulations for businesses, government, and critical infrastructures providers Down Under.

Weaknesses in Australia's cyber incident response capabilities were laid bare in the September 2022 cyber assault on telecommunications provider Optus, followed in October by a ransomware-based attack on health insurance provider Medibank.

As a result, the Australian government is carving out plans to revamp cybersecurity laws and regulations, with a proclaimed strategy to position the nation as a world leader in cybersecurity by 2030.

As well as addressing gaps in existing cybercrime laws, Australian legislators hope to amend the country's Security of Critical Infrastructure (SOCI) Act 2018 to place a greater emphasis on threat prevention, information sharing, and cyber incident response.

Read more: Australian Government Doubles Down On Cybersecurity in Wake of Major Attacks

Related: Australian Ports Resume Operation After Crippling Cyber Disruption

A CISO's Guide to Materiality & Risk Determination

Commentary by Peter Dyson, Head of Data Analytics, Kovrr

For many CISOs, "materiality" remains an ambiguous term. Even so, they need to be able to discuss materiality and risk with their boards.

The SEC now requires public companies to assess whether cyber incidents are "material," as the threshold for reporting them. But for many CISOs, materiality remains an ambiguous term, open for interpretation based on an organization's unique cybersecurity environment.

The core of the confusion around materiality is determining what constitutes a "material loss." Some consider materiality as impacting 0.01% of the prior year's revenue, equating to approximately one basis point of revenue (which equates to one hour of revenue for Fortune 1000 corporations).

By testing different thresholds against industry benchmarks, organizations can gain a clearer understanding of their vulnerability to material cyberattacks.

Read more: A CISO's Guide to Materiality & Risk Determination

Related: Prudential Files Voluntary Breach Notice with the SEC

Zero-Day Bonanza Drives More Exploits Against Enterprises

By Becky Bracken, Senior Editor, Dark Reading

Advanced adversaries are increasingly focused on enterprise technologies and their vendors, while end-user platforms are having success stifling zero-day exploits with cybersecurity investments, according to Google.

There were 50% more zero-day vulnerabilities exploited in the wild in 2023 than in 2022. Enterprises are being hit especially hard.

According to Mandiant and Google Threat Analysis Group (TAG) research, sophisticated nation-state backed adversaries are taking advantage of a sprawling enterprise attack surface. Footprints that consist of software from multiple vendors, third-party components, and sprawling libraries provide a rich hunting ground for those with the ability to develop zero-day exploits.

Cybercrime groups have been particularly focused on security software, including Barracuda Email Security Gateway; Cisco Adaptive Security Appliance; Ivanti Endpoint Manager, Mobile, and Sentry; and Trend Micro Apex One, the research added.

Read more: Zero-Day Bonanza Drives More Exploits Against Enterprises

Related: Attackers Exploit Microsoft Security-Bypass Zero-Day Bugs

Getting Security Remediation on the Boardroom Agenda

Commentary by Matt Middleton-Leal, Managing Director for EMEA North, Qualys

IT teams can better withstand scrutiny by helping their board understand risks and how they are fixed, as well as explaining their long-term vision for risk management.

CEOs of the past might not have lost sleep about how their security team is approaching specific CVEs, but with CVEs for dangerous bugs like Apache Log4j remaining unpatched at many organizations, security remediation is now on the agenda more broadly. That means that more security leaders are getting asked to provide insight into how well they are managing risk from a business perspective.

This leads to tough questions, particularly around budgets and how they are being used.

Most CISOs are tempted to use information around IT security core principles — the number of issues stopped, updates deployed, critical issues fixed — but without comparison to other business risks and issues, it can be tough to keep attention and demonstrate that a CISO is delivering.

To overcome these issues, we have to use comparisons and context data to tell a story around risk. Providing base figures on the number of patches deployed does not describe the huge amounts of effort that went into fixing a critical issue that jeopardized a revenue-generating application. It also does not show how your team performs against others. Essentially, you want to demonstrate what good looks like to the board, and how you continue to deliver over time.

Read more: Getting Security Remediation on the Boardroom Agenda

Related: What the Boardroom Is Missing: CISOs